So you think you’re anonymous online?

Think again.
Over the last couple years, Firefox and Google Chrome have been building out their browser features. Google Chrome has promoted their computer-to-computer calls and Google Hangouts. This month, Firefox introduced their Skype-like service named Hello. Both services employ a technology known as WebRTC and with it you’re losing your ability to remain anonymous online

WebRTC or Real-Time Communication is protocol that enables browsers to communicate with each other peer-to-peer. You’d normally use an intermediary platform like Skype to do this. Google released the code to the public in 2011 and that typically leads to lots of development, experiments, and sometimes unintended consequences.

Developers recently learned how to use WebRTC to identify a user’s private IP address, which is assigned to their PC or device by their Internet connected router. This is something that only users on the internal network would see. They also learned how to use it to detect proxy connections and identify both your proxy IP address and the address you are concealing: your Internet connection.

Below is what WebRTC can reveal about a proxy connection. This first example is a connection made through the desktop application HideMyAss VPN. You can see the private IP address of the PC and the proxy server, along with the IP addresses of the proxy and the user’s Internet connection:

Hidemyass VPN proxy IP address

Want to see if your browser is exposed? Check out our Reveal Proxy test page or the Github source.

This exposure is currently limited to browsers that use the Firefox and Chrome platforms and the key is whether or not JavaScript is enabled. Some versions of Opera, Internet Explorer, Maxathon, and other browsers are unaffected.



You’re at risk if you use a popular desktop VPN like HideMyAss, as shown above. However, we also tested another popular desktop application, CyberghostVPN and received different results.

CyberghostVPN proxy IP address

WebRTC revealed Cyberghost as proxy, but it did not reveal the source IP address in our tests.  Desktop apps generally do not tunnel your traffic and the browser picks this up. For the same reason, you’re also at risk if you use these browsers on TOR with JavaScript enabled.

It may be possible to disable JavaScript on-demand using an add-on, like NoScript for Firefox and WebRTC Block for Chrome.


For a certain fix, try a NAT firewall, which tunnels all traffic between your PC and a VPN server. You can also assign different tasks to your browsers and hold back on using Firefox or Chrome on a sensitive website.

The question is: Can website operators use WebRTC to detect your IP address? And, if so, should you be concerned?  It has been reported that webmasters can capture this information using an Ajax request (JavaScript). While the typical webmaster may not know or be interested in employing this, it should certainly be a consideration when coming in contact with sophisticated operators and web pages that host suspect content.