vladimiry / ElectronMail

Unofficial ProtonMail Desktop App
GNU General Public License v3.0

Tor does not protect our IP address and is revealed with a webRTC leak #671

Closed Lucstay11 closed 8 months ago

Lucstay11 commented 8 months ago

I use your application with a Tor proxy, but the problem is that a WebRTC leak can reveal anyone's IP address even with a VPN, a Tor proxy, etc. I did the test with another Electron application and it's the same observation. The big problem is that Electron embeds an integrated Chromium browser which uses WebRTC, which can reveal the identity of anyone... Can you manually deactivate WebRTC in your Electron app?

vladimiry commented 8 months ago

In the app, you are not visiting 3rd party sites with a possible JS exploit included, like you do when using a regular browser. So, since the app only loads the static Proton webclients bundle, a potential WebRTC-leaking exploit would be Proton's move, so it comes down to the point of whether you trust them.

It's possible to explicitly take a measure of preventing WebRTC leaks in the app, on the code side. Even though it's not really necessary for an app like this, I am going to do that, since I see no significant maintainability harm here.

For now, if you want to feel protected, you can run the app with the --force-webrtc-ip-handling-policy=default_public_interface_only command line argument, which is supposed to prevent WebRTC leaking. Also, adding the "--force-webrtc-ip-handling-policy=default_public_interface_only" value to the jsFlags array located in the config.json file is an alternative way of applying this argument to the app. The config.json file is located in the settings folder.

Lucstay11 commented 8 months ago

First of all, I appreciate your application and the work you provide for free software! But it's actually not the browser integration that scares me but obviously Proton Mail (web version); they must surely use JS scripts to collect the information! I added the setting to config.json, but how do I enable the built-in browser devTool? It looks like you have it disabled by default. Other Electron applications allow it to be enabled by default!

vladimiry commented 8 months ago

It looks like you have it disabled by default.

Correct, it's intentionally disabled for the production build. If someone needs the dev console, there will be a need to deal with the code.

Lucstay11 commented 8 months ago

I absolutely need to verify that the modification in config.json works, otherwise I have no proof. How can I activate this devTool in your app?

vladimiry commented 8 months ago

How can I activate this devTool in your app?

The answer lies in the previous message. I'm not giving detailed instructions in regard to this matter. No offense, but this acts like a simple filter which is supposed to make technical-related conversations more productive.

Lucstay11 commented 8 months ago

I understand your point, but you can't claim to be open source by dumping the source code while preventing people from examining the application in depth; you are going against the concept... Are you looking to protect Proton Mail or to hide something? Knowing that the devTool is just used to analyze the web page (Proton Mail) and in no case your application... You seem suspicious.

vladimiry commented 8 months ago

I understand your point

You clearly demonstrated that you don't. I'm not ready to invest my time into technical discussions with those who are not ready to make a minimal effort to independently enable devTool, but simply want to put random JS code snippets into the console and see what happens. So again, no offense, but this is a filter against script kiddies.

Lucstay11 commented 8 months ago

You seem once again to not understand the needs of your own users. I am a JS developer myself, and if I chose your application it is for a minimum of security; however, you seem to prevent me from wanting to check this protection... I conclude that you just want to protect Proton Mail, which seems stupid for a free developer...

vladimiry commented 8 months ago

Leaving you with your own beliefs.

vladimiry commented 8 months ago

Handled in 46ef9c9.