Virtual Private Networks, or VPNs, turn out to be less private than the name suggests, and not just because service providers may keep more records than they acknowledge.
Security researcher Paolo Stagno, also known as VoidSec, has found that 23 per cent (16 out of 70) of VPNs tested leak users’ IP address via WebRTC.
The protocol is often employed with the ICE (Interactive Connectivity Establishment) framework and STUN (Session Traversal Utilities for NAT) servers, among other options.
VPNs use the STUN server to translate between the VPN user’s local IP address and the public IP address in much the same way that a home router acts as a network intermediary between local devices and the external internet.
VPNs are so insecure you might as well wear a KICK ME sign
According to Stagno, WebRTC can be queried to return information that should remain private.
“WebRTC allows requests to be made to STUN servers which return the ‘hidden’ home IP-address as well as local network addresses for the system that is being used by the user,” he said in a post on Tuesday.
The list of leaky VPNs is available on VoidSec’s website.
Stagno suggests disabling WebRTC, among other measures to protect privacy. In Chrome, that requires an extension, such as uBlock Origin. In other browsers, the fixes vary.
Those in the security industry tend to frown on commercial VPN providers on the basis that they don’t always act in their customers’ interests. Some log your activity, some track you to push ads your way, and some are just plain insecure. Free ones in particular should be avoided.