WebRTC and WebGL Leaks: How to Fix and Prevent Them

Laptop computer with audio and video icons over the screen and water tap, alert icon
Click here for a summary of this article
A Quick Guide: WebRTC and WebGL Leaks

Countless users will tell you they downloaded a Virtual Private Network (VPN) so they can be more anonymous online. Whether it’s bypassing oppressive government censorship or dodging unwanted online trackers, protecting one’s identity has become paramount in today’s online world.

But two persistent and sneaky vulnerabilities remain — WebRTC (Real-Time Communication) and WebGL (Graphics Library) leaks. WebRTC can give away your true location through your IP address, while WebGL can leak information about your device. If you use a weak VPN service and standard settings on popular browsers (like Chrome) these leaks can still happen today. They can also put your privacy at risk through browser fingerprinting.

Our tests found that Surfshark and NordVPN consistently block WebRTC leaks.

If you’re looking to seal WebGL leaks, you’ll need to get a good private browser or adjust the settings on your current one. Whichever route you’d like to take, we’ve got you covered in our full guide below on WebRTC and WebGL leaks and how to fix and prevent them.

A Virtual Private Network (VPN) protects your data from hackers, advertisers, and other unwanted online trackers while keeping your privacy intact. VPNs do this by encrypting your internet traffic and assigning you an anonymous IP address. Unfortunately, online surveillance techniques are constantly evolving and becoming more sophisticated.

Not all VPNs are created equal, either. With a subpar service, parts of your identity could still be traced using browser fingerprinting, which makes use of WebRTC and WebGL leaks.

In this article, we’ll explain exactly what WebRTC and WebGL leaks are and why you need to be wary of them if you want to be completely anonymous online.


Browser Fingerprinting and WebRTC and WebGL Leaks

Browser fingerprinting iconWhen understanding WebRTC and WebGL leaks and how they affect privacy, it comes down to a new kind of online tracking called browser fingerprinting.

In order to protect your online privacy, you’ll have to stop this form of tracking. Browser fingerprinting attempts to assign a unique profile, or “fingerprint,” to your device based on your browser and settings.

Once you’ve been “fingerprinted,” online trackers can collect your internet patterns, behaviors, and interests — a serious privacy invasion that could be used for advertising or other purposes. WebRTC and WebGL form a crucial part of this fingerprint.


What are WebRTC and WebGL?

Security, audio and video iconSo, what are WebRTC and WebGL exactly? They are two plug-ins that have become a standard feature of most browsers, such as Chrome and Firefox.

These plug-ins were introduced to enhance your overall browsing experience and provide compatibility with other programs. Unfortunately, they also decrease your online anonymity. While WebGL is generally a strong indicator of your browser’s capabilities and other hardware information, WebRTC will sometimes accidentally leak your real IP address — revealing your true location.

WebRTC (Web Real-Time Communication)

WebRTC is a critical software specification for incorporating real-time streaming elements between browsers and devices via the HTML5 standard. Essentially, it is needed for audio and video (peer-to-peer) communications on the web.

Thanks to modern APIs (bundled software functions) WebRTC enables you to video chat directly from your browser, so you don’t have to install video conferencing software, like Skype or Zoom.

WebGL (Web Graphics Library)

WebGL, on the other hand, enables hardware rendering of 3D graphics within your browser, if your computer is capable. While WebRTC leaks your public IP address, WebGL can leak information about your device’s hardware — like your device’s operating system (OS) and browser.

Websites use all of this information to construct the unique “fingerprint” used to identify you.


How Does WebRTC Leak My Real IP Address?

One of the main reasons people use a VPN is to hide their real IP address. This helps them remain anonymous and secure. But WebRTC has access to your real IP address. Once your browser asks for permission to connect to your camera or microphone, your public IP address has to be transmitted in order to establish the connection. This direct connection allows you to easily video chat within the browser, but it also betrays your real location.

Sometimes, the peer-to-peer functionality of WebRTC has to send out your real IP address in order to work in what is known as WebRTC peering. Some VPNs will hide a computer’s public IP address from WebRTC, but not all manage to do so.


Which VPNs Protect You Against WebRTC Leaks?

What to Look for When Choosing a VPN iconAt the time of writing, only two major VPN providers consistently passed our WebRTC leaks test: Surfshark and NordVPN.

Other VPN providers are capable of neutralizing WebRTC leaks but aren’t consistent enough to stop them entirely. Most budget or free VPN providers don’t even try to stop WebRTC leaks. If you’re looking for top-tier security and anonymity, this problem emphasizes the importance of choosing a reliable and established VPN, rather than just searching out a freebie.

Surfshark: Protection against WebRTC leaks, top speeds, best price

Screenshot of Surfshark VPN provider website homepage

Surfshark is one of the best VPN providers at the moment. It is also, interestingly enough, one of the cheapest. Throughout our tests (we’ll show you how to do those yourself later), it repeatedly kept us safe from WebRTC leaks. Surfshark also has over 3,200 servers in 65 countries around the world, all offering top speeds and secure connections.

It works with some of the strongest encryption protocols available and allows you to simultaneously connect with as many devices as you’d like. Surfshark is a great VPN for WebRTC leak protection, has top-of-the-line security features, great speeds, and an unbeatable price. You can try it out for 30 days by taking advantage of Surfshark’s free money-back guarantee.

Surfshark
Deal:
Safe and anonymous internet for only $2.05 a month
From
$2.05
9.0
  • Very user-friendly and works with Netflix and torrents
  • 30-day money-back guarantee. No questions asked!
  • Cheap with many extra options
Visit Surfshark

NordVPN: Seals WebRTC leaks, top security protocols at lightning-fast speeds

Screenshot of NordVPN website homepage with added logo in the corner

NordVPN is another of our favorite, security-geared VPN services. It is affordable, offers over 5,400 servers in 50 countries all across the globe, and works on nearly all operating systems. They have a strict no-logging policy, and also prevent WebRTC leaks consistently and reliably, so you can be sure your data is safe and remains anonymous.

Besides that, NordVPN is easy to install and has a clear, user-friendly interface, making it pleasant software to use on a daily basis. You can try NordVPN out free for 30 days to see if you’d prefer its WebRTC protection over Surfshark’s.

NordVPN
Our pick
Our pick
Deal:
Only $2.99 a month for a two-year subscription with a 30-day money-back guarantee!
From
$2.99
9.3
  • Excellent protection and a large network of servers
  • Nice and pleasing application
  • No logs
Visit NordVPN

How Do I Check Whether My Browser is Leaking Private Information?

Image showing microscope looking at the folderThere are multiple websites you can use to check whether your browser is leaking any of your personal information. With a simple click, you’ll see these sites can read your IP address, the type of operating system you use, and your browser, among other data.

Check WebRTC leaks

If you’re checking for WebRTC leaks, it’s especially important to check if your real public IP address is exposed. When we used NordVPN and Surfshark on these sites, our WebRTC IP address showed up as the VPN’s anonymous IP, and not our true IP — which is exactly the outcome you want.

https://vpnoverview.com/wp-admin/Your public IP address is the address you send out to any other online entities, such as websites, cookies, trackers, etc. Some of the best testing sites are:

Check WebGL leaks

VPNs can protect your true location and identity, but unfortunately, WebGL can still give away some information on your hardware, like your browser and operating system. You can check exactly which information you’re leaking with Browserleaks. While WebGL doesn’t give away your IP address like WebRTC has a tendency to do, it does contribute to creating a unique browser fingerprint.

In the table below, you can see a number of WebGL functions taken from the Microsoft Edge browser as well as Firefox. Take notice that as Firefox is a more privacy-oriented browser, there are fewer functions than Edge.

Supported WebGL Extensions (Edge)Supported WebGL Extensions (Firefox)
WEBGL compressed texture s3tcEXT color buffer float
OES texture floatEXT float blend
OES texture float linearEXT texture compression bptc
EXT texture filter anisotropicEXT texture filter anisotropic
OES standard derivativesOES texture float linear
ANGLE instanced arraysWEBGL compressed texture s3tc
OES element index uintWEBGL compressed texture s3tc srgb
WEBGL depth textureWEBGL lose context
EXT frag depth
OES texture half float
OES texture half float linear
WEBGL lose context
OES vertex array object
WEBGL draw buffers
EXT blend minmax
EXT shader texture lod
EXT color buffer half float
WEBGL color buffer float
WEB GL debug renderer info

How Do I Prevent WebRTC and WebGL Leaks?

Using a top-tier VPN service like Surfshark or NordVPN is the starting point for preventing WebRTC and WebGL leaks. These VPN providers have built-in protection against such leaks — especially WebRTC. However, VPNs cannot make up for all information points being leaked. This has to be manually adjusted by the user for each browser, to whatever extent is possible.

Of course, if you choose to use a subpar VPN, or no VPN at all, it’s necessary to download and install a special extension, like uBlock Origin.

uBlock Origin

To prevent potential WebRTC leaks, you can use uBlock Origin. This is a reliable and trusted adblocker that is often regarded as one of the best free adblockers on the market. It’s completely free to use and works on Safari, Opera, Edge, Chrome, Firefox, Brave, and Epic Privacy Browser.

Simply download the extension to your browser, and you’re ready to go. You’ll be protected against most forms of online tracking and won’t have to see as many annoying ads as usual. uBlock Origin also easily disables the WebRTC functionality. All you have to do to make sure you’re protected is change a setting. Here’s how you do that:

  1. Click on the extension in the top-right corner of your browser.
  2. Click on the Settings icon on the far right, just below the big on/off switch.
  3. Check the box “Prevent WebRTC from leaking local IP address,” which is the third item under the “Privacy” tab.

Once you’ve done this, you can rest assured your browser leak your local IP address by means of WebRTC. You can now re-check if you are leaking with one of the checkers linked above.


WebRTC and WebGL Protection By Browser

Your browser can make a real difference when it comes to the amount of WebGL information that is being sent out. Because of that, the steps you have to take to protect your online traffic from WebRTC and WebGL leaks differ depending on which browser you have.

Below, we’ll show you how to improve your privacy on the most popular browsers out there today.

Firefox

Firefox Logo

We’re leading with Firefox because it’s the most easy-to-use, privacy-oriented browser we’ve come across. You can customize this browser as much as you’d like, and we’ve even compiled a complete guide on how to set up Firefox as an anonymous browser. Once you’ve changed those settings, only the Tor browser will offer more anonymity.

To withstand WebRTC and WebGL leaks and browser fingerprinting specifically, there are four important settings to tweak:

Setting 1: Block content and trackers

This setting will help you stop trackers and cookies from following you across the web. Click on the information symbol (the circle with the “i” in the middle) on the left side of the address bar. You’ll be shown this menu:

Firefox settings

Click on the wheel on the right side of “Content Blocking,” right next to “Custom.” Select the option “Custom” and check the boxes before “Trackers,” “Cryptominers,” and “Fingerprinters” as shown in the image below.

Firefox content blocking

You could also check the box in front of “Cookies” and choose “Cookies from unvisited websites” from the dropdown menu. This stops cookies from websites you haven’t visited from tracking you across the web. It’s even possible to block all cookies from third-party trackers, but this will seriously limit the browser’s ability to load a large number of websites.

Setting 2: Turn off WebRTC functionality

To prevent WebRTC leaks, type in “about:config” in the browser’s address bar and press Enter. You’ll be shown a warning, stating that changes you make might derail the browser. As long as you follow the steps lined out here and don’t change any additional settings, you won’t have to worry.

Click past the warning and type “media.peerconnection.enabled” in the search bar, as shown in the picture below. This setting is by default set to “True.” Right-click this setting and click “Toggle” to switch the value to “False.”

Firefox toggle options

Setting 3: Turn off WebGL

Similarly to turning off WebRTC, you can disable WebGL by typing in “about:config” in the address bar and searching for “webgl.disabled.” Toggle this setting to “True” by right-clicking on the toggle button to the right. Restart Firefox and you should’ve turned off WebGL.

Setting 4: Use the Trace extension

Trace is a browser extension that allows you to spoof different settings that make up your browser fingerprint. Although adding an extension to your browser goes a bit beyond changing basic settings, it can be very useful and we would heavily recommend it if you worry about browser fingerprinting.

The Trace extension gives you many different options to adjust your fingerprint. You can adjust your “Canvas,” “Audio,” “Screen Resolution,” “Hardware,” and many other functions. The picture below gives an idea of what this extension looks like.

Trace extension settings

Once you’ve added Trace to your browser, you can find the settings by clicking the extension in the top right corner. This will open a new tab, where you’ll have to click on Settings again.

Next, you can turn on “Trace Features,” “WebRTC Protection,” and “WebGL Fingerprinting Protection.” Your browser fingerprint will now no longer be as unique as before, which increases your online privacy.

Chrome

Google Chrome LogoThough it’s hands-down the world’s most popular browser, Chrome isn’t the safest option when it comes to protecting yourself against WebRTC and WebGL leaks. Its standard settings don’t do much to keep you anonymous.

However, there are many options to improve Chrome’s security. The easiest way is to add a number of extensions that allow you to spoof your WebRTC and WebGL settings.

There are multiple options available for WebRTC spoofing. Simply pick one of the extensions listed below and add them to your browser.

At the time of writing, there is only one extension that effectively helps you tackle the WebGL problem, and that’s WebGL Fingerprint defender.

Brave

Brave browser logo

The Brave browser runs on Chromium, an open-source project by Google. This means that all Google Chrome extensions also work for Brave. If you want to make this browser safer by adding extensions, you can use all of the programs mentioned above.

Additionally, you can play around with the settings in Brave to better protect yourself against cookies, trackers, and WebRTC leaks. Here are a few ways in which you can do that:

  • Use an anonymous search engine such as DuckDuckGo, Qwant, and Startpage. Make sure to set it as your default search engine. Don’t use Google, as Google is one of the biggest data harvesters in the world.
  • Go to “Settings” by clicking on the three stripes in the top-right corner of your browser. Scroll down to the section “Shields” and enable “Upgrade connections to HTTPS.” An HTTPS connection is safer than HTTP, so this option will help you protect your online privacy while browsing.
  • You could also check to see if you can “force” secure HTTPS connections under Privacy and Security if it is listed.
  • At the “Cookies” section of your settings, select “Only block cross-site cookies.” This will keep websites from following you across different parts of the internet.
  • Scroll down and go to “Additional Settings.” Check the option “Safe Browsing” if it is listed.
  • Minimize the chance of WebRTC leaks by selecting “Disable non-proxied UDP” underneath “WebRTC IP Handling Policy.” You could also choose to select one of the less safe options, such as “Default public interface only” or “Default public and private interfaces.” These options allow the browser to load certain WebRTC functions if a website requests it. However, they will also increase the risk of leaking private information. That’s why we recommend going for the safest option and disabling the function altogether.
  • Under the “Shields” tab you will find a “Block fingerprinting” option. Set that to “Strict.”
  • In that same area, set “Trackers & ads blocking” to “Aggressive.”
  • In the “Privacy and security” tab, untick any analytics, diagnostics and usage options.

Safari

Apple Safari Logo

The standard settings of Safari are set to block website requests that seek access to your camera or microphone. Default settings also hide your IP address. Because of that, you won’t have to worry too much about WebRTC leaking your real IP address.

Even so, you can completely disable WebRTC functionality in the settings, if you want to make sure your information stays safe. First, go to the Safari main menu. Under the “Develop” tab, go to the “WebRTC” tab and make sure “Legacy API” is disabled.

Secondly, in the settings, you can visit the “Experimental Features” section under the “Develop” tab. Here you can disable all features relating to WebRTC and WebGL except the “profile 2 codec.” You can also disable the “VP9 codec.” If for any reason you experience an issue with your browsing, write down what you’ve disabled so that you can turn it back on.

It’s also possible to install uBlock Origin. If you’re specifically looking for protection against potential WebGL fingerprinting, however, you’d be better off using a different browser.

Opera

Apart from adding uBlock Origin to your Opera browser, it’s also possible to alter the settings to increase your online safety.

To do so, type “WebRTC” into the search bar in the Settings menu. You will be shown four options, which correspond with four different levels of safety against WebRTC leaks. Set the WebRTC function to “Turn off proxied UDB.” Just as is the case with the Brave browser, you could also pick one of the other three options. However, this does mean that your browsing experience will be slightly less safe.

Tor

Tor The Onion Router LogoTor probably is the most private browser out there. With the Tor browser, users can browse the web pretty much anonymously, as the network that Tor uses consists of different nodes that reroute and encrypt your online traffic.

This browser also allows you to visit the dark web, although that can be very dangerous without taking the right safety measures.

Thankfully, the Tor browser is not susceptible to most WebRTC and WebGL leaks. The basic settings of Tor are so strict that the average user won’t need to install any extra extensions. Once you’ve turned off JavaScript in the “Safest” mode, you will be safe from most forms of online tracking.

However, the “Safer” mode will be more than enough for most. This doesn’t mean Tor is invulnerable to leaks or other vulnerabilities. If you want to learn more about these vulnerabilities, you can read our article on the safety of the Tor browser.

Edge

Microsoft Edge Logo

Microsoft Edge is undoubtedly the best and safest browser Microsoft has released so far. Unfortunately, Edge is less resistant to potential WebRTC and WebGL leaks than some other browsers. Edge uses these protocols by default and doesn’t allow you to disable them.

Should you want to continue using Edge, it’s best to protect yourself with other extensions such as uBlock Origin or the NordVPN browser extension.


Wrapping Up: Test Your Anonymity

The internet allows for a tremendous amount of information about its users to be stored and collected. This is done through website trackers, cookies, fingerprinting, and more. As a frequent internet user, it’s good to be aware of the different types of online identification that exist and the options available to protect yourself.

Each browser and VPN has its own strengths and weaknesses. We recommend checking out our list of the best internet browsers for your privacy, and couple that with either Surfshark or NordVPN, and you’ll be well-protected against WebRTC and WebGL leaks.

After you’ve made these tweaks, you can revisit one of the anonymity checking sites via the links above and see if your WebRTC leak is sealed, and your anonymity score has improved. Need one more tip for the road? Most browsers will even perform better when these adjustments are coupled with the “Incognito” or “Private” browsing modes.

WebRTC and WebGL Leaks: Frequently Asked Questions

Got a question about WebRTC or WebGL leaks? We may have answered it already below.

WebRTC (Real-Time Communication) is a plug-in to makes it possible to stream peer-to-peer audio and video directly through your browser, rather than a video calling app. While WebRTC makes video calls more convenient, it has been known to accidentally leak true IP addresses. If you need a VPN with full WebRTC protection, make sure to read our full guide on WebRTC and WebGL.

To disable WebRTC, you’ll need to adjust your browser settings. We’ve compiled step-by-step guides on how to tweak settings on popular browsers like Firefox, Chrome and Brave, among others, in our full guide on WebRTC and WebGL leaks. If you’re concerned about WebRTC leaks, there are only a select few VPNs that we’ve found consistently provide protection.

WebGL (Graphics Library) is a plug-in that enables hardware rendering of 3D graphics in your browser. Though this extension improves your browsing experience, WebGL can leak hardware information about your devices — such as its operating system and browser. Check our full guide on WebRTC and WebGL leaks for more information and fixes.

VPNs with weak security measures will not stop WebRTC leaks. You’ll need a premium service with high-level security protocols. We’ve found that NordVPN and Surfshark both offer consistent protection against WebRTC leaks, keeping your true IP address from being discovered by online trackers.

Cybersecurity analyst
David is a cybersecurity analyst and one of the founders of VPNoverview.com. Since 2014 he has been gaining international experience working with governments, NGOs, and the private sector as a cybersecurity and VPN expert and advisor.
2
Comments
Leave a comment
  1. Explain what the acronyms mean up front, at the top, otherwise we are left dangling, so to speak, without the key thing you are painstakingly explaining.

    Otherwise, thanks. Good stuff. Sad I have to lie and make up name and email. The whole point of visiting you is to maintain best practices before doing other things. Surrendering info unnecessarily results in the opposite. I do not like to lie at all.

    Roger?

    • Thank you for your feedback! The reason we ask you to leave a name and email is so we and other readers are more easily able to navigate the comments and make sense of conversations. Your email won’t be shared with anyone – it’s just to notify you when someone replies to your comment. We understand that many of our users will not use their real names and emails, and we even encourage this: privacy is one of our main concerns, after all. You’re always welcome to use a private and anonymous email, such as ProtonMail, as well.

Leave a comment