Opened 4 years ago

Closed 3 years ago

#16669 closed defect (wontfix)

check.torproject.org should have WebRTC IPv4 and IPv6 address leak detection to protect Orbot VPN users

Reported by: diafygi
Owned by: arlolra
Priority: High
Milestone:
Component: Applications/Tor Check
Version:
Severity: Normal
Keywords:
Cc: diafygi, amoghbl1, n8fr8
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Orbot for Android offers an option to use Tor as a VPN. This is great because Orweb is End-of-Life, and other browsers don't allow configuring proxies, and the VPN feature also tunnels traffic for apps through Tor.

However, the Android's VPN feature doesn't hide the IP addresses from WebRTC's STUN requests. This means that Orbot users will still leak their IP addresses when using the VPN feature and using a browser with WebRTC capabilities.

Here's the proof-of-concept I wrote to detect IP addresses via WebRTC. Please include this test code in your https://check.torproject.org/ website, so that users who are stuck using regular browsers on Android can know about the IP address leak.

https://github.com/diafygi/webrtc-ips

Child Tickets

Attachments (3)

Screenshot_2015-07-25-11-14-38.png (149.5 KB) - added by diafygi 4 years ago.
Orbot VPN feature (Apps button) enabled
Screenshot_2015-07-25-11-14-00.png (81.3 KB) - added by diafygi 4 years ago.
check.torproject.org showing successfully on Tor network
Screenshot_2015-07-25-11-27-26.png (76.5 KB) - added by diafygi 4 years ago.
WebRTC still leaking IPv4 and IPv6 addresses
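
As an added example (not part of the ticket or of diafygi's proof-of-concept), here is one way a check page could classify the addresses exposed in WebRTC ICE candidate strings and compare them with the address the server observed. The function names, `observedIp` and the sample candidate lines are assumptions constructed for illustration; in a browser the lines would come from an `RTCPeerConnection`'s `icecandidate` events.

```javascript
// Added example: classify addresses exposed in WebRTC ICE candidate lines.
// Sample addresses are constructed (RFC 5737 / RFC 3849 documentation ranges).

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), type: f[7] };
}

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // obfuscated host candidate
  if (addr.includes(":")) {
    if (addr === "::1") return "loopback";
    if (/^fe[89ab][0-9a-f]:/.test(addr)) return "link-local"; // fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(addr)) return "private"; // fc00::/7
    return "public";
  }
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return "invalid";
  const o = addr.split(".").map(Number);
  if (o.some((n) => n > 255)) return "invalid";
  if (o[0] === 127) return "loopback";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  const rfc1918 = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
  return rfc1918 ? "private" : "public";
}

// observedIp (assumed input): the address the check page's server saw for this client.
function leakReport(candidateLines, observedIp) {
  const seen = new Map();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (c) seen.set(c.address, classifyAddress(c.address));
  }
  const addresses = [...seen].map(([address, kind]) => ({ address, kind }));
  // A public address other than the one the server saw is exposed to the page.
  const leaked = addresses.filter((a) => a.kind === "public" && a.address !== observedIp.toLowerCase());
  return { addresses, leaked, leaking: leaked.length > 0 };
}

const sampleCandidates = [ // constructed
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122194687 2001:db8::10 54322 typ host",
  "candidate:4 1 udp 2122260223 3f1c2a9e-0000-4000-8000-000000000001.local 54323 typ host",
];
console.log(leakReport(sampleCandidates, "203.0.113.50"));
```

Private and mDNS addresses appear in `addresses` but are not counted in `leaked`; a page could still choose to display them.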


Change History (7)

Changed 4 years ago by diafygi

Orbot VPN feature (Apps button) enabled

Changed 4 years ago by diafygi

check.torproject.org showing successfully on Tor network

Changed 4 years ago by diafygi

WebRTC still leaking IPv4 and IPv6 addresses

comment:1 Changed 4 years ago by diafygi

Component: Website → Tor Check
Owner: changed from Sebastian to arlolra

comment:2 Changed 4 years ago by diafygi

Cc: diafygi added

comment:3 Changed 4 years ago by arlolra

Cc: amoghbl1 n8fr8 added

Thanks for the research and suggestion.

Orweb is being replaced by Orfox, a port of Tor Browser for Android. If it's susceptible to this leak, that would indeed be a pretty major bug. I've cc'd the developers to verify that it is not the case.

> However, the Android's VPN feature doesn't hide the IP addresses from WebRTC's STUN requests. This means that Orbot users will still leak their IP addresses when using the VPN feature and using a browser with WebRTC capabilities.

I think this is analogous to the desktop situation where the recommendation is to use Tor Browser, full stop. It goes to great pains to ensure a safe browsing environment, only one of which is preventing proxy leaks. While a warning for this particular issue might be nice, a positive result on check.tpo should never be taken as an indication that all is well.

comment:4 Changed 3 years ago by arlolra

Resolution: wontfix
Severity: Normal
Status: new → closed