
The New York Times uses WebRTC to gather local IP addresses - DamienSF
https://webrtchacks.com/dear-ny-times/
======
dzlobin
Forum post from Dan Kaminsky, co-founder of WhiteOps[1][2]:

"Dan Kaminsky here, my apologies for kicking up a ruckus. This is part of a
bot detection framework I've built at White Ops; we basically are able to
detect browser automation using resources exposed in JavaScript. Nothing
dangerous to users -- or we'd go file bugs on it, which we do from time to
time -- but it does provide useful data regarding post-exploitation behavior.
Happy to jump on a call with anyone concerned or worried; I'm over at
dan@whiteops.com."

[1] [http://www.whiteops.com/company](http://www.whiteops.com/company)

[2] [https://isc.sans.edu/forums/STUN+traffic/745/2](https://isc.sans.edu/forums/STUN+traffic/745/2)

~~~
IanCal
Honest question, why?

What problems are caused by browser automation? Slightly more on point, what
issues might the NYT be seeing that detecting browser automation is the
sensible solution?

~~~
dougbarrett
I deal with this all day every day working with advertisements. A lot of money
is spent trying to detect "bad users" and/or "bots" (usually the same thing).
I'm talking hundreds of thousands of dollars, if not millions a year in some
cases.

I'm actually working on developing a system to track browser analytics and
usage to detect if it's a person on the other end or a bot.

The quick solution of course would be to have a captcha when viewing ads on
sites so the advertiser could confirm it's actually a legitimate user, but
there are users that are doing everything they can to not be tracked/or view
ads, so what incentive do they have to confirm they are a human just so they
can be targeted for advertisements? That's why there are companies trying to
work behind the scenes to see if the browser is a legitimate session, or a bot
session.

Companies looking to buy advertisement space are really honing in now on bots,
because it's become such an issue where server farms are set up that will
automate views on pages to inflate profits, or like in the case of the company
that runs this script on NYtimes, to see if the user is viewing the page
through a legitimate viewing session, or if the user is running software in
the background of their computer pushing page views automatically.

I could probably talk all day long with this, but advertising is a huge HUGE
market. There is little to no day-to-day talk of the users that are running ad
block on their computer, it's a low percentage of the actual users we are
running into. The large talk is the people that have created botnets of
hundreds of computers to push thousands of fake impressions and how to handle
that.

------
AdmiralAsshat
Just a friendly reminder for anyone using uBlock Origin on Chrome or Firefox
that you can now configure it to prevent webRTC from leaking your real IP:

[http://www.ghacks.net/2015/07/02/you-can-block-webrtc-from-l...](http://www.ghacks.net/2015/07/02/you-can-block-webrtc-from-leaking-your-ip-now-in-ublock-origin/)

You _do_ need to enable this. After reading the article I immediately checked
my dashboard and saw that the option was available, but unchecked.

~~~
mahouse
After enabling it I keep seeing my public address here.
[https://diafygi.github.io/webrtc-ips/](https://diafygi.github.io/webrtc-ips/)
— What gives?

~~~
pmontra
I went there with Firefox without ublock and saw my public and local addresses
(docker0, eth0 and virbr0 - VirtualBox). I installed Disable WebRTC
[https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-...](https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/)
and all the addresses disappeared.

NoScript mitigates the problem because WebRTC won't work with scripts blocked
but I'll still have to disable the plugin to make it work on legitimate sites.
It's annoying and I'd prefer a browser permission popup along the lines of
what has been suggested in other posts here.

~~~
byuu
Going to about:config and setting media.peerconnection.enabled to false seems
to work, without the need for an extension.

Now to find out how many sites break in fun and exciting ways for having done
this ;)

------
Wilya
A whois on the domain serving the offending javascript leads to White Ops[0],
who seems to sell tools to protect against Ad Fraud. So I'm guessing this is
part of their fingerprinting system, to determine whether I am a human or a
bot.

[0] [http://www.whiteops.com/](http://www.whiteops.com/)

~~~
ktsmith
It is indeed; here's a comment by the author on a GitHub issue:

[https://github.com/EFForg/privacybadgerchrome/issues/431#iss...](https://github.com/EFForg/privacybadgerchrome/issues/431#issuecomment-120668684)

------
userbinator
I believe that WebRTC, just like JavaScript, should be disabled by default and
enabled only on sites that you really trust and need it; and in the case of
WebRTC, the argument is much stronger since its use-case is so specific.

~~~
altano
And what should browsers prompt users with? "Would you like to use WebRTC?"
What would that do to improve security for users?

~~~
userbinator
I'm sure someone could do better than this but here is a first try at a
suitably informative prompt:

    $site_name wants to use WebRTC.

    WebRTC allows voice calling, video chat, and P2P file
    sharing, but can also be a privacy risk. We recommend
    allowing WebRTC only on sites that you expect to use
    such features on.

    [Link to learn more]

    Allow WebRTC for $site_name?

Something like Flash's audio/video access prompt would also be a good idea:

[https://voicethread.com/image/howto/flash_settings_camera_mi...](https://voicethread.com/image/howto/flash_settings_camera_mic.gif)

~~~
jnaglick
The preposition at the end of that sentence is unnecessary. Guessing you're
from the midwest? :)

~~~
Dylan16807
It's not; I think you're parsing 'expect to use' differently than intended.

"sites that you expect to use such features on"

This means "sites on which you expect to use such features"

Not "sites where you expect them to use such features"

The preposition is key to having you be the one using, not the site. It
doesn't have to go on the end, perhaps, and you could rewrite the sentence
without that preposition, but simply removing it would leave you with an
entirely different meaning.

------
_joev
Here's a tool I wrote that grabs your internal IP and scans your LAN using
response timings and HTTP asset fingerprints:

Demo: [http://joevennix.com/lan-js/examples/dashboard.html](http://joevennix.com/lan-js/examples/dashboard.html)

Code: [https://github.com/joevennix/lan-js](https://github.com/joevennix/lan-js)

If you are interested and have some time, find and contribute HTTP
"fingerprint" assets from devices on your LAN to src/db.js.

------
decasteve
Ironic that loading up this site, webrtchacks.com, Tor Browser warns me:
"Should Tor browser allow this website to extract HTML5 canvas image data?"

I've now given up on "naked" browsing of the web and only surf via the Tor
Browser Bundle. I use a standard Firefox only for web development.

~~~
briandear
Are the rest of us who don't use Tor going to have our lives ruined? Certain
data such as social security numbers and bank passwords are obviously
critical, but I wonder what drives this seemingly excessive paranoia. For
example, who cares about your IP address in general purpose web situations?
Obviously if you're doing sql scans or pentesting obscuring your location is
extremely important, but I'm not convinced of the benefit of high paranoia in
most use cases. Reasonable paranoia sure, but going so far as to Tor
everything?

~~~
vitd
For me it's more about the fact that companies are collecting too much data
and not anonymizing it properly or securing it properly. I doubt Walmart, or
whomever is going to do much more than send me annoying emails or postal mail
at worst.

What I'm more concerned about is things like criminals obtaining the info and
realizing my personal machine might be a good target for some reason. Or some
company selling the data, which eventually gets to a healthcare company that
is able to connect my browser history to my name and start denying me coverage
or marking me as "potentially high risk" because I looked up the wrong thing,
or things like that.

I haven't gone as far as using Tor, but I block cookies from 3rd parties, use
ad blockers and browse entirely in private mode until I'm forced not to by
some lame web site. After I'm done, I delete as many tracking things as I can
and turn private mode back on.

------
joshmn
I said this when the vulnerability/bug/whatever you want to call it was posted
here: I use the same method for fraud detection, and it works unreasonably
well.

That said, I'd rather there be permissions surrounding WebRTC, but my clients
are happy.

~~~
iooi
How do you use it for fraud detection? What does it tell you/what are you
looking for?

~~~
joshmn
Financial card fraud; most of the time someone just hops on a SOCKS4/SOCKS5
proxy and doesn't have a VPN behind that. We can grab the user's IP.

Original discussion:
[https://news.ycombinator.com/item?id=8949953](https://news.ycombinator.com/item?id=8949953)

~~~
x0
That's beautiful. One of my passions in life is seeing carders get caught.

~~~
joshmn
I was one in a former life. Now I use my insights to help.

You'd be sickened and surprised by how many startups overlook handling
chargebacks.

------
api
It's easy to gather local IP addresses. WebRTC is just one of dozens of
methods of doing this. Others include various DNS tricks, reverse TCP
traceroute, <img> tag tricks, JavaScript/XMLHttpRequest tricks, etc. Private
IP addresses (10.x.x.x) are _not_ all that private.

~~~
TD-Linux
Don't forget Flash, the #1 tool for persistent tracking. Uninstalling Flash
should be your first priority if you care about this.

~~~
api
Look into browser fingerprinting, among other things. This is a losing battle.

I am deeply pessimistic about the potential for tracker-blind browsing without
extraordinary measures. A simple plugin or cookie rules simply do not and
cannot cut it.

There are just umpteen million ways to fingerprint a device. What plugins do
you have installed? What is your font list? What can be deduced about your
device's make/model/revision from things like HTML feature support? Then you
have WebGL and other technologies that potentially allow for hardware
fingerprinting via various methods, slight differences in JS performance
revealing things about your JS runtime engine's revision (JIT differences,
etc.). Don't even get me started on all the myriad things you can do with TCP,
ICMP, network latency, geo-ip, etc.

Anything less than onion routing (Tor and friends) combined with a high-
isolation virtual machine or separate hardware device and a browser with _no
persistent state whatsoever_ is probably _provably_ inadequate to protect you
from fingerprinting or tracking. _Any_ un-obscured network path back to you,
access to any form of non-generic local hardware or storage, or persistent
state equals fingerprinting/tracking hacks.

It's like using simple XOR for "encryption" and then saying "well, it's better
than nothing." Yeah, maybe it's a nano-something better than nothing but it's
basically nothing. You might as well not even bother.

Personally I think privacy is _dead dead dead dead dead_ and we need to start
talking seriously about what kinds of new political mechanisms and safeguards
we need to mitigate abuse. This is a political problem and does not have a
technical solution that doesn't come with a lot of cost -- e.g. the enormous
performance overhead of onion routing and the inconvenience of secure
computing environments. 99.999% of users are not going to do any of that stuff
and never will.

~~~
anu_gupta
The EFF have a tool that shows how unique your browser fingerprint is:
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

It's pretty scary

------
joosters
Can they grab local IPv6 addresses using this? While a huge number of
computers are going to be on 192.168.0.1, their IPv6 address could actually be
unique, making user fingerprinting easier.

~~~
nextw33k
Yes they can grab the IPv6 address but IPv6 has a privacy extension to cater
for this. It will alter your local IPv6 address periodically. You could
configure it to update every hour and effectively they'd be thinking you were
a new PC on the network.

IPv4 you'd have a small range of IP addresses but with IPv6 you can have a
different IPv6 address each hour if you so choose.

[http://www.internetsociety.org/deploy360/resources/privacy-e...](http://www.internetsociety.org/deploy360/resources/privacy-extensions-for-ipv6-slaac/)

~~~
joosters
Thanks for that link (IPv6 newbie here, I really need to properly learn it
some day...)

------
x0x0
There's really no way in Chrome to disable WebRTC? That's amazing.

edit: from the horse's mouths
[https://code.google.com/p/chromium/issues/detail?id=457492](https://code.google.com/p/chromium/issues/detail?id=457492)

edit2: you can install this

[https://chrome.google.com/webstore/detail/webrtc-leak-preven...](https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml)

and test here:

[https://diafygi.github.io/webrtc-ips/](https://diafygi.github.io/webrtc-ips/)

though Google sure seems to be dragging their feet on this, so I'm sure they'll
break this workaround soon

~~~
higherpurpose
Tracking is a feature, not a bug, in Chrome.

~~~
andor
_rolls eyes_

Disabling Javascript and Plugins is much easier in Chrome than in Firefox.

------
proactivesvcs
I recently added tagsrvcs.com to my Privoxy blocklist. Source site?
ycombinator.com.

~~~
cbsmith
Yeah, tagsrvcs.com is not a bad apple, but they are broadly used.

------
mastre_
On OS X, Little Snitch catches this in Chrome, as it would in any browser
[https://i.imgur.com/hWmpc42.png](https://i.imgur.com/hWmpc42.png)

------
jmount
WebRTC, a protocol proposed by Google to W3C has applications in user tracking
and detection of bots. Cui bono.

~~~
TD-Linux
WebRTC's protocols are actually standardized at the IETF in the RTCWEB working
group, by a large number of people. The W3C is in charge of the Javascript API
(which is actually what people are complaining about here), again with a lot
of contributors (yes, Google was bigger here).

------
ised
www world really needs more www "browsers", particularly some more that do not
implement javascript. Would it hurt to give users more choice and see what
they choose?

Only my opinion but there is much one can do without all the .js

I certainly do not need Javascript to fetch some newspaper articles via HTTP.

~~~
leni536
I use dillo and netsurf for that. Both are quite fast, dillo is the faster
one, netsurf's layout breaks less.

Dillo is freaking fast, once you try it you start to wonder where the web went
all bloated. Of course its layout engine is quite dated, AFAIK no HTML5
support whatsoever and I think there are many layout bugs too. I use it to
load up huge static html pages, they just kill Firefox or Chromium on my
netbook. It's certainly nicer than lynx, sometimes you want to look at images
too.

~~~
hexwab
Yay another dillo user!

[https://blog.sphere.chronosempire.org.uk/2013/11/26/dillo-a-...](https://blog.sphere.chronosempire.org.uk/2013/11/26/dillo-a-eulogy)

------
phragg
So wasn't everyone up in arms about WHOIS recently but seemingly uses the
service to identify who wrote this script?

~~~
aw3c2
WHOIS to identify companies is good, WHOIS to identify people can be
dangerous.

------
btown
The only possible reason I can fathom that this would be useful would be for
tracking unique users behind a NAT (i.e. corporate or educational) who block
all cookies. Seems like a pretty niche edge case in the U.S., but I'd imagine
this could be useful in, say, the EU where cookies are opt-in by law?

~~~
pjc50
_Tracking_ , and any other kind of fingerprinting, is opt-in in the EU. The
directive does not say "cookie".

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...](http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML)

"The use of electronic communications networks to store information or to gain
access to information stored in the terminal equipment of a subscriber or user
is only allowed on condition that the subscriber or user concerned is provided
with clear and comprehensive information in accordance with Directive
95/46/EC, inter alia about the purposes of the processing, and is offered the
right to refuse such processing by the data controller."

So acquiring my internal IP address without consent for reasons other than
need for establishing a webrtc connection that the user has asked for is
against the law.

~~~
btown
> "stored in the terminal equipment of a subscriber or user"

This seems like a very odd way of phrasing the law. The default user-agent
string, for instance, is stored on the terminal equipment of the user, albeit
in read-only memory. It can be used to distinguish one user from another.
Therefore, could one argue that any site that includes the user agent in their
logs would be violating this law?

And what if the user is not behind a NAT? In that case, the user's external IP
address is the one their terminal equipment places in the TCP header... which
would mean that it is necessarily stored in said terminal equipment. Did the
user give up the right to the privacy of the information by connecting to the
website in the first place? Must there be a right-to-refuse all the way down?

/s

------
beedogs
Reasons to block javascript, #12395 in a series.

------
donohoe
To be clear, it's not a developer at the NYTimes that has implemented this.

It looks like the script in question is hosted on a domain ("tagsrvcs.com")
that Adobe uses when loading JS assets for Omniture.

This is very likely a standard Adobe Omniture thing. So it's not the NYT acting
alone (or necessarily with awareness of this).

------
itistoday2
Why are they doing this?

~~~
slg
Probably part of their marketing fingerprinting. Let's say you have a big
company that only has a specific set of public IPs and you centrally manage
browser updates, add-ons, and extensions. Previously any user from that
network might show up as the same user in the NYT's marketing data. Now they
have an extra piece of data to help differentiate them.

------
dsjoerg
I've had a bit to drink, can someone ELI5 this to me?

------
1ris
In other news: if you create an IP connection, the other party knows your IP
address. With WebRTC some parts of this ugly NAT madness are gone.

Nothing to see here.

~~~
userbinator
The issue isn't that the other party knows your IP, it's that this is an
_unexpected_ connection for no other purpose than to obtain your public IP,
_in addition to your LAN IP_.

~~~
ibc
There is not even a connection. During the RTCPeerConnection's "ICE Gathering"
process local IPs are discovered and, if STUN/TURN servers are configured
within the RTCPeerConnection, STUN requests are sent to those servers (which
help retrieving the public IP of the computer/router). But you don't even need
to send a single packet in order to get local IPs (private ones, VPN ones,
etc).
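
The ICE gathering described in the comment above (and the IPv6 privacy-extension point nextw33k makes earlier in the thread) can be checked from the defender's side by looking at the candidate lines a browser actually hands back from `RTCPeerConnection`. The following is an added example, not code from the thread, from White Ops, or from any project linked here: a small Node.js parser for ICE candidate lines that classifies each address (RFC 1918 private IPv4, loopback and link-local, mDNS-obfuscated host names, public server-reflexive addresses, and IPv6 addresses whose interface identifier is EUI-64, i.e. MAC-derived and therefore stable, which means RFC 4941 privacy extensions are not in effect). It also pulls the `raddr` out of server-reflexive candidates, since that field reveals the host address even when no host candidate is listed. The candidate lines and the function names are this example's own constructions.

```javascript
// Added example (not from the thread): audit the ICE candidate lines a browser
// reports during RTCPeerConnection ICE gathering, from the defender's side.
// Function names and the sample lines are this example's own.
//
// Candidate line grammar (RFC 8839 / RFC 5245), "a=" prefix optional:
//   candidate:<foundation> <component> <transport> <priority> <address> <port>
//     typ <type> [raddr <addr> rport <port>] ...

const RFC1918 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./];

function parseCandidate(line) {
  const s = line.trim().replace(/^a=/, '');
  const m = s.match(/^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i);
  if (!m) return null;
  // Related address: for a srflx candidate this is the host (LAN) address.
  const raddr = s.match(/\braddr (\S+)/i);
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]),
    type: m[7].toLowerCase(), raddr: raddr ? raddr[1] : null,
  };
}

// Expand a textual IPv6 address to eight 16-bit groups; null if malformed.
function expandIPv6(addr) {
  const halves = addr.split('%')[0].split('::'); // drop any zone id
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return { family: 'mdns', scope: 'obfuscated', eui64: false };
  if (addr.includes(':')) {
    const g = expandIPv6(addr);
    if (!g) return { family: 'ipv6', scope: 'invalid', eui64: false };
    // EUI-64 interface id: bytes 11-12 are ff:fe, i.e. derived from the MAC.
    // RFC 4941 privacy extensions replace this with a random, rotating id.
    const eui64 = (g[5] & 0xff) === 0xff && (g[6] >> 8) === 0xfe;
    let scope = 'global';
    if (g.slice(0, 7).every(x => x === 0) && g[7] === 1) scope = 'loopback';
    else if ((g[0] & 0xffc0) === 0xfe80) scope = 'link-local';
    else if ((g[0] & 0xfe00) === 0xfc00) scope = 'unique-local';
    return { family: 'ipv6', scope, eui64 };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) {
    let scope = 'public';
    if (addr.startsWith('127.')) scope = 'loopback';
    else if (addr.startsWith('169.254.')) scope = 'link-local';
    else if (RFC1918.some(re => re.test(addr))) scope = 'private';
    return { family: 'ipv4', scope, eui64: false };
  }
  return { family: 'unknown', scope: 'invalid', eui64: false };
}

// Summarise what a page collecting these candidates would learn about the client.
function auditCandidates(lines) {
  const f = { parsed: 0, privateIPv4: [], eui64IPv6: [], publicAddresses: [], mdnsOnly: false };
  const add = (list, v) => { if (!list.includes(v)) list.push(v); };
  let nonMdns = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    f.parsed++;
    for (const a of [c.address, c.raddr].filter(Boolean)) {
      const cls = classifyAddress(a);
      if (cls.family !== 'mdns') nonMdns++;
      if (cls.family === 'ipv4' && cls.scope === 'private') add(f.privateIPv4, a);
      if (cls.family === 'ipv6' && cls.eui64) add(f.eui64IPv6, a);
      if (cls.scope === 'public' || cls.scope === 'global') add(f.publicAddresses, a);
    }
  }
  f.mdnsOnly = f.parsed > 0 && nonMdns === 0;
  return f;
}

// Constructed sample: an unmitigated Linux desktop with a docker0-style bridge
// and an EUI-64 IPv6 address (203.0.113.0/24 and 2001:db8::/32 are documentation ranges).
const SAMPLE_UNMITIGATED = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 10.0.3.1 54322 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 2122262783 fe80::1234:56ff:fe78:9abc 54323 typ host',
  'a=candidate:5 1 udp 2122262783 2001:db8::211:22ff:fe33:4455 54324 typ host',
];
// Constructed sample: host candidate hidden behind an mDNS name (the mitigation later browsers adopted).
const SAMPLE_MDNS = [
  'candidate:1 1 udp 2122260223 4a3c1d2e-5f60-4718-9abc-def012345678.local 54321 typ host',
];

console.log(auditCandidates(SAMPLE_UNMITIGATED));
console.log(auditCandidates(SAMPLE_MDNS));
```

To use it against a real browser, paste the `candidate` strings from `RTCPeerConnection.onicecandidate` (or the `a=candidate:` lines of a local SDP offer) into `auditCandidates`. An empty `privateIPv4` list together with `mdnsOnly: true` means the host-address leak the thread is about is closed; a non-empty `eui64IPv6` list means the machine's IPv6 interface identifier is MAC-derived and will stay constant across sessions regardless of any WebRTC setting.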

------
jgalt212
Here's another White Hat use case for local IP addresses.

You can use it to unobtrusively monitor license compliance for a SaaS biz. You
charge each user. A user is constantly logging on from multiple browsers
during the day (e.g. IE and Chrome). With local IP knowledge you can determine
whether or not this is being done from the same machine (still abiding by
license terms), or from multiple machines (most likely sharing with a
colleague and breaking license terms).

Before this WebRTC hack, the only other way to do this that I am aware of is
via the dreaded Flash cookie.

~~~
chc
I hope that doesn't catch on. I have a laptop, two desktops and a phone that I
use depending on where I happen to be sitting. They are all me, though. Even
desktop software like Adobe Creative Suite seems to acknowledge that people
use more than one device these days.

~~~
andrewchambers
I guess the approach is something like: 3 PC's? fine, 6? fine I guess. 58? ok
something is going on.

