VPNs are great for security, but one of the big reasons many people use one is to mask or change their IP address. This lets a user get around location-based restrictions on content, or check whether his provider is checking his connection.
Unfortunately, a new security flaw can reveal a user’s real IP address to curious eyes, even if he is using a VPN, and it’s easy to exploit.
What’s All This Now? Is My Data At Risk?
A Virtual Private Network, or VPN, is great for encrypting a user’s data and boosting security, but it’s also useful for obscuring the IP address. The IP address is assigned to an internet connection by the service provider, and it can reveal who the service provider is and where the user is located. If a user has ever visited YouTube and been told, sorry, this video isn’t available in his country, or tried to sign up for a new service only to find out that his country isn’t supported, the IP address is how they know.
Many people use VPNs specifically to get around those location restrictions. When a user signs in to a VPN, he can usually choose an “exit server,” or a location where his VPN will “pretend” he is actually located. Usually that’s enough to convince a service he is in a supported country. However, a recently discovered security flaw allows remote sites to take advantage of WebRTC to reveal a user’s true IP address, even if he is connected to a VPN. The sites aren’t taking advantage of the flaw yet, but considering services like Hulu, Spotify, Netflix, and others are taking steps to identify and lock out VPN users.
How Can I Protect Myself?
Luckily, a user doesn’t have to wait for VPN providers to address the issue on their end to protect himself. There are a number of things a user can do right now, and most of them are as easy as installing a plug-in or disabling WebRTC in a browser.
A user’s device now has both an IPv4 (standard) IP address and a new IPv6 address. Many VPNs only support IPv4 traffic and could route IPv6 traffic insecurely (outside the VPN tunnel). This could expose the user’s true identity or location without his knowledge. There are two options (we recommend doing both):
- Choose a VPN with IPv6 leak protection (PIA, NordVPN, IPVanish)
- Disable IPv6 traffic on a router or computer (Windows / Mac)
WebRTC is a protocol that lets the web browser control attachments like a webcam. But it can also be used maliciously to trick a browser into exposing a user’s non-VPN IP address. The only solution is to disable WebRTC in the specific browser being used.
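How this exposure shows up in practice, as an added example that is not part of the original article: during connection setup the browser gathers ICE candidates, each carrying an address, and the JavaScript below audits candidate lines from a self-test against the VPN's exit address. The sample lines, the exit IP and all function names are constructed for illustration (documentation address ranges); the same pass also flags a public IPv6 address of the kind an IPv4-only VPN would leave outside the tunnel.

```javascript
// Added example (not from the article). Candidate grammar, RFC 8839:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { address: m[5].toLowerCase(), type: m[7].toLowerCase() } : null;
}

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns";       // browser-obfuscated host address
  if (addr.includes(":")) {                           // IPv6
    if (addr === "::1") return "loopback";
    if (/^fe[89ab]/.test(addr)) return "link-local";  // fe80::/10
    if (/^f[cd]/.test(addr)) return "private";        // fc00::/7
    return "public";
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  if (o[0] === 127) return "loopback";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  const rfc1918 = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
                  (o[0] === 192 && o[1] === 168);
  return rfc1918 ? "private" : "public";
}

// A public address that is not a known VPN exit address is a leak; a private
// address reveals the LAN or tunnel address only. Addresses are compared as
// text, so write IPv6 exit addresses in the same form the browser prints.
function auditCandidates(lines, vpnExitIps) {
  const allowed = new Set(vpnExitIps.map((ip) => ip.toLowerCase()));
  return lines.map(parseCandidate).filter(Boolean).map((c) => {
    const scope = classifyAddress(c.address);
    let verdict = "ok";
    if (scope === "public" && !allowed.has(c.address)) verdict = "leak";
    else if (scope === "private") verdict = "local-only";
    return { ...c, scope, verdict };
  });
}

// Constructed sample: candidate lines as a self-test page would collect them.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3c4d5e6f-1111-2222-3333-444455556666.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.77 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052351 198.51.100.10 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "candidate:5 1 udp 2122262783 2001:db8:abcd::5 54323 typ host",
];
const report = auditCandidates(SAMPLE_CANDIDATES, ["198.51.100.10"]); // assumed VPN exit IP
console.log(report.filter((r) => r.verdict === "leak"));
```

With WebRTC disabled in the browser, no candidate lines are produced at all, which is the result the fixes below aim for.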
A user’s computer uses DNS (Domain Name System) requests to translate domain names (like vpnuniversity.com) into numerical IP addresses. DNS is like a phonebook for the internet. But the ISP tries to intercept DNS requests and route them to its own DNS servers (allowing it to spy on a user’s browsing history).
Due to a weakness in the DNS protocol, some VPNs allow this unless their software takes steps to block DNS leaks and force the VPN to route DNS lookups only to secure DNS servers.
So, a user will have to choose a VPN with DNS leak protection or specify his own custom DNS servers on a router.
The Easiest Ways to Disable WebRTC in a Browser
Chrome, Firefox, and Opera (and browsers based on them) generally have WebRTC enabled by default. Safari and Internet Explorer don’t, and thus aren’t affected unless a user has specifically enabled WebRTC. A user can always switch to a browser that doesn’t have WebRTC enabled, but since most of us like the browsers we use, here’s what to do:
- Chrome and Opera: Install the ScriptSafe extension from the Chrome Web Store. It’s overkill, but it’ll disable WebRTC in a browser. Opera users can use this add-on as well; they will just have to jump through some hoops first.
- Firefox: A user has two options: he can install the Disable WebRTC add-on from Mozilla Add-ons or disable WebRTC directly by opening a tab.
While Roeseler notes that privacy-protecting browser extensions like AdBlock, uBlock, Ghostery, and Disconnect don’t stop this behavior, these methods will definitely do the job. We’ve tested them to make sure they work, and keep an eye out: a favorite ad blocker or privacy add-on will likely update to block WebRTC in the near future.
But disabling WebRTC may break some web apps and services. Browser-based apps that use a microphone and camera (like some chat sites or Google Hangouts), or that automatically know a user’s location (like food delivery sites), will stop working until he enables it again.
Other Ways to Check a VPN’s Security
Whoer – Whoer is our favorite way to truly test a VPN and browser combined. This is an extended test that can seem a little scary, but it’s super easy. Once a user visits the webpage, he will want to scroll down a little and look for the block labeled ‘Interactive Detection.’ Don’t mind what is or isn’t checked and enabled. Click the green run test button right next to the words ‘Interactive Detection.’ Whoer will check whether a user has Flash, Java, WebRTC, etc. enabled and try to use each one. It reaches out to sources within a user’s browser and returns the IP it detects. Ensure that either no IP address is detected or only the VPN IP address appears. If any IP address other than the VPN’s appears, then it is leaking and one will have to visit the VPN leaks section.
DNS leak test – The best website to test for the most common and critical leak of all, the DNS leak. Do the extended DNS leak test; yes, the test can take some time or even freeze, so one has to be patient. Now, this is where things can get a little spooky. Take a look and ensure that none of the possible dozen DNS servers that may show up is related to the Internet Service Provider (ISP). A user may see an array of DNS hosts, anything from Google to bizarre-sounding names; this is good. The only thing we need to ensure is that the DNS is not a personal DNS; if it is, then check the VPN leaks section for solutions.
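The check described above, as an added example that is not part of the original article: given the resolver addresses a DNS leak test reports, the JavaScript below flags any that fall inside the ISP's address ranges. The prefixes, resolver addresses and function names are constructed for illustration (documentation ranges); real prefixes would have to come from the ISP's and the VPN provider's own published ranges, and the matcher handles IPv4 only.

```javascript
// Added example (not from the article): classify resolvers from a DNS leak test.

// Convert dotted-quad IPv4 text to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, n) => ((acc << 8) | n) >>> 0, 0);
}

// True when ip lies inside the CIDR prefix, e.g. "203.0.113.0/24".
function inCidr(ip, cidr) {
  const [net, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// A resolver inside the ISP's ranges means lookups are leaving the tunnel.
// Third-party resolvers are reported but, as the text says, are not a leak.
function classifyResolvers(resolvers, ispPrefixes, vpnPrefixes) {
  return resolvers.map((ip) => {
    let owner = "third-party";
    if (ispPrefixes.some((p) => inCidr(ip, p))) owner = "isp";
    else if (vpnPrefixes.some((p) => inCidr(ip, p))) owner = "vpn";
    return { ip, owner, leak: owner === "isp" };
  });
}

// Constructed inputs (documentation address ranges, not real providers).
const ISP_PREFIXES = ["203.0.113.0/24"];
const VPN_PREFIXES = ["198.51.100.0/25"];
const REPORTED = ["198.51.100.53", "203.0.113.1", "192.0.2.8", "198.51.100.200"];
const dnsReport = classifyResolvers(REPORTED, ISP_PREFIXES, VPN_PREFIXES);
console.log(dnsReport.filter((r) => r.leak));
```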