WebRTC and WebGL leaks

A VPN vulnerability: What are WebRTC and WebGL leaks?

Last edited: August 20, 2020
Reading time: 14 minutes, 35 seconds

A VPN (Virtual Private Network) protects your data from hackers, advertisers, and many other unwanted online trackers and keeps your privacy intact by encrypting your internet traffic. Unfortunately, online surveillance techniques are consdtantly changing and becoming more sophisticated. Even with the safety of a VPN, your identity might still be traced using new techniques such as browser fingerprinting, which makes use of WebRTC and WebGL leaks.

In this article, we’ll explain exactly what WebRTC and WebGL leaks are and why you might want to be weary of them if you want to be completely anonymous online.

Browser Fingerprinting

Browser Fingerprinting ComputerBrowser fingerprinting is a prime example of a new kind of online tracking. If you truly want to protect your online privacy, you’ll have to put in even more of an effort to stop this form of tracking. Browser fingerprinting is a technique that attempts to assign a unique profile to you based on your browser and computer settings. WebRTC (Web Real-Time Communication) and WebGL (Web Graphics Library) form an important part of this fingerprint and can reveal your IP address as well as a lot of other personal information – even when you use a VPN. So, what are WebRTC and WebGL exactly? Here are the facts.

WebRTC and WebGL fingerprints

WebRTC and WebGL are two plug-ins that have become a standard feature of most browsers, such as Chrome and Firefox. WebRTC enables you to video chat directly from your browser, so you don’t have to install and open a separate piece of software, like Skype. On the other hand, WebGL enhances and enables the rendering of 3D graphics within your browser, allowing for hardware acceleration if your computer has a graphics card.

These two plug-ins were introduced to enhance your overall browsing experience. Unfortunately, they also decrease your online anonymity. While WebGL is generally a strong indicator of your browser fingerprint, WebRTC will sometimes accidentally leak your real IP-address, even if you use a VPN.

How does WebRTC leak my real IP address?

Many people use a VPN in order to hide their real IP address. This helps them remain more anonymous and secure. Sometimes, however, the peer-to-peer functionality of WebRTC has to send out your real IP address in order to work. Once your browser asks for permission to connect to your webcam, your IP address has to be transmitted in order to establish the connection. This direct connection allows you to easily videochat within the browser, but also betrays your real location.

Your IP address could even be leaked without your consent. Through the clever use of JavaScript, a website could gather a lot of personal information about your computer and identity. This type of leak is often referred to as ‘a persistent vanilla leak’. Most popular VPNs claim to protect you against this invasion of your privacy, but not all of them actually do.

Which VPNs protect you against WebRTC leaks?

As of December 2019, only two popular VPN providers consistently pass the WebRTC leaks test: ExpressVPN and NordVPN. Other VPN providers are capable of neutralizing the WebRTC leak on occasion, but aren’t consistent enough to disregard the problem altogether. Most budget or free VPN providers don’t even try to solve the WebRTC leak. This problem emphasizes the importance of choosing a reliable, established VPN provider, rather than going with a cheap or free one.

ExpressVPN

ExpressVPN is arguably one of the very best VPN providers of this moment. Although it isn’t the cheapest option out there, it’s a service you can rely on. Besides keeping you safe from WebRTC leaks, ExpressVPN also has thousands of servers all over the world. It works with some of the strongest encryption protocols out there and allows you to connect with up to five different devices on one account at the same time. It’s an all-round great VPN when it comes to speed and safety.

ExpressVPN
Our pick
Our pick
Deal:
3 months for free with a one-year subscription
9.5
  • Very easy to use VPN
  • Perfect for anonymous browsing, downloading, and streaming (i.e. Netflix)
  • 3000+ servers in 94 countries
Visit ExpressVPN

NordVPN

Just like Express, NordVPN is among our favourite VPN services. It is affordable, offers over 5000 servers in locations all across the globe and works on nearly all systems. They have a strict no logging policy, and also prevent WebRTC leaks, so you can be sure your data is safe and remains anonymous. Besides that, NordVPN is easy to install and has a clear user-interface, making it pleasant software to use on a daily basis.

NordVPN
Deal:
Only $3.71 a month for a 2-year subscription
9.3
  • Excellent protection and a large network of servers
  • Nice and pleasing application
  • No logs
Visit NordVPN

How do I check whether my browser is leaking private information?

There are multiple websites you can use to check whether your browser is leaking any of your personal information. Some of the best are:

These websites will tell you whether your browser is leaking any unwanted data. If you’re checking for WebRTC leaks, it’s especially important to look whether there’s a difference between your public and your local IP address. Your public IP address is the address you send out to any other online entities (websites, cookies, trackers etc.). Your local IP address is associated with your router. Both of these IP addresses can be falsified. The important thing is to make sure neither of these IP addresses is your real one.

While WebGL doesn’t give away your IP address like WebRTC has a tendency to do, it does contribute to creating a unique browser fingerprint. This fingerprint is another way of identifying you, regardless of your IP address. In the table below, you can see a number of WebGL functions taken from the Microsoft Edge browser as well as Firefox.

Supported WebGL Extensions (Edge) Supported WebGL Extensions (Firefox)
WEBGL compressed texture s3tc EXT color buffer float
OES texture float EXT float blend
OES texture float linear EXT texture compression bptc
EXT texture filter anisotropic EXT texture filter anisotropic
OES standard derivatives OES texture float linear
ANGLE instanced arrays WEBGL compressed texture s3tc
OES element index uint WEBGL compressed texture s3tc srgb
WEBGL depth texture WEBGL lose context
EXT frag depth
OES texture half float
OES texture half float linear
WEBGL lose context
OES vertex array object
WEBGL draw buffers
EXT blend minmax
EXT shader texture lod
EXT color buffer half float
WEBGL color buffer float
WEB GL debug renderer info

Note that there are fewer functions displayed in the Firefox browser than in Edge, meaning there are fewer points of identification for Firefox. In other words, Firefox is the more secure and private of the two, because it has less WebGL functions that are allowed to run in the browser.

How do I prevent WebRTC and WebGL leaks?

If you use a top-tier VPN service like ExpressVPN or NordVPN, you don’t have to worry. These VPN providers have built-in protection against such leaks. However, if you use one of the many other VPN providers or no VPN at all, it’s necessary to download and install a special extension.

uBlock Origin

To prevent potential WebRTC leaks, you can use uBlock Origin. This is a reliable and trusted adblocker that is often regarded as one of the best free adblockers on the market. It’s completely free to use and works on Safari, Opera, Edge, Chrome, Firefox, and Brave. Simply download the extension to your browser, and you’re ready to go. You’ll be protected against most forms of online tracking and won’t get to see as many annoying ads as usual. uBlock Origin also easily disables the WebRTC functionality. All you have to do to make sure you’re protected, is change a setting. Here’s how you do that:

  1. Click on the extension in the top-right corner of your browser
  2. Click on the settings icon on the far right, just below the big on/off switch
  3. Check the box “Prevent WebRTC from leaking local IP address“, which is the third item under the “Privacy” tab

Once you’ve done this, you can rest assured your browser won’t be leaking your local IP address by means of WebRTC.

WebRTC and WebGL protection for each browser

As mentioned before, your browser can make a real difference when it comes to the amount of WebGL information that is being sent out. Because of that, the steps you have to take to protect your online traffic from WebRTC and WebGL leaks differ depending on which browser you have. Below, we’ll tell you how to improve your privacy on most popular browsers.

Chrome

Google Chrome LogoUnfortunately, the Chrome browser isn’t the safest option when it comes to protecting yourself against WebRTC and WebGL leaks. Its standard settings don’t do much to keep you anonymous. However, there are many options to improve Chrome’s security. The easiest way is to add a number of extensions that allow you to spoof your WebRTC and WebGL settings.

There are multiple options available for WebRTC spoofing. Simply pick one of the extensions listed below and add them to your browser.

At the time of writing, there is only one extension that effectively helps you tackle the WebGL problem, and that’s WebGL Fingerprint defender. There’s also an extension available that protects you from every form of browser fingerprinting. This extension, called Browser Plugs Fingerprint Privacy Firewall, will take a while to set up, but offers a wider range of protection.

Brave

Brave browser logo

The Brave browser runs on Chromium, an open-source project by Google. This means that all Google Chrome extensions also work for Brave. If you want to make this browser safer by adding extensions, you can use all of the programs mentioned above. Additionally, you can play around with the settings in Brave to better protect yourself against cookies, trackers and WebRTC leaks. Here are a few ways in which you can do that:

  • Use an anonymous search engine such as DuckDuckGo, Qwant and Startpage. Make sure to set it as your default search engine. Don’t use Google, as Google is one of the biggest data harvesters in the world.
  • Go to “Settings” by clicking on the three stripes in the top-right corner of your browser. Scroll down to the section “Shields” and enable “Upgrade connections to HTTPS“. An HTTPS connection is safer than HTTP, so this option will help you protect your online privacy while browsing.
  • At the “Cookies” section of your settings, select “Only block cross-site cookies“. This will keep websites from following you across different parts of the internet.
  • Scroll down and go to “Additional Settings“. Check the option “Safe Browsing“.
  • Minimise the chance of WebRTC leaks by selecting “Disable non-proxied UDP” underneath “WebRTC IP Handling Policy“. You could also choose to select one of the less safe options, such as “Default public interface only” or “Default public and private interfaces“. These options allow the browser to load certain WebRTC functions if a website requests it. However, they will also increase the risk of leaking private information. That’s why we recommend going for the safest option and disabling the function altogether.

Edge

Microsoft Edge is undoubtedly the best and safest browser Microsoft has releasedMicrosoft Edge Logo so far. Unfortunately, Edge is less resistent to potential WebRTC and WebGL leaks than some other browsers. Edge uses these protocols by default and doesn’t allow you to disable them. It does, however, give you the option of hiding your local IP address when making use of the WebRTC functionality. Do keep in mind that this is not nearly as safe as simply disabling these features altogether. Should you want to continue using Edge, it’s best to protect yourself with other extensions such as uBlock Origin or the ExpressVPN browser extension.

Safari

Apple Safari Logo

The standard settings of Safari are set to block website requests that seek access your camera or microphone. Because of that, you won’t have to worry too much about WebRTC leaking your real IP address. Even so, you can completely disable the WebRTC functionality in the settings, if you want to make sure your information stays safe. It’s also possible to install uBlock Origin. If you’re speficially looking for protection against potential WebGL fingerprinting, however, you’d be better off using a different browser.

Opera

Apart from adding uBlock Origin to your Opera browser, it’s also possible to alter the settings in Opera to increase your online safety. To do so, type “WebRTC” into the search bar in the Settings menu. You will be shown four options, which correspond with four different levels of safety against WebRTC leaks. Set the WebRTC function to “Turn off proxied UDB“. Just as is the case with the Brave browser, you could also pick one of the other three options. However, this does mean that your browser experience will be slightly less safe.

Firefox

Firefox Logo

The great thing about Firefox is that you can customize this browser as much as you’d like. In other words, the level of safety of Firefox depends on the way you configure it. By changing a few settings, you can turn it into the most private browser available (apart from the Tor-browser, that is). Want to know exactly which settings to change in order to make your Firefox browser withstand WebRTC and WebGL leaks as well as browser fingerprinting? Here are four important ones.

Setting 1: Block content and trackers

This setting will help you stop trackers and cookies from following you across the web. Click on the information symbol (the circle with the i in the middle) on the left side of the address bar. You’ll be shown this menu:

Firefox settings

Click on the wheel on the right side of “Content Blocking“, right next to “Custom“. Select the option “Custom” and check the boxes before “Trackers“, “Cryptominers“, and “Fingerprinters” as shown in the image below.

Firefox content blocking

You could also check the box in front of “Cookies” and choose “Cookies from unvisited websites” from the dropdown menu. This stops cookies from websites you haven’t visited from tracking you across the web. It’s even possible to block all cookies from third-party trackers, but this will seriously limit the browser’s ability to load a large number of websites.

Setting 2: Turn off WebRTC functionality

To prevent WebRTC leaks, type in “about:config” in the browser’s address bar and push enter. You’ll be shown a warning, stating that changes you make might derail the browser. As long as you follow the steps lined out here and don’t change any additional settings, you won’t have to worry. Click past the warning and type “media.peerconnection.enabled” in the search bar, as shown in the picture below. This setting is by default set to “True“. Right-click this setting and click “Toggle” to switch the value to “False“.

Firefox toggle options

Setting 3: Turn off WebGL

Similarly to turning off WebRTC, you can disable WebGL by typing in “about:config” in the address bar and searching for “enableWebGL“. Toggle this setting to “False” by right-clicking.

Setting 4: Use the Trace extension

Trace is a browser extension that allows you to spoof different settings that make up your browser fingerprint. Although adding an extension to your browser is something that goes a bit beyond changing basic settings, it can be very useful and we would heavily recommend it if you worry about browser fingerprinting. The Trace extension gives you many different options to adjust your fingerprint. You can adjust your “Canvas”, “Audio”, “Screen resolution”, “Hardware”, and many other functions. The picture below gives an idea of what this extension looks like.

Trace extension settings

Once you’ve added Trace to your browser, you can find the settings by clicking the extension in the top right corner. This will open a new tab, where you’ll have to click on Settings again. Next, you can turn on “Trace Features“, “WebRTC Protection”“, and “WebGL Fingerprining Protection“. Your browser fingerprint will now no longer be as unique as before, which increases your online privacy.

Tor

Tor The Onion Router LogoTor probably is the most private browser out there. With the Tor browser, users can browse the web pretty much anonymously, as the network that Tor uses consists of different nodes that reroute and encrypt your online traffic. This browser also allows you to visit the dark web, although that can be very dangerous without the right safety measures.

Thankfully, the Tor browser is not susceptible to most WebRTC and WebGL leaks. The basic settings of Tor are so strict that the average user won’t need to install any extra extensions. Once you’ve turned off JavaScript, you will be safe from most forms of online tracking. This doesn’t mean Tor is invulnerable to leaks or other vulnerabilities. If you want to learn more about these vulnerabilities, you can read our article on the safety of the Tor browser.

Conclusion

The internet allows for a tremendous amount of information about its users to be stored and collected. This is done through website trackers, cookies, fingerprinting and more. As a frequent internet user, it’s good to be aware of the different types of online identification that exist and the options available to protect yourself against this.

WebRTC and WebGL are two very persistent tracking methods used online. The fact that the WebRTC plugin could be leaking your real IP address even with an active VPN is particularly problematic. Therefore, it’s always a good idea to know how your browser implements this plugin and what you can do to change that. Each browser has its own strengths and weaknesses. Even so, our advice is to use Firefox as your standard browser. Firefox has many customizable features that allow you to turn it into a highly private and anonymous browser. With Firefox and a little bit of time spent in its settings, you’ll be well-protected against WebRTC and WebGL leaks.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of VPNoverview.com. Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.

More articles from the ‘Anonymous Browsing’ section

Comments
Leave a comment
2
Comments
  1. Explain what the acronyms mean up front, at the top, otherwise we are left dangling, so to speak, without the key thing you are painstakingly explaining.

    Otherwise, thanks. Good stuff. Sad I have to lie and make up name and email. The whole point of visiting you is to maintain best practices before doing other things. Surrendering info unnecessarily results in the opposite. I do not like to lie at all.

    Roger?

    • Thank you for your feedback! The reason we ask you to leave a name and email is so we and other readers are more easily able to navigate the comments and make sense of conversations. Your email won’t be shared with anyone – it’s just to notify you when someone replies to your comment. We understand that many of our users will not use their real names and emails, and we even encourage this: privacy is one of our main concerns, after all. You’re always welcome to use a private and anonymous email, such as ProtonMail, as well.

Leave a comment