According to research recently posted to reddit here, a new security vulnerability has been uncovered that affects both the Firefox and Chrome web browsers on Windows. This new IP check method allows websites to determine a web user's actual ISP-issued IP address, even when using a VPN. This is accomplished by running WebRTC JavaScript code within the visitor's web browser, and it can be executed behind the scenes without the user's prior knowledge. Android, Linux and Mac OS X versions of these web browsers do not appear affected at this time.
While developments like this can appear frightening, the good news is there is a simple fix. The real problem here however is not the fix, but rather the fact that many users will go about their day to day activities without knowledge of this flaw. It is important that you take a few minutes to make sure your system is patched.
More information on what this does is available from the researcher's GitHub page:
“Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a user's local and public IP addresses in javascript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”
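As an added example (not code from the researcher's demo or from this post), the following JavaScript checks ICE candidate lines, such as those listed in Firefox's about:webrtc or Chrome's chrome://webrtc-internals, for addresses other than the VPN exit. The function names, the sample lines and the VPN exit address are assumptions constructed for illustration.

```javascript
// Added example: audit ICE candidate lines for addresses a VPN should hide.
// Grammar: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (host|srflx|prflx|relay)\b/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4].toLowerCase() };
}

// True for RFC 1918 / link-local IPv4 and link-local / unique-local IPv6.
function isLocalAddress(addr) {
  if (/^(fe80:|f[cd][0-9a-f]{2}:)/i.test(addr)) return true;
  const p = addr.split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) || (p[0] === 169 && p[1] === 254);
}

// Returns one finding per candidate line; vpnExitIp is the address the VPN should present.
function auditCandidates(lines, vpnExitIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;                                            // not a candidate line
    let verdict;
    if (c.address.endsWith('.local')) verdict = 'masked';        // mDNS name, no IP shown
    else if (c.address === vpnExitIp) verdict = 'ok';            // only the tunnel exit is visible
    else if (isLocalAddress(c.address)) verdict = 'local-leak';  // LAN/interface address exposed
    else verdict = 'public-leak';                                // public IP other than the VPN exit
    findings.push({ address: c.address, type: c.type, verdict });
  }
  return findings;
}

// Constructed sample lines (documentation and private address ranges only).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 0f3c9a1e-1111-4222-8333-444455556666.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000',
];
const VPN_EXIT = '198.51.100.7';
console.log(auditCandidates(SAMPLE, VPN_EXIT));
```

Any `public-leak` or `local-leak` finding means the browser still hands addresses to page scripts that the tunnel was meant to hide.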
How to fix the WebRTC Security Hole
In the Chrome browser there is now a free extension available that will patch this problem directly. You can install this add-on from the Chrome Store here.
In Firefox, there are a few more steps to patch the problem. First, type “about:config” directly into the URL bar and hit enter. Then search for “media.peerconnection.enabled” and double click this option to set it to false.
Lockdown your Network with a VPN Router
Those who are accessing the VPN by means of a VPN router are not affected by this vulnerability; however, we do suggest fixing your browsers as a precaution. A VPN router runs the private tunnel directly and broadcasts the VPN via wifi so devices can connect to the network like they normally would. This leaves zero chance that a rogue script will be able to bypass the software VPN and find your ISP-issued IP address because the VPN is in fact running on your router. TorGuard’s VPN router store sells a variety of high speed VPN routers that are capable of securing any network without sacrificing privacy or performance.
FROM https://torguard.net/blog/browser-security-vulnerability-may-allow-real-ip-leak/
-------------------------------
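Test whether your VPN leaks your real IP
VPNs are considered a very secure method of network anonymity, but it was recently revealed that they are not as secure as people think: with just a simple piece of code placed on a website, the visitor's real IP address can be accurately determined. This is known as the WebRTC feature. The page below can test whether your VPN leaks your real IP (it cannot be viewed in older versions of IE).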
Demo for: https://github.com/diafygi/webrtc-ips
This demo secretly makes requests to STUN servers that can log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.).
Currently the WebRTC leak mainly shows up in browsers that support WebRTC, including Firefox and Chrome, but it can be prevented. In Chrome, use either one of the following two extensions:
- WebRTC Block: https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm?hl=en
- ScriptSafe: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en
------------
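[Preventing DNS/WebRTC leaks of your real IP]
Chrome: Enter chrome://flags/ in the browser address bar, change the experimental flags and enable "Disable WebRTC device enumeration..". Install the WebRTC Block extension https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm or:
The Google Chrome extension ScriptSafe.
If you use the Google Chrome browser, there is an extension called ScriptSafe that can effectively hide your IP address. It is very easy to install. Just go here and click "Add to Chrome", and it will be installed and automatically added to Chrome as an extension. Then check on this page whether your IP has been hidden.
Firefox: Enter about:config in the browser address bar and set the media.peerconnection.enabled switch to false.
Finally, open cmd with administrator privileges and enter this command to add a firewall rule:
netsh advfirewall firewall add rule name="webrtc" action=block protocol=udp dir=out remoteport=3478,3479
Test for WebRTC leaks: https://ipleak.net
Test for DNS leaks: https://dnsleaktest.com
Related post: http://briteming.blogspot.com/2015/03/webrtcchromefirefox.html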
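The firewall rule above matches only remote UDP ports 3478 and 3479, but a STUN server can listen on any port. As an added example (not from the original post), this JavaScript for Node.js recognises STUN messages by their RFC 5389 header instead of by port; the flow records, port 19302 and the function names are constructed for illustration.

```javascript
// Added example: recognise STUN by message content instead of by port.
const STUN_MAGIC_COOKIE = 0x2112a442;          // fixed value in bytes 4..7 (RFC 5389)
const BLOCKED_PORTS = new Set([3478, 3479]);   // remote ports matched by the netsh rule
const CLASSES = ['request', 'indication', 'success', 'error'];

// Returns { method, cls } for a STUN message, or null for anything else.
function parseStun(payload) {
  if (payload.length < 20) return null;                       // header is 20 bytes
  const type = payload.readUInt16BE(0);
  const bodyLength = payload.readUInt16BE(2);
  if (type & 0xc000) return null;                             // two leading bits are always 0
  if (payload.readUInt32BE(4) !== STUN_MAGIC_COOKIE) return null;
  if (bodyLength % 4 !== 0 || bodyLength + 20 !== payload.length) return null;
  // Method and class bits are interleaved in the 14-bit type field.
  const method = (type & 0x000f) | ((type & 0x00e0) >> 1) | ((type & 0x3e00) >> 2);
  const cls = ((type & 0x0010) >> 4) | ((type & 0x0100) >> 7);
  return { method, cls: CLASSES[cls] };
}

// Flags outbound UDP flows that carry STUN but fall outside the port rule.
function reviewFlows(flows) {
  return flows.map(({ remotePort, payload }) => {
    const stun = parseStun(payload);
    const blocked = BLOCKED_PORTS.has(remotePort);
    return { remotePort, isStun: stun !== null, blocked, missed: stun !== null && !blocked };
  });
}

// Constructed sample: a Binding Request (method 1, class request) with no attributes.
function bindingRequest() {
  const b = Buffer.alloc(20);
  b.writeUInt16BE(0x0001, 0);
  b.writeUInt16BE(0, 2);
  b.writeUInt32BE(STUN_MAGIC_COOKIE, 4);
  Buffer.from('0102030405060708090a0b0c', 'hex').copy(b, 8);  // transaction ID
  return b;
}

const SAMPLE_FLOWS = [
  { remotePort: 3478, payload: bindingRequest() },            // caught by the rule
  { remotePort: 19302, payload: bindingRequest() },           // same message, other port
  { remotePort: 53, payload: Buffer.alloc(28, 0x12) },        // not STUN: no magic cookie
];
console.log(reviewFlows(SAMPLE_FLOWS));
```

A `missed: true` entry is a flow the port-based rule lets through, which is why the browser-side settings above remain the primary fix.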
-----------
WebRTC for desktop is now in Firefox Nightly and is also in Firefox Aurora, though Nightly has the hottest up-to-date fixes.
We support mozGetUserMedia, mozRTCPeerConnection and DataChannels. We have a basic UI for mozGetUserMedia which we expect to be updating in the coming weeks.
Enabling WebRTC in Firefox
The code is behind a pref for now, pending more testing. To enable our WebRTC code in Firefox’s Nightly desktop build, browse to about:config and change the media.peerconnection.enabled preference to true.
Here are the 3 relevant prefs to getUserMedia() and mozRTCPeerConnection():
- media.navigator.enabled enables calls to mozGetUserMedia() only
- media.navigator.permission.disabled automatically gives permission to access the camera/microphone and bypasses the permission/selection dialog
- media.peerconnection.enabled enables use of mozRTCPeerConnection()
Note: media.peerconnection.enabled implies media.navigator.enabled has been set to true.
Demos & upcoming changes
There’s a lot you can do with these APIs, even today. For examples, check out our test landing page on GitHub. We’ll try and put up notices if you’re running an out-of-date browser — as well as news updates about important bug fixes and API changes there!
Upcoming changes include:
- Support for constraints (to getUserMedia and createOffer/Answer)
- Control of bandwidth, resolution, echo cancellation, etc.
- Statistics
- TURN support (to allow connections between devices behind symmetric NATs)
- Fixes for audio drift (progressive loss of A/V sync)
- Trickle ICE, rtcp-mux and BUNDLE support
- getUserMedia() UI updates
- And many bugfixes
To give you an idea of the power of these APIs, in a couple of days our team whipped up a Social API integration demo that allows you to video + text chat with your friends, drag-and-drop files to each other, drop links, tabs, etc, all making simple use of the DataChannel API.
The DataChannel API is quite simple on the surface, and has an API very similar to WebSockets. A quick example:
/**
 * Assume we've connected a PeerConnection with a friend – usually with audio
 * and/or video. For the time being, always at least include a 'fake' audio
 * stream – this will be fixed soon.
 *
 * connectDataConnection is a temporary function that will soon disappear.
 * The two sides need to use inverted copies of the two numbers (eg. 5000, 5001
 * on one side, 5001, 5000 on the other)
 */
pc.connectDataConnection(5001, 5000);

function handle_new(channel) {
  channel.binaryType = "blob";
  channel.onmessage = function(evt) {
    if (evt.data instanceof Blob) {
      console.log("I received a blob");
      // assign data to an image, save in a file, etc
    } else {
      console.log("I got a message: " + evt.data);
    }
  };
  channel.onopen = function() {
    // We can now send, like WebSockets
    channel.send("The channel is open!");
  };
  channel.onclose = function() {
    console.log("pc1 onclose fired");
  };
}

/* For when the other side creates a channel */
pc.onDataChannel = handle_new;

var channel = pc.createDataChannel("My Datastream", {});
if (channel) {
  handle_new(channel);
}
Filing bugs & moving forward
Progress on WebRTC (and bug-fixing) is rapid, and we encourage you to try it out and submit bugs. (We have plenty! But we’re nailing them as fast as we can, so make sure you’re on nightly and update regularly.)
Bug reports are highly appreciated. Please file them on Bugzilla under “Product:Core”, “Component:WebRTC”.
The team is both excited by all the progress, and exhausted. The work so far represents tons of hours of work from so many people on the Firefox team (too many people to name — especially because we don’t want to forget someone — but you know who you are!). Thank you to everyone who helped us land this “747” on the flight deck.
We’ll continue to blog regularly on our progress as we work to make this a great product feature for Firefox and the web.
------------
WebRTC Experiments & Demos » Source code on Github!
- RecordRTC — A library for cross-browser audio/video recording
- RTCMultiConnection — A JavaScript library for streams renegotiation and sharing; multi-session establishment and much more.
- DataChannel.js — A JavaScript library for data/file/text sharing!
- Pre-recorded media streaming — Most demanded and useful feature!
Group sharing
Screen sharing
- Plugin-free screen sharing — Demo-1 / Demo-2
- Tab sharing using tabCapture APIs — Demo / Download Extension
Part of screen sharing
One-to-One
Broadcasting
- SdpSerializer.js — The easiest way to modify SDP. It is an object-oriented approach to SDP declaration, manipulation and serialization.
- RTCall.js — A library for Browser-to-Browser audio-only calling
- MediaStreamRecorder.js — A cross-browser implementation to record audio/video streams. Demos
- Socket.io over Node.js — Demo
- WebSocket over Node.js — Demo
DataChannel
RTCMultiConnection-v1.4 Demos
RTCMultiConnection
- RTCMultiConnection-v1.3 test — Demo
- Customizing Bandwidth — Demo
- Users ejection and presence detection — Demo
- All-in-One test — Demo
- Multi-Session Establishment — Demo
- File Sharing + Text Chat — Demo
- Video Conferencing — Demo
- Video Broadcasting — Demo
- Audio Conferencing — Demo
- Audio Conferencing + File Sharing + Text Chat — Demo
- Join with/without camera — Demo
- Screen Sharing — Demo
- One-to-One file sharing — Demo
- Manual session establishment + extra data transmission — Demo
- Manual session establishment + extra data transmission + video conferencing — Demo
Experimental
One-page demos
- Switch streams from screen-sharing to audio+video. — Demo
- Share screen and audio/video from single peer connection! — Demo
- Text chat using RTCDataChannel APIs — Demo
- Direct video sharing without using external signaling methods — Demo
- Video sharing using socket.io for signaling — Demo
- Video sharing using websockets for signaling — Demo
- MediaStreamTrack.getSources — Demo
Documentations / Tutorials
- WebRTC PeerConnection Tutorial
- How to use RTCPeerConnection?
- How to use RTCDataChannel APIs?
- RTCDataChannel for Beginners
- WebRTC for Beginners
- WebRTC for Newbies
- How to video conferencing in WebRTC?
- How to share files using RTCDataChannel APIs?
- STUN or TURN? Which one to prefer; and why?
- WebRTC RTP Usage
- How to switch streams?
- How to echo cancellation? / Noise management?
from https://github.com/muaz-khan/WebRTC-Experiment