What the fuck, this leaked your real IP behind VPN since January 2014 and this isn't fixed yet? This sure looks like a Heartbleed-tier high-priority security hole to me. How is this not bigger news?
Leaking a client IP address is not even near the same universe of severity as remotely obtaining a web server's private TLS key. Given the lack of perfect forward secrecy used by web servers at the time, Heartbleed was a "read any encrypted traffic sent by the server, ever" issue.
WebRTC doesn't just leak the client IP address, it also leaks the public IP address of all network interfaces on the machine. If you're on a VPN, it can mean you leak your real IP address, too. Many Chinese use VPNs to circumvent censorship or participate in speech, so leaking your real IP address is potentially life threatening.
Yes, and Java can leak your real IP address and Flash can leak your real IP address.
If your attack scenario is trying to circumvent authoritative governments, don't use a web browser with extra features or plugins like WebRTC turned on.
"Hiding a user's true IP at all costs when they are using a VPN" is not a reasonable design expectation for mainstream browsers. They are fixing bugs and adding features. This is an extreme edge case at best for them.
You listed two things that are optional plugins and are being aggressively deprecated.
The vast majority of Chinese users who use VPNs aren't technologically savvy and just want to read the NYTimes or watch Netflix. Now any embedded ad or tracker can rat them out[1]. We shouldn't ask them to jump through 15 hoops or deal with the slowness of Tor. A VPN offers a very good compromise of ease vs. security for casual users.
It's not a leak. It's integral to the way WebRTC works. The purpose is to implement a highly-secure, multiplexed audio/video/data channel on top of IP. To do that, you must exchange publicly addressable IP addresses.
There are already forced opt-ins for accessing the microphones and cameras, this should probably be fully extended to require the user to opt-in when any WebRTC feature is used.
They leak the internal IP assigned to you by a VPN, which is not the same IP as the one seen by the websites you browse, nor is it the same as the IP assigned to you by your ISP.
Yes, the internal IP is leaked. But, also the IP assigned to you by your ISP is leaked (just tested with http://net.ipcalf.com/ & a vpn).
Though, I did test this on a college campus, so the network might just be leaking my internal IP, which ends up being my external IP also because of how they have the network set up. Which in hindsight is actually even scarier.
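To make the mechanism in the comments above concrete (the ICE address exchange described in the "It's not a leak" comment, and the internal-vs-ISP address distinction in the exchange just above), here is an added example; it is not code from this thread or from net.ipcalf.com. A page gathers ICE candidates from a throwaway RTCPeerConnection and each candidate line names an address and its type: `host` candidates are interface addresses on the machine (LAN, VPN tunnel), `srflx` candidates are what a STUN server saw, `relay` candidates are TURN addresses. The STUN URL, the timeout, and the sample candidate lines (RFC 5737 documentation addresses and private ranges) are assumptions made for this example; the gathering step only runs in a browser and is guarded so the file also runs under Node on the constructed sample.

```javascript
// Added example: classify the addresses a page learns from ICE candidate lines.
// Not code from the thread or from net.ipcalf.com.

// RFC 5245 candidate-attribute grammar (the 'a=' prefix is optional because the
// browser's RTCIceCandidate.candidate string omits it):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <a> rport <p>] ...
const CANDIDATE_RE =
  /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line);
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    protocol: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],            // host: interface IP; srflx: STUN-observed IP; relay: TURN IP
    port: Number(m[6]),
    type: m[7],               // host | srflx | prflx | relay
    relatedAddress: m[8] || null,   // for srflx/relay: the base (local) address behind it
    relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// Group unique addresses by candidate type so the "internal" (host) and
// "as seen from outside" (srflx) addresses can be read off directly.
function classifyAddresses(lines) {
  const out = { host: new Set(), srflx: new Set(), prflx: new Set(), relay: new Set() };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && out[c.type]) out[c.type].add(c.address);
  }
  return Object.fromEntries(Object.entries(out).map(([k, v]) => [k, [...v]]));
}

// Constructed sample (assumption): what a machine with a LAN interface and a VPN
// tunnel interface might emit. Uses private and RFC 5737 documentation ranges only.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 UDP 2122260223 192.168.1.23 54321 typ host',   // physical LAN interface
  'candidate:2 1 UDP 2122194687 10.8.0.6 54322 typ host',       // VPN-assigned tunnel address
  'candidate:3 1 UDP 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321', // STUN saw this
  'candidate:4 1 UDP 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321',    // TURN relay
  'not a candidate line',                                       // ignored by the parser
];

// Browser only: open a throwaway RTCPeerConnection against an assumed STUN server,
// let ICE gathering run, and return the raw candidate strings. No media permission
// prompt is involved; a data channel alone is enough to start gathering.
function gatherCandidates(stunUrl = 'stun:stun.example.org:3478', timeoutMs = 3000) {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve([]); // e.g. under Node
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    let timer;
    const finish = () => { clearTimeout(timer); pc.close(); resolve(lines); };
    pc.createDataChannel('probe');
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.onicegatheringstatechange = () => { if (pc.iceGatheringState === 'complete') finish(); };
    timer = setTimeout(finish, timeoutMs);
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(finish);
  });
}

// Stand-alone run: real candidates in a browser, the constructed sample elsewhere.
gatherCandidates().then((lines) => {
  const learned = lines.length ? lines : SAMPLE_CANDIDATES;
  console.log(JSON.stringify(classifyAddresses(learned), null, 2));
});
```

Pasted into a browser console it prints the addresses that any script on the page, including an embedded ad or tracker, could collect without a permission prompt. Two caveats for anyone re-testing this today: current Chrome and Firefox replace the IP in `host` candidates with an mDNS `.local` name by default, so the internal addresses in the sample above are only visible on older browsers or with that protection disabled, and the `srflx` address is whatever the STUN request egressed from, so it reveals the ISP address only if UDP to the STUN server bypasses the VPN tunnel.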
Approximately nobody outside the tech industry uses VPNs to hide their real IPs (the number of people using VPNs, period, is relatively tiny compared to the overall population of the internet); approximately everybody who uses the internet uses HTTPS.
By nobody you of course mean "nobody in the US". You're forgetting about the people of China and other states with widespread Internet censorship for whom this leak might not only be critical, but possibly life-threatening.