5

Any site that I visit can see my local IP (e.g. 192.168.1.102). Is there any reliable way to block this behavior? (browser setting, OS setting, router setting, etc.) I am particularity interested in Google Chrome and Mozilla Firefox, but any modern open source browser will do. If it is a browser plugin, it should be open source with a solid user base.

By reliable I mean, that I do not need to check the leakage again after every software update.

More info / what I have read so far:

  • There was a Chrome plugin that is not working anymore
  • Local IP is obtained using JavaScript / WebRTC
  • Firefox developers is not going to fix the leak (bug is open from 2014): Bug 959893
  • In Private / Incognito mode does not prevent this leak. If you use static IPs, and have non typical local IP (e.g. 10.66.77.88 or 192.168.212.121), then there is no need for Browser fingerprinting . Your external IP + internal IP is perfect fingerprint.

Update 1: It is not duplicate of How to Disable WebRTC in Google Chrome - I want to prevent private / local IP leak, not disable all WebRTC.

Update 2: No, it is not related to header X-Forwarded-For (HTTP_X_FORWARDED_FOR), that is added when user/administrator chooses to do so. In my provided demo it is not your choice... It is Google's and Mozilla's choice to leak your private IP even when using private browsing mode.

Update 3: Ability to determine my local IP allows malicious JavaScript to quickly identify my local subnet and print on my local network printers from any website in the world without me doing anything. Cross-site printing This CSP Demo finds my LAN printers using JavaScript.

Update 4: It is not a good idea to reveal private IP to every website. By seeing your private IP, for example 192.168.88.101, I can guess with very high probability that you are using MikroTik router. Also, I can track particular user event if user uses different browsers because local and remote IP stays the same for some time (hours or even days).

Community
  • 1
Maris B.
  • 1,303
  • 4
  • 14
  • 22
  • 1
    The demo you linked shows all addresses as nothing for me, using edge. – pulsejet Feb 01 '17 at 15:31
  • @Ramhound, why not, if the local network is keeping logs? – pulsejet Feb 01 '17 at 15:33
  • @Ramhound, yes I understand that. But I have static public and static local IP. So incognito mode is useless to me – Maris B. Feb 01 '17 at 15:34
  • @RadialApps, try the Demo with Chrome or Firefox. – Maris B. Feb 01 '17 at 15:35
  • 1
    @MarisB. - The demo you link to me also shows me nothing. I am currently using Chrome. – Ramhound Feb 01 '17 at 15:36
  • 1
    You can link a better demo in your question (HTTP_X_FORWARDED_FOR) http://www.whatsmyip.org/more-info-about-you/ – pulsejet Feb 01 '17 at 15:36
  • @RadialApps, thanks for the Edge. However, I prefer an open source solution. But anyway +1 for the Edge. – Maris B. Feb 01 '17 at 15:39
  • @MarisB. lol, I just edited that comment. The link I posted can get the local IP from Edge too. – pulsejet Feb 01 '17 at 15:40
  • @Ramhound, the question says nothing about your public IP address. It is about not letting out your private IP address. – pulsejet Feb 01 '17 at 15:42
  • @Ramhound, from a security standpoint, I couldn't disagree more. If I were logging your intranet ip address right now and later wanted to track you down, then I could do it if your local router is also logging them with timestamps (incidentally, local ip addresses *are* logged under many work networks) . Of course I would need access to the logs, but that is another story. – pulsejet Feb 01 '17 at 15:52
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/52877/discussion-between-radial-apps-and-ramhound). – pulsejet Feb 01 '17 at 16:12
  • I have build open source browser based on explorer, and cant leak these data, check my blog it's called mini browser, give it a try – Narzan Q. Feb 01 '17 at 16:23
  • 1
    Possible duplicate of [How to Disable WebRTC in Google Chrome](http://superuser.com/questions/1055741/how-to-disable-webrtc-in-google-chrome) – Ƭᴇcʜιᴇ007 Feb 01 '17 at 18:13

2 Answers2

6

Disable WebRTC with extensions:

In Firefox with addon Disable WebRTC or advanced users can use about:config to set media.peerconnection.enabled to false.

In Chrome with extension WebRTC Leak Prevent

pulsejet
  • 2,211
  • 2
  • 14
  • 35
Ipor Sircer
  • 4,045
  • 1
  • 16
  • 18
  • 1
    In firefox you don't even need a extension, tweak about:config is enough. – Sam Feb 01 '17 at 15:39
  • 2
    same to chrome, just tweaking `chrome://flags/` But using extensions is easier for a person who couldn't find these settings by himself. – Ipor Sircer Feb 01 '17 at 15:42
  • 3
    @IporSircer - You should provide that information, within the body of your answer, for those not able to use extensions. Saying it's possible in a comment, and not explaining which flag, means people not familar with the name of the flag have to spend time to researching it. – Ramhound Feb 01 '17 at 15:51
  • 1
    @IporSircer, you can't use chrome://flags/, source: http://superuser.com/questions/1055741/how-to-disable-webrtc-in-google-chrome – pulsejet Feb 01 '17 at 16:32
  • uBlock Origin is also able to prevent WebRTC leaking, if you guys already have it installed – andromeda947 Feb 05 '17 at 17:26
0

On chrome, if I go into incognito browsing mode the WebRTC extensions meant to block your local IP address don't work. They only work if you are not in incognito mode. So you have to chose, logging to your browser history but no local IP leak or incognito mode with local IP leak.

Private
  • 1
  • Extensions have a checkbox letting you have them run in incognito mode. You probably just need to check that box for them. – Venryx Sep 16 '19 at 21:16