Practically everybody uses the Internet for work or fun, browsing from tablets, personal computers, or smartphones. But knowing how to keep safe as you move around the web remains something of an arcane art very few people know. Your online privacy and safety matter a great deal, which is why you should always be mindful of it. And seemingly irrelevant things such as browser plugins and extensions can be an advantage or a problem. This is when webRTC comes into the picture.
So what is webRTC, anyway?
WebRTC is an open-source HTML5 specification released in 2011. It allows voice and video communication to work within web pages. It’s the reason why having such technology working inside a browser’s tab or window no longer requires installing a plugin, which is how it used to work before.
But is it effective?
The open-source project named Web Real-Time Communications embeds real-time voice, text, and video in the browser. It allows P2P (peer-to-peer) communication to happen natively between browsers without any additional software.
WebRTC jumps into life when JavaScript APIs (application programming interfaces) combine HTML5 to have communication technologies incrusted into a web page. The goal is to have user-friendly and streamlined multimedia communication between browsers.
Standards for webRTC remain a work in progress. Two developing groups are currently working on this (the web real-time communication group and the Internet engineering task force). As we write this, WebRTC is fully available and working in Mozilla Firefox and Google Chrome.
In simpler words, webRTC enables a browser to make video and voice calls and to carry P2P file transfers out. It can also get pictures from your computer’s webcam. This could look complex, but the underlying idea is quite simple.
All this thing does is enable a website to establish a direct connection to your computer so that information can go in and out. The thing is that such a direct connection also allows that website to find out a lot of information about you, including your physical location and your actual IP address.
How does it work?
If you have a look under WebRTC’s hood, you find three main elements:
- getUserMedia: This allows your browser or an app to access your device’s camera and microphone.
- RTCPeerConnection: Sets up audio and video calls on the device.
- RTCDataChannel: Opens up a pipe through which a P2P channel of communication can flow among the devices.
WebRTC thus launches multiple processes whose point is to come up with a P2P audio and video call. One critical ingredient in this recipe is that each device is assigned a public IP address. Those addresses allow the devices to detect each other and start a connection. Then signaling data channels are created to support the communication. Thus a link is born.
The signaling occurs through an HTTPS or WebSocket. It works through JavaScript code, and it’s not a WebRTC component.
WebRTC then starts creating the bits of information it’s supposed to send and processes those it receives, but it doesn’t send them or receive them over the network. Those bits and packets are inside packed SDP messages by WebRTC.
The media doesn’t go through WebRTC at all. It follows a different path through the media channels you find in SRTP (voice and video) or SCTP (data channel).
So WebRTC is helpful, for sure. It allows you to make a Skype or a Zoom call because that’s how you connect with the guy on the other side. It uses relatively up-to-date audio and video codecs such as VP8, OPUS, or G711. Being an open-source project, it has a high degree of flexibility and freedom for users to deploy its technology. But as it happens with so many open-sourced things, users need a somehow higher than average degree of expertise to take advantage of the benefits.
So if WebRTC is so cool, how can it be dangerous?
WebRTC’s benefits are there for all to see, but nothing in this world is perfect, so the package includes some disadvantages. And that’s where you find the problems for those users whose priority is to remain anonymous while online.
If you’ve read attentively, the problem is that the protocol must have a public address for each device. So if you want WebRTC to work, you can hardly hide your actual IP address, and that can beat the purpose of using any proxies, or a VPN, Tor, or anonymity plugins like Ghostery. If WebRTC does the trick for your system, your device and the other party must have public and local IP addresses. Period.
For additional worry, the procedure to get an IP address is so easy to achieve that a short piece of JavaScript code can request (and get) your IP without any problems at all. And then your device’s security is breached. If you want to fix that, you must disable WebRTC.
But that is not the only security problem arising from WebRTC. It makes your browser easier to recognize by third parties, thus allowing them to track your activities. This happens because, besides your IP information, things like the browser you use, your screen’s resolution, your OS, and other minutiae can be revealed, allowing external observers to fingerprint you by aggregating all those details. Don’t laugh this off.
If you put together all those bits and pieces, the probability that any other user in the world has a device that is set up exactly like yours is exceedingly tiny. The more unique your preferences are (say you use Bravo instead of Chrome, for instance), the easier it will be for wrongdoers to tell you apart from the crowd. And they don’t even need cookies for that.
Last but not least, WebRTC makes VPN less effective. We hinted at this previously. But if you want your VPN to protect you by hiding your IP and encrypting all your traffic, having a process in your system that publicly reveals your IP renders all that precaution void.
So what is there besides WebRTC?
Remaining anonymous online needs a VPN that hides your IP address and scrambles all your data.
If you disable WebRTC, tracking your IP address is impossible if you are in a VPN. With a reliable VPN, or if you are using a secure browser like Tor, the risk of your IP address going public is negligible. Proxy servers can help with that as well, but with a lesser degree of privacy. But if you have WebRTC announcing it loud for the world to see, even Tor won’t keep you anonymous.
The market has VPN services that can prevent WebRTC leaks, which expose you to the world at large. This kind of reliable VPN also stops DNS leaks and Chrome extension leaks. Additionally, a good VPN will keep your online connections and private data confidential because they create a private network over the common, public one by encrypting and re-routing all your data.
That prevents hackers from intercepting or exploit your online activities. Also, no government or ISP can keep tabs on an end-to-end encrypted connection, such as provided by VPNs. Encryption turns your meaningful data into something that looks like random noise, so no external observer can make sense of it without knowing your encryption keys and the encryption algorithm you are using. AES 256 is the industry standard, but there are others, and some VPNs even use more than one encryption system in tandem.
So using a VPN does prevent your IP address from leaking because of WebRTC. Still, it also performs so many other useful tricks that keep your privacy safe that you should consider seriously adopting one.
So how do VPNs do their magic? Well, they connect you to one of its secure servers. VPNs have hundreds of servers scattered around several countries in the world. After the connection is established, your IP address is replaced by the server, hiding your own.
To hide your actual IP number, you remain anonymous, and you also circumvent geo-restrictions for content.
It all comes down to this: Are you using a VPN?
So now you know all about WebRTC and the risks it poses to your online privacy and anonymity.
As with so many other problems in digital life related to privacy, the answer lies in subscribing to a good, reliable VPN service. Yes, it has to be a paid service, we’re sorry to say. There are free VPNs on the web for sure, but using those will deepen your privacy problems instead of solving them. Your online safety is worthy cause to spend a few dollars monthly, so don’t hesitate.
Featured image: Shutterstock
Please discuss any ways to disable WebRTC besides use of a VPN.
Also, VPNs are not fool-proof solutions. The VPN provider usually has logs that will expose where users have been, even if the logs cannot expose actual communications because of the use of SSL encryption in the browser directly to the web site. However, the VPN might use its own proxy endpoint and certificates to do deep package inspection, and thereby log the entire transaction between the client and server. The VPN still protects the client from WebRTC, but then is the client protected from the VPN provider itself?
IOS: Click “Safari” in the menu bar
Then click Preferences
Click on the “Advanced” tab, then at the bottom check the box for “Show Develop menu in menu bar”
Now, click on “Develop” in the menu bar. Under the “WebRTC” option, if “Enable Legacy WebRTC API” is checked, click on it to disable this option (no check mark).
In Google Chrome’s address bar type chrome://flags/ And search for webrtc there will be some options that you can disable there.
For Microsoft Edge same as above but use edge://flags/