VPN leaks users’ IPs via WebRTC (voidsec.com)
434 points by BlueGh0st 11 months ago | 167 comments



I don't use VPNs. For me, the more alarming information here is that SOCKS and Tor proxies are also leaking IP addresses. If a SOCKS proxy is configured in browser, isn't it the browser's responsibility to ensure all outgoing traffic - including WebRTC - goes via the proxy? Are these browser bugs?

Update: Can confirm Firefox Quantum with SOCKS proxy leaks the address. Oh dear!

Update 2: I didn't realize this is how WebRTC actually works. FF even has an entire page for tweaking this stuff https://wiki.mozilla.org/Media/WebRTC/Privacy. I hate it when features like these, which at least in my case go mostly unused, have such critical weaknesses by design and it's not announced anywhere with a big red danger sign.


This is the fault of the browser and WebRTC. They know about this but deliberately break it. The truth is WebRTC should never activate without user permission.

But no, WebRTC added data-channels. They have no good use to be silent and especially not to override SOCKS proxy. In fact, some key people on the WebRTC group, when I pressed them, could not provide a single real use-case for silent data channels.

Firefox is absolutely in the wrong to ignore your proxy settings, especially without getting consent first to start a call. It's a complete mess. Regardless of what the "spec" says, Firefox is responsible for implementing broken software that harms users.

Then again, so is STUN/ICE and basically every single thing that has to do with SIP/VoIP. It's like they go out of their way to be obtuse and come up with shitty standards then take glee in how bad it gets. As an example, look up SIP Torture Tests. There's an RFC just to illustrate the moronic edge-cases in SIP parsing that at one point implies your software needs to be conscious to infer the intention of malformed messages.

t. been working in telecom for far too long


Yes, this is largely the browser's problem. Because all available uplinks are available. Tor browser doesn't leak, because WebRTC is blocked. But other browsers with WebRTC enabled will leak with a standard Tor setup.

However, using Whonix for Tor, even if you install a random browser with WebRTC enabled, there is no WebRTC leak. Because the workstation VM has no Internet access except through Tor. The gateway VM is not a router. There is no forwarding, and it's firewalled. It just exposes Tor ports to a private internal network, for the workstation VM.

And one can do the same for VPNs, using pfSense VMs as VPN gateways. Apps in workspace VMs have no Internet access except through the VPN client running in the gateway VM.


+1 for Whonix (with Qubes OS)


TBH just from setting up one (1) PBX with about half a dozen devices from only two manufacturers -- I would never take a job anywhere near anything having something to do with SIP, ever.


SIP is one of a few protocols where two completely standard-compliant implementations are commonly unable to interop.


Oh it gets better. I have implemented SIP software (written, from scratch). On the SIP implementors mailing list, one of the authors defends the insane parsing rules by saying that C and Java allow you to be flexible with syntax, so why not SIP?

They are totally detached from actually implementing elegant or high performance software. Actual engineers achieve this despite SIP's terrible decisions. Granted, many of those are inherited from HTTP. Tell me how many HTTP stacks handle comments and line folding properly...

It opens up security holes, too. One proxy interprets \r\r\n as 1 line break, another as 2 line breaks and start of body. Oops, now you can end up sending fun headers to your target because they try to be flexible in accepting input.

IIRC there is essentially no way to implement SIP standardly because of so many broken implementations. You have to make some decisions on certain parsing that will break one but any other way will break another.

Text-based protocols invite abuse by designers and implementors alike. IETF compounds these by living in a fantasy world.


I'm not sure binary protocols are any better, unless you make the first two bytes of every message a version number.

FWIW, I consider the canonical implementation of SIP at this point to be asterisk.

I work on a SIP derived protocol, P25 CSSI - it has all the issues of SIP, and more!


> I'm not sure binary protocols are any better, unless you make the first two bytes of every message a version number.

Actually we've seen people manage to fuck that up royally, too. Examples: Routers confusing MAC addresses starting with "6" with IPv6 packets. Various TLS implementations in proxies falling completely apart when they see an unknown version. Various TLS proxies falling apart when seeing an unknown extension. Far too many instances of "assert version==1" to list.


VoIP phones sometimes just don't work with some destination numbers (OWA/jumbled audio/insta-disconnect/no-connection). Workaround: call with mobile phone.

...


SOAP has this property too.


My impression is that this is a conflict between the WebRTC folks and the UX folks. The WebRTC team is happy to prompt you to use data channels, but the UX team doesn't want to oversaturate people with security warnings. Especially warnings that people won't understand.


I'm only going off some in-person dealing with folks behind WebRTC and they know that permissions suck and would hurt adoption and hence fight to make sure they don't happen.

They dismiss all privacy concerns with "you can't have privacy in a browser" and "fingerprinting will work anyways so we can't make it worse". It's head-in-sand approach to privacy and it's bad.

Even then, Firefox is simply wrong to tell people it'll use your proxy, then throw that out.


Lots of people in webrtc are critically concerned with the safety and privacy of their users.


I'm not sure what that means. It was obvious this would be used for fingerprinting and leaks. The explained reasons for proceeding was that permission prompts for data channels would hurt usage, despite not having clear cases where we need P2P without letting users know.

And none of this excuses overriding the user's expressed network connectivity.

When this was brought up, they immediately jumped to the excuses that fingerprinting can't be helped. And many jumped to saying hey you should use Tor Browser anyway. Total capitulation.

Maybe someone cared, but it's not the official stance from webrtc groups or browsers.


Obviously not that critically concerned if leaking sensitive information like this was required by the spec as drafted, and has remained uncorrected.


It really seems like adding a permission handler with a warning on WebRTC would be an easy fix for this problem and/or browsers should respect proxies and such when generating WebRTC candidates.

And I say that as someone who thinks WebRTC has some pretty cool use cases.


I use WebRTC for lossy robot pose data. It would suck to require another approval popup in my software, but really, it's no big deal. Certainly the UX cost is worth the security benefits if we can't have both.


What if the entire system is configured to use Tor? Does the use of Tails mitigate this weakness?


To be safe, one must restrict output on the LAN interface to the Tor process. I'm not sure whether Tails does that by default.


I don't know either, but the web browser in Tails is Tor Browser which has webrtc disabled by default.


I am so annoyed with this. It feels like every advance in web browser technology takes away as much as it gives. Some days, it feels like the web was better back in the HTML4 days.

Can't wait to see how WebAssembly will be used against us.


Just wait till you get a load of content rendering engines being written in (dynamically re-obfuscated) web assembly and rendered via canvas, so users are totally locked out of modifying content loaded into them or blocking ads.

This is already being worked on.


Any links to that? What kind of enemies of mankind are working on this? Advertisers again?


It's being fought before it's even fully grown.

Computer vision adblockers are also being worked on.


A sad and stupid zero-sum game wasting both talent and electricity.


> Can't wait to see how WebAssembly will be used against us.

Have you heard of Coinhive [1]? They are using WebAssembly to mine bitcoins in the browser.

[1] https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive...


On the other hand, this method might be a good way to 'pay' for using a service instead of ads, so long as it's opt-in and the user knows about it.


The weird thing for me is I'm on Firefox on my Mac and I ran all those tests and it said WebRTC is enabled, but never gave my actual factual IP address. I'm running Private Internet Access which they claim is vulnerable... So I'm not sure who's doing that test but they might have their settings a bit jacked up? If you have Private Internet Access there is an "Advanced Settings" panel where you can click on "IPv6 leak protection" it disabled IPv6 while using the VPN, seems to have been enough to fool these leak tests.


> I didn't realize this is how WebRTC actually works.

Yep. STUN is in the spec, and always has been. This has been a thing for years.


STUN is part of the story. The overall process is called Interactive Connectivity Establishment (ICE).


TIL, thank you!


It seems Firefox has resigned to some sort of role as 'token' competition to Chrome.

Most of its actions seem inexplicable and counterproductive when strong privacy and user protection should be their reason to exist and keep a dedicated user base.

The bigger problem is exploding complexity in many areas is a huge concern for open source as it's becoming increasingly impossible for small teams to implement or come up with alternatives. This is going to reduce meaningful choice and leave users at the mercy of a mix of corporate or vested interests.



Thank you for that site. Looks like I have to become more aware of browser internals.


I tried some of the leak tests here, it seems to leak my NAT address not my nearest public IP? Can anyone chime in?


It's not even the local ip of your home network. It's the ip of the tunnel interface. I don't know how this can be misused. It's only on firefox though. On chromium, it just shows 0.0.0.0 instead.


Yes that's exactly what I see. This seems to me to be a non-issue but perhaps other configurations and VPNs behave differently? I was using my phone into my home router with OpenVPN and it showed my VPN assigned NAT address 10.x.x.x ...


> Update: Can confirm Firefox Quantum with SOCKS proxy leaks the address. Oh dear!

Did you file a bug report?


I searched for one and found some that seem to be related. Will file one today and also work on a fix, since it appears this is known for a long time and nobody has bothered to provide even a simple fix.


Cool, can you link the report here when you do?


This is why when I actually do anything with tor it's always curl -H ""

Using something as complex as firefox for anything important is just stupid.


Or just use Whonix. Or better, Whonix in Qubes.


Why -H ""? AFAICT, it doesn't do anything.


Or just use Qubes on Tor


Just want to point anyone looking to test their own VPN to https://ipleak.net/. That's been my go-to, and it seems more comprehensive than the linked service.


Or try https://www.doileak.com . (Shameless plug of a project of mine)


> WebRTC IP Leak: Your local IP: 10.41.41.2 .

> Your browser supports WebRTC! Your real IP address is visible to every website you visit.

>

> Web Real-Time Communication (WebRTC) is enabled by default in Firefox, Opera and Google Chrome, and enables video chat, voice calling and P2P sharing from within your browser.

> A neat trick, but it allows any website to instantly see your true IP address. The only way to avoid sharing your IP address this way is to disable WebRTC completely.

Nope, that's not my "real" IP address


> Nope, that's not my "real" IP address

Reminds me a bit of this old story: http://sirkan.iit.bme.hu/~kapolnai/fun/bitchecker.html


FWIW, the link did not work for me, but archive.org has a copy. It was hysterical!!! :)


Seems my setup has me covered: https://www.doileak.com/?cb=liq1xtjsp37zvit5

Actual location is Kuala Lumpur, which was caught by the time zone... So need to look into fixing that.

For those wondering, my setup is:

ProtonVPN via the ProtonVPN Mac Beta (before I used Tunnelblick - which actually was more reliable - the ProtonVPN Mac Beta disconnects often)

AdGuard Pro, with DNSCrypt using the Adguard Family servers: https://gist.github.com/balupton/48057270a67d70e2ac984fdfa47...

Safari. With Camera, Microphone, Location, and Notifications all set as deny by default.


Nice project - but that name.... Sounds like a bad medical condition!


To me it sounds like a LibGen/Sci-Hub type website, playing off the idea of leaking papers with DOI numbers: https://www.doi.org/


> Timezone Difference: The time zone of your browser is while your request IP location timezone is Europe/Paris.

Looks like there is a word missing.


You can test WebRTC IP address (and media device id) leakage using https://browserleaks.com/webrtc.

To disable WebRTC in Firefox, set the about:config prefs "media.peerconnection.enabled" and "media.navigator.enabled" to false.


More like this:

    media.peerconnection.turn.disable = true
    media.peerconnection.use_document_iceservers = false
    media.peerconnection.video.enabled = false
    media.peerconnection.video.vp9_enabled = false
    media.peerconnection.video.h264_enabled = false
    media.peerconnection.identity.enabled = false
    media.peerconnection.identity.timeout = 1


I need to find a way to automate the patching of Firefox's about:config when installing a new OS etc, quite a few telemetry/storage/WebRTC tweaks to date now.

There is an extension [1] that'll at least disable the IP address gathering (it doesn't look to disable all of the above settings but may have a similar effect if browser.privacy.network.peerConnectionEnabled disables everything):

[1] https://github.com/ChrisAntaki/disable-webrtc-firefox


The simplest level would be to add what settings you want to Prefs.js file. http://kb.mozillazine.org/Prefs.js_file

If you want the preferences locked at the application level and not be overridden or be unchangeable at profile level. Mainly important if you are managing a lot of systems. http://kb.mozillazine.org/Locking_preferences


Look into vendor.js for patching about:config. I know Arch has one for sure in their package.
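One way to automate the about:config changes discussed in this sub-thread, as an added example that is not part of any comment: a POSIX shell script that maintains a marked block of the WebRTC prefs quoted above in each profile's `user.js`, which Firefox applies at startup. The function names, the marker comments and the Linux profile location `~/.mozilla/firefox` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Writes the WebRTC prefs quoted in the
# comments above into user.js of every Firefox profile, idempotently.
# Assumption: Linux profile root; override FIREFOX_HOME for other layouts.
FIREFOX_HOME="${FIREFOX_HOME:-$HOME/.mozilla/firefox}"

# name=value pairs exactly as given in the thread.
WEBRTC_PREFS='media.peerconnection.enabled=false
media.navigator.enabled=false
media.peerconnection.turn.disable=true
media.peerconnection.use_document_iceservers=false
media.peerconnection.video.enabled=false
media.peerconnection.video.vp9_enabled=false
media.peerconnection.video.h264_enabled=false
media.peerconnection.identity.enabled=false
media.peerconnection.identity.timeout=1'

# Hypothetical markers delimiting the block this script owns.
BEGIN_MARK='// BEGIN webrtc-hardening (managed block)'
END_MARK='// END webrtc-hardening'

# Print the managed block in user.js syntax.
render_block() {
    echo "$BEGIN_MARK"
    echo "$WEBRTC_PREFS" | while IFS='=' read -r name value; do
        if [ -n "$name" ]; then
            printf 'user_pref("%s", %s);\n' "$name" "$value"
        fi
    done
    echo "$END_MARK"
}

# apply_prefs PROFILE_DIR: replace our block, keep every other line of user.js.
apply_prefs() {
    profile="$1"
    if [ ! -d "$profile" ]; then
        echo "no such profile: $profile" >&2
        return 1
    fi
    target="$profile/user.js"
    tmp="$target.tmp.$$"
    if [ -f "$target" ]; then
        # Drop a previously written block so repeated runs do not duplicate it.
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip' "$target" > "$tmp"
    else
        : > "$tmp"
    fi
    render_block >> "$tmp"
    mv "$tmp" "$target"
}

# Apply to every directory under FIREFOX_HOME that looks like a profile.
apply_all() {
    for p in "$FIREFOX_HOME"/*/; do
        if [ -f "${p}prefs.js" ]; then
            apply_prefs "${p%/}"
        fi
    done
}

# Stand-alone use: ./script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

Run it with Firefox closed; the values take effect on the next start and are re-applied on every start, so a change made in about:config to one of these prefs does not persist.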


> To detect data from your torrent client we provide a magnet link to a fake file. The magnet contains an http url of a controlled by us tracker which archives the information coming from the torrent client.

That’s pretty clever. Alternatively they could have a unique file of garbage and have some seeders for it and then when someone connects it would also be the same person. But the tracker solution is less work and probably almost entirely as good.


And it needlessly requires Javascript to do things other services don't need Javascript to do. That's not a good plan.

One's IP address should be detectable to at least some degree with data from the packets making the request for the webpage. Some of this is remedied with what appears to be duplicative information further down the page.

DNS Address detection is done better by https://dnsleaktest.com/.

Geolocation detection is likely done by looking up what geolocation is paired with one's IP (and sometimes this data is wrong), so there's no real need for Javascript here either. It's not as if the requesting computer should supply this information, else it becomes even more easily spoofed. Some of this is remedied with what appears to be duplicative information further down the page.

Torrent detection is also needlessly JS-driven, and done better at http://dev.cbcdn.com/ipmagnet/.

There are also some grammar errors confusing singular and plural in the text at the bottom of the page.


FWIW, I show that Opera's free VPN does not leak the client's IP address.

https://www.opera.com/computer/features/free-vpn


Opera's VPN is not even a VPN tho. Check their phrasing they call it 'Web vpn' or something like this and already committed in the past that the naming scheme for their proxy was just a marketing trick.

Written from Opera tho. So not saying it sucks :)


Clickbait? It's not "VPN providers" it's "VPN provider software", I never even thought of using their software, most just give you the credentials for OpenVPN/IPSEC/PPTP or similar. Also if anonymity is of "real" concern you should never use a system that knows your real IP address in the first place. Instead create the vpn tunnel on a separate host system and run something like Tails in a VM (or better yet separate physical hardware).


>It's not "VPN providers" it's "VPN provider software"

OpenVPN leaks DNS on every default Ubuntu installation I have tried. But I think it's actually Ubuntu NetworkManager's fault.

The WebRTC leaks discussed in this article are not prevented by OpenVPN either (last time I checked, which was a while ago). You have to disable WebRTC in the browser.


>You have to disable WebRTC in the browser

Incorrect. An easy and foolproof way of using VPNs is with network namespaces. You start the VPN in your init network namespace and then move the created device into a dedicated VPN namespace. OpenVPN has support for this because it allows you to execute a shell script after the VPN device has been created. Then you simply start your browser, torrent client, whatever in this namespace and you are completely safe:

1. If the VPN fails, then the only network device inside the network namespace disappears (modulo the lo device) and the programs in this namespace cannot use the internet.

2. Since the browser can only see the devices within the network namespace, the only IP it can see is the one assigned to you by your VPN provider (usually 10.x.y.z or similar.)

DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8.
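The namespace setup described in the comment above, as an added example that is not part of the original post: an OpenVPN hook script that moves the tunnel device into a dedicated network namespace and configures it there. It assumes Linux with iproute2 and OpenVPN started with `--script-security 2 --ifconfig-noexec --route-noexec` and this script given as `--up`, `--route-up` and `--down`; the namespace name `vpn`, the function names and the `DRY_RUN` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). OpenVPN calls this script as root and
# passes dev, tun_mtu, ifconfig_local, ifconfig_netmask / ifconfig_remote,
# route_vpn_gateway and script_type in the environment.
NS="${NS:-vpn}"                      # assumed namespace name
NS_DNS="${NS_DNS:-8.8.8.8}"          # resolver named in the comment above
NETNS_ETC="${NETNS_ETC:-/etc/netns}" # ip-netns bind-mounts files from here

# run CMD...: execute, or only print when DRY_RUN=1 (review without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Per-namespace resolv.conf; "ip netns exec" mounts it over /etc/resolv.conf.
write_resolv_conf() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "write 'nameserver $NS_DNS' to $NETNS_ETC/$NS/resolv.conf"
    else
        mkdir -p "$NETNS_ETC/$NS"
        printf 'nameserver %s\n' "$NS_DNS" > "$NETNS_ETC/$NS/resolv.conf"
    fi
}

# up: create the namespace, move the tunnel device in, address it there.
ns_up() {
    if [ -z "${dev:-}" ] || [ -z "${ifconfig_local:-}" ]; then
        echo "ns_up: dev and ifconfig_local must be set by OpenVPN" >&2
        return 1
    fi
    run ip netns add "$NS" || true   # may already exist from a previous run
    run ip netns exec "$NS" ip link set dev lo up
    write_resolv_conf
    # After this move the init namespace no longer has the device, and the
    # new namespace has no other uplink: if the VPN dies, traffic stops.
    run ip link set dev "$dev" netns "$NS"
    run ip netns exec "$NS" ip link set dev "$dev" up mtu "${tun_mtu:-1500}"
    if [ -n "${ifconfig_netmask:-}" ]; then
        # subnet topology: local address plus netmask
        run ip netns exec "$NS" ip addr add dev "$dev" "$ifconfig_local/$ifconfig_netmask"
    elif [ -n "${ifconfig_remote:-}" ]; then
        # point-to-point topology: local and peer address
        run ip netns exec "$NS" ip addr add dev "$dev" local "$ifconfig_local" peer "$ifconfig_remote"
    else
        echo "ns_up: neither ifconfig_netmask nor ifconfig_remote is set" >&2
        return 1
    fi
}

# route-up: default route inside the namespace only.
ns_route_up() {
    if [ -n "${route_vpn_gateway:-}" ]; then
        run ip netns exec "$NS" ip route add default via "$route_vpn_gateway"
    else
        run ip netns exec "$NS" ip route add default dev "$dev"
    fi
}

# down: remove the namespace name; processes still inside keep only lo.
ns_down() {
    run ip netns delete "$NS"
}

case "${script_type:-}" in
    up)       ns_up ;;
    route-up) ns_route_up ;;
    down)     ns_down ;;
esac
```

A program is then started inside the namespace with `ip netns exec vpn` (dropping root afterwards, for instance through `sudo -u`); it sees only `lo` and the tunnel device, so the tunnel address is the only non-loopback address it can report.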


>DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8

You mean leaking to Google doesn't count as leaking?

Your namespaces suggestion is interesting, but easy and foolproof?


Your parent said:

"DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8."

... and you replied:

"You mean leaking to Google doesn't count as leaking?"

But I don't understand where the DNS leaks would be coming from if you are using an actual VPN for your entire network stack - wouldn't that tunnel all traffic (TCP and UDP) to your endpoint ?

How are you leaking DNS in that scenario ?


Two things should happen:

1) All network traffic should go through the VPN tunnel.

2) All DNS requests should be sent to the VPN provider's DNS server and not to the one configured in the OS.

If either or both of these two things isn't happening then it's a DNS leak.

If I understood correctly, then mahkoh was saying that (2) doesn't matter if the host DNS is configured to use Google's public DNS server 8.8.8.8. That's what I called "leaking to Google".


You can run a DNS resolver in the network namespace that forwards¹ to google DNS through the VPN.

¹ Or run your own recursive resolver


VPNs do exactly that when they are not broken. Ubuntu is broken and dangerously so.


I wouldn't say "easy"! I wrote up an article on running a single application in a vpn[1]. It was quite difficult to be honest having never used network namespaces before. Thankfully, someone else wrote a very useful guide which saved me a lot of time.

[1]: http://iamqasimk.com/2018/02/24/single-application-vpn/


>OpenVPN leaks DNS on every default Ubuntu installation I have tried. But I think it's actually Ubuntu NetworkManager's fault.

Yeah, that's known behaviour. I think it's working as intended from Ubuntu/NM's standpoint since that bug has been open for a while with no fixes. The one line fix for that is to comment out dns=dnsmasq in NM's config. This is the bug for reference: https://bugs.launchpad.net/ubuntu/+source/network-manager/+b...


>The one line fix for that is to comment out dns=dnsmasq in NM's config.

There is no such line on either of the two leaking systems I just checked.


use sshuttle --dns $server


>Clickbait?

Partially. Obviously, self-marketing was the motivation for this test. However, it is still a helpful reference. If your provider doesn't even release a properly configured VPN client, you might want to reflect on whether to rely on the rest of their infrastructure.

>Also if anonymity is of "real" concern

You're digressing. Whatever a user wishes to anonymize their information for can be a valid concern but that does not necessarily require absolute anonymity.


That tunnel won't help against real adversaries. Timing attacks and text content analysis will expose you. It's getting harder to be truly black online.


> text content analysis

The solution to that is to use memes and bad grammar. I am not kidding. Keep your messages really brief and have a community of people that talk in a very similar fashion to one-another.


I think reading TheShadowBrokers posts[0] is really interesting. Because they use really bad English. But it's consistent within one piece of text, but not always over multiple texts.

The only reason I can imagine they're writing this way is to foil stylometry.

[0] https://steemit.com/shadowbrokers/@theshadowbrokers/response...


I think this is how the birth of leetspeak came about, no? And why still a lot of "read me" files for pirated software use poor grammar.

Another option is to use translation services, en->fr->ja->de->en. Reread message -- does it say what you mean? If yes, go for it! If not, modify as needed.


Surely you mean an offline translation program, and not an online translation service like google's translator...


Oh, Google translate can mess up. There are also intentionally bad translators like https://lingojam.com/BadTranslator


I think the point is that the translation service logs will sell you out.


I can appreciate the use of Tails in a VM, but doesn't the provider of the "separate host system" have your identity through your payment information?


Running Tails in a VM is so your browser can't leak your real IP to the wider internet even if it wants to, because it doesn't know what it is. Your VM provider still knows your real IP address.


This is essentially the philosophy behind Whonix.

https://www.whonix.org/


It seems that main purpose of WebRTC was disclosing user's IP addresses. By the way, did you know that Websocket can be used for port scanning [1]? I was surprised to find that Aliexpress code scans 127.0.0.1 (visitor's computer) for VNC, RDP and similar ports.

[1] https://datatracker.ietf.org/meeting/96/materials/slides-96-...


Would enabling this uBlock option not be perfectly sufficient at preventing this attack?

https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...


It should unless this is something new? I'm not sure why this is really news. We've known about this problem with WebRTC for quite some time now.


For Firefox the following in about:config should do the trick.

    media.peerconnection.turn.disable = true
    media.peerconnection.use_document_iceservers = false
    media.peerconnection.video.enabled = false
    media.peerconnection.video.vp9_enabled = false
    media.peerconnection.video.h264_enabled = false
    media.peerconnection.identity.enabled = false
    media.peerconnection.identity.timeout = 1


I don't have a need for this high level of security, but if I did, here's what I'd do:

1. Run VPN software on host.

2. Download a widely used, generic VM image.

3. Route VM's entire network connection through host's VPN.

4. Do whatever you need to do, in the VM only.

5. Reset VM to initial settings after each use.

Am I missing anything?


VPN isn't leaking anything, your browser is.

A) Don't run javascript

B) Config your firewall to block everything except connection to the VPN entry point.


just for the record, "B" option is not helping here.


Please stop using clickbaity titles, first line that I saw in the post "I’ve tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC"

So, more appropriate title would have been "23% of VPN providers leak user IP" :)


While this has long been known, I was never able to actually reproduce this and I'm not sure how it's technically even supposed to work.

Assuming we're using IPv4, the default gateway is a VPN and the machine is behind a NAT: Any outside service (e.g. STUN server) would see the VPN's IP address. How would the browser even technically be able to know the public (i.e. the NAT's) IP address?

However, the WebExtensions API allows tweaking this via the webRTCIPHandlingPolicy to only reveal the public "interface" IP address.

FWIW, I'm always connected to a VPN and I have configured my macOS [0] and Android [1] firewalls to drop any connection other than the VPN's.

0: Wrote it down here: https://jomo.tv/security/pf-prevent-traffic-bypassing-vpn

1: Quite self-explaining: https://f-droid.org/packages/dev.ukanth.ufirewall/


Quite funny, I've published this yesterday and went unnoticed until now, lol


I was surprised it didn't tell me it was posted here before. I found the post and your comments on it over at /netsec.

Really appreciate your work on this!


Another thing to watch out for is leaking IPv6 connections. Depending on your configuration your VPN may not set the IPv6 default gateway.


I think it's a bit crazy Chrome web tools/inspector doesn't show these connections easily. You can check out chrome://webrtc-internals but most people just look at the network tab which shows nothing...


If you use computer/phone-based VPN, try https://www.dnsleaktest.com/ or http://dnsleak.com/

I have VPN on my home router with Tomato firmware. All of my devices pass this flawlessly.


Ahhh why is the scrolling messed up :/


I did find a bit of irony that the page warning about VPNs leaking my IP was hijacking my scrolling.


Anyone interested in setting up their own VPN should check out Algo: https://github.com/trailofbits/algo


What's the advantage of this over OpenVPN?


It's natively supported by more operating systems. Namely, macOS and iOS. Also generates mobileprofile files that you can AirDrop to your device and have it set up in an instant.


On the flipside, it introduces monstrous dependency (strongSwan) written in memory unsafe C, is nowhere near as flexible as OpenVPN and is blocked by many networks since it can't operate over arbitrary ports and forces you to manage/own the server-end.

1) If I wanted to do that, I'd use OpenVPN rather than strongSwan. They're both written in C, but I get extra flexibility by using OpenVPN. Their "TLS is suspect" stance doesn't hold water in my view.

2) When I don't want to set up my own server, OpenVPN allows me to use or even chain lots of third party servers and create my own nested VPN topologies. Installing an OpenVPN client on my phone or tablet takes a few minutes.

So, to summarize, Algo would be interesting if it didn't introduce dependency on memory unsafe code or minimized such dependency. But it doesn't. On the client, I do not see why I should trust Apple's IPSEC implementation (racoon?) more than OpenVPN client which is another point they tried to make. As it currently stands, it does not compare favorably to OpenVPN in any way.


What's so "legacy" about L2TP that it refuses to support it? Unlike others it's actually both secure and supported natively on most platforms...


Sorry, I'm not actually affiliated with the project, I just use it, so you'll have to shoot your question to the people behind it.


Not 'anyone'. Algo is not suitable for avoiding censorship, and it doesn't target this use-case.


I use it just to secure open or shifty public wi-fi in cafes and such. I do trust the data center the VPN terminates in more than the open wifi at the corner cafe, so it works for me.


FYI: Windows' built-in IKEv2 VPN client is not leaking IPs. Works great with Algo.


Or reconsider the need for a VPN at all. By using a VPN you cut yourself off from participating as an equal citizen on the net. If it's just for browsing the web, irc, or the like it's much easier and better just to use a socks 5 proxy to a cheap VPS. I like shadowsocks-libev.

But then again I don't use popular browsers that cram in fancy new features every week to expose new leaks and attack surfaces.


> By using a VPN you cut yourself off from participating as an equal citizen on the net.

What?


You can't host servers off a VPN. You don't have control or use of your own ports. You can consume and that's about it.


>You can consume and that's about it.

Uploading videos isn't "consuming". Writing blogs/articles isn't "consuming". Contributing to open source projects isn't "consuming". Neither of those activities require forwarded ports.


True enough. But they also aren't participating in the net. They're using other people and companies' resources to do things rather than participating yourself.

And that's bad because it leads to centralization. And centralization leads to perverse incentives to spy and censor.


You've got a weird definition of participation.


I’m not sure why you have that idea. I’m not entirely familiar with how most off-the-shelf VPN providers work, but I have a simple IKEv2 VPN hosted on Digitalocean that just gives me a public IP address, to which I can route a thing I want. This service appears to be specifically tailored for that use case, though I know nothing about it: https://staticvpnip.com


If I wanted to host servers, I'd host them somewhere else, not on my home internet connection.

I'm really not sure what point you're trying to make, or how you're defining "participating" in this context.


> If I wanted to host servers, I'd host them somewhere else, not on my home internet connection.

But why? You probably have a tens to hundreds of megabit connection that is always on. You have powerful computers that wouldn't even notice a webserver running. Buying a domain costs $8 and pointing it at home is as simple as changing the DNS entry a couple times a year or using DynDNS services.

And what you don't have is a need for all the complexity and requirements that most automatically assume they need just because they're drowning in them in their day job.

Hosting from home is more than enough for a personal website. It cuts the gordian knot of deciding what types of speech and content will be allowed on any given service. It prevents the perverse incentives of spying and selling users. It allows you to add things to your site on a whim just by copying a file to your web directory or opening a text editor. All the tools of your operating system, this refined and extremely usable software is now just there. Now you don't need a database. No need for a CMS. No need for scaling or containers or 99.9999% uptime.

Hosting from home allows you to participate in the 'net in a way that is just natural. When there's not 5 layers of abstraction between you and the web you really can participate and build whatever you want.

And since you don't need all that abstraction, dynamic content, and CMS (your OS is the CMS!) the security problems everyone loves to jump on simply vanish.

Say you want to monitor your logs, well, you don't need to go install some dynamic language parser and prettifier full of attack surfaces. You just tail the log and grep. You open it in OpenOffice if you really have to have a GUI. You can set alerts as easily as tailing a log.

You see day to day the type of bots, people, and referers and how they come to your site all without google analytics. You can respond to people using your site in real time; I love adding personal messages to people as they browse my site(s).

This is what I mean by participating in the net. Getting down into it. It's a beautiful thing and it solves so many problems that can't even be approached when you're using someone else's computer and someone else's connection.

And if you're in the USA you completely bypass third party doctrine and actually have an expectation of real privacy.

I just don't get the hostility to the concept I see on HN.


> Hosting from home is more than enough for a personal website. It cuts the gordian knot of deciding what types of speech and content will be allowed on any given service.

Cool, and then when I post something to my self-hosted blog that pisses someone off, my home internet gets DDoS'd and I lose my Internet access. It has happened before on IRC. I banned a user because they were spamming racial slurs, and they responded with a DDoS. I was offline for an hour while struggling to get someone on my ISP's support line that understood what it meant to force my IP address to change. Now I use an IRC bouncer in AWS to hide my home IP address.

> It allows you to add things to your site on a whim just by copying a file to your web directory or opening a text editor. All the tools of your operating system, this refined and extremely usable software is now just there. Now you don't need a database. No need for a CMS. No need for scaling or containers or 99.9999% uptime.

I think you misunderstand the reasons people use CMS. It makes it so I can just fill out a single text box and click "Post" and have all the indexes and links on the entire web site update automatically to include that post. I can allow people to write comments. I can create the ability for users of my site to search it.

And maximum uptime is still important. My home internet died shortly after I got to work a couple days ago, and I wasn't able to fix it until I got home. 10 hours of straight unplanned downtime is unacceptable for any server, even a personal website, IMO.

> And since you don't need all that abstraction, dynamic content, and CMS (your OS is the CMS!) the security problems everyone loves to jump on simply vanish.

The truth is quite literally the opposite. If I'm hosting it myself, and my server gets hacked, my entire home network becomes at risk.

> Say you want to monitor your logs, well, you don't need to go install some dynamic language parser and prettifier full of attack surfaces. You just tail the log and grep.

Uh...people can tail and grep logs from any server. You misunderstand; there's a reason people use dynamic language parsers and prettifiers. Looking at raw logs is awful. It's far easier to fire up a log analyzer and see "Oh, there are a lot of people making requests to X resource and it's creating a bottleneck."

> It's a beautiful thing and it solves so many problems that can't even be approached when you're using someone else's computer and someone else's connection.

It creates more problems than it solves. It puts my home network at risk. It makes me in charge of dealing with hardware failures. If whatever I'm hosting gets popular, I can't scale.

> I just don't get the hostility to the concept I see on HN.

Because what you're proposing shows extreme naivete.


>Because what you're proposing shows extreme naivete.

I've done it for 20 years without any of the problems you describe. I've never been DDoS'd at home but I suppose if you run in some circles it happens once or twice in a lifetime. On the other hand the servers and upstream of my paid VPS providers I run other websites on have been DDoS'd and usually once or twice a year. AWS isn't immune from other types of outages either. It's someone else's computer.

>Now I use an IRC bouncer in AWS to hide my home IP address.

If you can do that you can use simple ssh port forwarding of 80 to AWS (or whatever) too.

>10 hours of straight unplanned downtime is unacceptable for any server, even a personal website, IMO.

I've been offline some for tens of hours too but it didn't matter at all because I'm not running an ecommerce site or some business. Is your personal site really that important that it can't ever go offline for half a day? I'd argue that it isn't a personal site if you're using it as a reputation device for work or portfolio or the like. The inability to separate work from life complicates things.

> and see "Oh, there are a lot of people making requests to X resource and it's creating a bottleneck."

And if you don't bring the work mindset home and run all those pretty tools on your server with the $cms turnkey of the month you don't ever run into bottlenecks because you're not running excess crap with 5 more layers of abstraction that create things dynamically when there's no reason to.

> I can allow people to write comments. I can create the ability for users of my site to search it.

A comment system is a bit of a challenge with my mindset. You can always just embed something like Disqus but I know that's not a strong argument. I personally implemented it with a Perl script parsing the logs and editing text files and iframes plus 1 line of JS. While parsing, the Perl script only accepts characters from a list of something like 30 that are harmless. I admit this is definitely not for everyone.

As for search you and I both know that everyone only uses google anyway and it'll work better than whatever you implement.

> If I'm hosting it myself, and my server gets hacked, my entire home network becomes at risk.

The biggest security hole for everyone is using their browser for EVERYTHING by running JS apps instead of self-hosting and just using a native application on their OS. Some 0-day for nginx or $serversoftware is far less likely than the constant stream of browser exploits and far more likely to be patched quickly.

You keep saying it creates a security risk at home that doesn't exist otherwise. But that's only if you make it that way and even then it's magnitudes less of a risk than simply running a modern browser.


The WebRTC implementation in Firefox isn't as configurable as it could be, it just assumes that you are behind a firewall that doesn't understand SCTP so encapsulates everything in UDP and searches for the best way to escape to the internet.


I'm surprised to see NordVPN is leaking.

I see commercials everywhere all the time and it's #1 or #2 on most VPN reviews websites.

I was very tempted to switch, especially when their routers' firmware is available for the newest/coolest routers out there; but kind of got used to ExpressVPN over the years, so went with them and their firmware for NETGEAR Nighthawk R7000 is very easy to use. Glad to see ExpressVPN is not leaking and I continue not to find any bad news about them (versus HideMyAss for example LOL)


> I see commercials everywhere all the time ...

That's because of their marketing budget.

> ... and it's #1 or #2 on most VPN reviews websites.

That's because of their affiliate programs.


NordVPN does not leak. Long time user. Simple test after acquiring free three day trial would be enough to clear any doubt, however people just love to speculate.


I think I've started reading suggestions to disable WebRTC at least a couple of years ago in regards to avoid VPN detection from Netflix, so I thought it was a common knowledge.


FWIW, Safari does not include your local IP address in the list of candidate addresses for WebRTC until you also authorize the page to access your camera.


Heh, this WebRTC story is at least a few years old and everyone privacy / security aware is blocking it.

For testing webrtc and other leaks including fingerprinting rather use https://browserleaks.com/

(and it is unable to capture any exposing data for my browsers on any of my devices)


BTW I think I would love a "VPN" (the term itself is misused massively, oftentimes it is just a proxy) accessed via WebRTC so it would be harder for the men in the middle to tell whether I am using a "VPN" or just calling somebody. Perhaps people in countries like China could make great use of such a thing too.


Just tested this with http://www.ExpressVPN.com client on MacOS and it protected my IPv4 Public IP from being exposed but it does leak the local (NAT) IPv4 Private IP that I use on my internal network.

Not good that it leaked anything but at least the public IP is hidden by their software.
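
An added example, not part of the thread or of any VPN vendor's code: a JavaScript audit of ICE candidate lines (the strings a page receives from `RTCPeerConnection` `icecandidate` events) that separates the two cases reported above, a public address other than the VPN exit versus a private LAN address. The function names, the treatment of CGNAT space as private and the sample candidates (documentation address ranges) are assumptions constructed for illustration.

```javascript
'use strict';

// Classify an address taken from an ICE candidate line.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';            // mDNS-obfuscated host candidate
  if (a === '0.0.0.0' || a === '::') return 'unspecified';
  const m = a.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (m) {
    const o1 = Number(m[1]), o2 = Number(m[2]);
    if (o1 === 127) return 'loopback';
    if (o1 === 169 && o2 === 254) return 'link-local';
    // RFC 1918 ranges plus 100.64.0.0/10 (CGNAT), treated as private here (assumption).
    if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
        (o1 === 192 && o2 === 168) || (o1 === 100 && o2 >= 64 && o2 <= 127)) return 'private';
    return 'public';
  }
  if (a.includes(':')) {
    if (a === '::1') return 'loopback';
    if (/^fe[89ab][0-9a-f]:/.test(a)) return 'link-local';  // fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return 'private';     // unique local, fc00::/7
    return 'public';
  }
  return 'unknown';
}

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  const i = f.indexOf('raddr');   // related (base) address on srflx/relay candidates
  return { address: f[4], type: f[7], related: i !== -1 && f[i + 1] ? f[i + 1] : null };
}

// Report which addresses a page could read, given the address the VPN is expected to show.
function auditCandidates(lines, expectedExitIp) {
  const report = { publicLeaks: [], localLeaks: [], harmless: [] };
  const seen = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.related]) {
      if (!addr || seen.has(addr)) continue;
      seen.add(addr);
      const scope = classifyAddress(addr);
      if (scope === 'public' && addr !== expectedExitIp) report.publicLeaks.push(addr);
      else if (scope === 'private' || scope === 'link-local') report.localLeaks.push(addr);
      else report.harmless.push(addr);
    }
  }
  return report;
}

// Constructed sample (documentation address ranges), not captured from a real session.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.42 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.42 rport 54321',
  'candidate:3 1 udp 1686052351 198.51.100.23 61001 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 2122194687 3f1c2a9e-5b7d-4c1e-9a60-0d2f8e4b7c11.local 54322 typ host',
];
const SAMPLE_REPORT = auditCandidates(SAMPLE, '203.0.113.7');
```

An empty `publicLeaks` with a non-empty `localLeaks` is the result described in the comment above: the public address stays hidden while the LAN address is still readable by the page.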


Looks like this Chrome plugin allows you to turn on / off WebRTC and fixes the leak. https://chrome.google.com/webstore/detail/webrtc-control/fjk...


Complete list of tested browsers and VPN providers: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5...


This has been known for a long long time, but keeps coming up in articles as a new finding.


If it's been known for a long time, then it's really unfortunate that nobody so far has bothered to contribute a fix to FF that changes its WebRTC config flags correctly when a network proxy is configured.


uBlock Origin has an option to do it[1].

[1] https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...


Never used it before but will do so now, Thank you!


I authored http://jsfiddle.net/alokmenghrajani/0qo4kq7x/ over 3 years ago...


FWIW, various arbitrarily strung together components (your OS, DNS, VPN, Browser, WebRTC) are not going to guarantee anonymity. Simply because it is not their job.

The only possible solution is a piece of software that guarantees end-to-end privacy by literally standing guard at each end (from the moment you connect to your network with your hardware MAC address exposed to the final moment when a web page is retrieved for you from your destination website).

Shameless plug: my project proposes to do exactly this. https://qwaitwhat.github.io/


Every browser should have settings to disable WebRTC and it should arguably be disabled by default.

It can be very useful, but can also cause a lot of problems.


It's 503 for me. Here's an archived copy:

https://archive.is/XHX74


Given that it's hard to figure out how they could be profitable, should we assume private internet access is a NSA honeypot?


Seems very unlikely to me.

Both the founder (Andrew Lee) and the CEO (Ted Kim) are known in the industry, have made their views on encryption and authoritarianism pretty clear in interviews, articles, and even full-page ads in the NYT and WaPo to argue for broadband privacy[0] and encryption.

PIA also seems pretty profitable; they certainly have enough to contribute to various open source projects, join pro-net-neutrality lobbying efforts like Fight For the Future, saved the Linux Journal from death (considered an "extremist forum" by the NSA's XKeyScore), and pay to keep Freenode ticking over (they also do loads of glitzy events for the Korean-American community).

You could argue that all of this is an elaborate hoax of course, but you could do that with anything.

[0]: https://twitter.com/Hunckler/status/846204241731575808


What's your take on the recent releases that claim that the US government is funding the Tor network and its development? Information obtained from FOIA requests.


They created Tor, and have been funding it from the start. This is not news.

Yasha Levine has been on a tear ‘exposing’ this for the last few years, but it’s not personally shocking to me.

Did you know that the US government funded Signal, too?


The US Government has a legitimate reason for creating and supporting mechanisms for anonymous Internet use by those under the control of oppressive regimes.

Other parts of the US Government appear to have a desire to know everything about everyone all the time.

The "US Government" is not one thing, it's an enormous collection of agencies, bureaus, and humans, who sometimes have desires that are at odds with one another.


It's likely quite profitable, they don't buy bandwidth from Amazon, they get a few colo'd machines or dedicated servers in many DCs - you can get dedicated gigabit lines in several DCs for a few hundred a month. Most subscribers only use the service occasionally and won't place that much load on it.


I don't understand this. Is profitability the only metric for if a service can be trusted or not?

It's also not even mentioned in the article linked, not sure why you brought it up at all tbh.


Profitability (or the possibility of profitability) is absolutely a measure of whether something can be relied on. And if it can't possibly be profitable, then it means there is likely a non-obvious revenue stream or funding source, which means an ulterior motive.

So yeah, if a service can't be profitable, it can't be trusted.


A decent emergency medical response service is never profitable.

It requires a vast amount of hospitals to ensure that there is one local enough to wherever you get ill or injured and they all have to be staffed by lots of different highly qualified specialists who are in as regular practice as possible.

If you were going to require that they be profitable, there simply are not enough rich people for the doctors to work on in order to stay in good practice, or to pay for enough suitably equipped hospitals to ensure a short travel time in an emergency.


In the US, we essentially do require that they all be profitable or else not exist at all. This is "solved" by just charging you (or your insurance company) tons of money if you actually need to use it. A medical emergency requiring an ER and an ambulance can easily cost as much or more than an ordinary person will earn in their whole lifetime.


> A medical emergency requiring an ER and an ambulance can easily cost as much or more than an ordinary person will earn in their whole lifetime.

The majority of hospitals with E.R. in the US are non-profits that receive federal subsidies to help them exist.


But not enough subsidy that they are remotely affordable, hence the outrageous bills foisted upon individuals.


Good point. I should have been more clear about "non-obvious" funding sources. If a service isn't profitable, but has a clear funding source (philanthropy, government, etc), that is a little different. But the motive for that funding would need to be clear as well.

So yeah, charities can be ok.


I can see where you are coming from, I just think obvious profitability is a poor heuristic for trust, not only due to altruism, but also because some people like showing off, some people are pure hobbyists, some people are trying to make art and many people are just downright weird, though not necessarily in a way that is going to really do much damage.

It isn't always as simple as looking for an obvious motive, though I would agree to always keep an eye out for where the money comes from and if there is a game and if you are a mark. However that should apply whether or not something looks profitable on the surface, otherwise you drop all cynicism the moment someone tells you the right story.


Makes total sense -- if they aren't making money on the service they sell they will naturally have to do something else to keep the lights / servers on.


I worked at a well-known civil rights advocacy nonprofit for a long time and Private Internet Access was one of our major supporters. The owner is a huge ally of Internet freedom and privacy - a very good person who is an activist in their own way and using their success to make a positive impact.

So perhaps I'm biased (even though I'm not in nonprofit anymore), but I would put the chance of an NSA honeypot at close to 0%...


Krita’s 4.0 release was on here recently, which reminded me of this https://krita.org/en/item/krita-foundation-update/

PIA put up £20,000 to keep them going after a tax mixup dropped a large bill on the foundation.

Of course, it could conceivably all be government funded philanthropy to make them look like the good guys, but there’s no evidence to suggest that.


Bandwidth is cheap, massive overcommitment. Why wouldn't it be profitable?


What you say concerns me as a PIA user. What do you base your allegations on? It seems that PIA sponsors a lot of organizations [0], which I don't think they would if they were not profitable.

[0] https://www.privateinternetaccess.com/pages/companies-we-spo...


My VPN provider is listed as "vulnerable" but testing with their test site does not show IP leak...


Which one?


One reason I don't want my browser to become a fucking operating system.

We already have Emacs for that. ;-)


This is old news tho, I was aware of this for ages. If you check privacy websites that's one of the first things they say, turn off WebRTC in your browser.


Use the VPN on your gateway / router, problem solved.


This is a terminology problem. If you are using a VPN, a browser could not possibly leak your real IP, as all traffic would be encapsulated by the VPN.

What is being described is actually a proxy.


Maybe the browser should not have access to your real IP when you are using a VPN? So it's the OS's fault?



