WebRTC on the New York Times – Not as an Article or a Video Chat Feature

WebRTC has been mentioned with regards to the New York Times. It isn't about an article covering it - or a new video chat service they now offer.

I was greeted this weekend by this interesting tweet:

https://twitter.com/incloud/status/619624021123010560

I haven't been able to confirm it - didn't find the culprit code piece in the several minutes I searched for it, but it may well be genuine.

The New York Times may well be using WebRTC to (gasp) find your private IP address.

In the WebRTC Forum on Facebook, a short exchange took place between Cullen Jennings (Cisco) and Michael Jerris (FreeSWITCH):

Cullen: I've been watching this for months now - Google adds served on slash dot for example and many other sites do this. I don't think it is to exactly get the local ip. I agree they get that but I think there is more interesting things gathered as straight up fingerprinting.

Michael: local ip doesn't seem that useful for marketers except as a user fingerprinting tool. They already have your public ip, this helps them differentiate between people behind nat. it's a bit icky but not such a big deal. This issue blows up again when someone starts using it maliciously, which I'm sure will happen soon enough. I don't get why exactly we don't just prompt for this the same way we do camera and mic, it wouldn't be a huge deal to work that into the spec. That being said, I don't think it's actually as big of a deal as it has been made either

Cullen: It's not exactly clear to me exactly how one uses this maliciously. I can tell you most peoples IP address right now 192.168.0.1 and knowing that a large percentage of the world has that local IP does directly help you hack much. To me the key things is browsers need to not allow network connections to random stuff inside the firewall that is not prepared to talk to a browser. I think the browser vendors are very aware of this and doing the righ thting.

My local IP address is 10.0.0.1 which is also quite popular.

In recent months, we've seen a lot of FUD going on about WebRTC and the fact that it leaks local IP addresses. I've been struggling myself in trying to understand what the fuss is. It does seem bad, a web page knowing too much about me. But how is that hurting me in any way? I am not a security expert, so I can't really say, but I do believe the noise levels around this topic are higher than they should be.

When coming to analyze this, there are a couple of things to remember:

• As Cullen Jennings points out, for the most part, the local IP address is mostly known. At least for the consumers at home
• We are already sharing so much about ourselves out of our own volition, then I don't see how this is such an important piece of information we are giving away now
• The alternative isn't any good either: I currently have installed on my relatively new laptop at least 4 different communication apps that have "forced" themselves on my browser. They know my local IP address and probably a lot more than that. No one seems to care about it. I can install them easily on most/all enterprise machines as well
• Browser fingerprinting isn't new. It is the process of finding out who you are and singling you out when you surf across the web through multiple websites. Does it need WebRTC? Probably not. Go on and check if your browser have a unique fingerprint - all of the 4 browsers I checked (on 3 devices, including my smartphone's) turned out rather unique - without the use of WebRTC
• The imminent death of plugins and the commonality of browsers on popular smartphones means that browser fingerprints may become less unique, reducing their usefulness. WebRTC "fixes" that by adding the coupling of the additional local and public IP address information. Is that a good thing? A bad thing?

One thing is clear. WebRTC has a lot more uses than its original intended capability of simply connecting a call.