These days there is a page that demonstrates how WebRTC leaks IP addresses without approval from the user. [1] And there has been a bug about this since long ago. [2]

There are two concerns with this leakage:
1. It can leak the private local IP address to the web, which is a notable fingerprint.
2. It leaks the real IP address of the user even if the user is behind a VPN.

I think both of them are critical problems, and we should raise a corresponding concern about them. This information has been exposed to the web on Release since long ago.

I remember we and WHATWG rejected landing of navigator.hardwareConcurrency [3] mostly because it exposes the number of cores [4][5], which in my opinion is not that private, and not a significant fingerprint if we are allowed to lie about this value. But this leakage is absolutely a large fingerprint.

I think we should at least ask the user for permission before we provide any of this information to the website.

[1] https://diafygi.github.io/webrtc-ips/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=959893
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1008453
[4] https://groups.google.com/d/msg/mozilla.dev.platform/QnhfUVw9jCI/PEFuf5a_0YQJ
[5] http://lists.w3.org/Archives/Public/public-whatwg-archive/2014May/0025.html

- Xidorn
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
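
What the two concerns in the message above look like in the ICE candidate lines a WebRTC session produces, as an added example that is not part of the original post: it parses candidate lines (RFC 5245 syntax) and separates private host addresses from public ones. The SDP sample, its addresses and all function names are constructed for illustration.

```javascript
// Added example: audit which addresses a set of ICE candidate lines exposes.
// SAMPLE_SDP is constructed; addresses come from RFC 1918 and RFC 5737 ranges.
const SAMPLE_SDP = [
  'v=0',
  'a=candidate:1 1 udp 2122260223 192.168.1.23 54400 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.7 54400 typ srflx raddr 192.168.1.23 rport 54400',
  'a=candidate:3 1 udp 2122194687 10.8.0.6 54401 typ host',
].join('\r\n');

// Classify an IPv4 literal; IPv6 and hostnames are reported as 'other'.
function addressScope(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return 'other';
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) {
    return 'private';
  }
  if (a === 127) return 'loopback';
  if (a === 169 && b === 254) return 'link-local';
  return 'public';
}

// Extract address, port and candidate type from each candidate line.
function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
    if (!m) continue; // not a candidate line
    out.push({ address: m[5], port: Number(m[6]), type: m[7], scope: addressScope(m[5]) });
  }
  return out;
}

// Concern 1: private addresses in host candidates (local-network fingerprint).
// Concern 2: public addresses in any candidate (the address seen from outside).
function exposureReport(sdp) {
  const c = parseCandidates(sdp);
  return {
    localAddresses: c.filter((x) => x.type === 'host' && x.scope === 'private').map((x) => x.address),
    publicAddresses: c.filter((x) => x.scope === 'public').map((x) => x.address),
  };
}

console.log(exposureReport(SAMPLE_SDP));
```

Running the same report over the candidates a browser build emits is a quick way to check whether a mitigation, such as a permission prompt before address gathering, actually removes these entries.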