{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,19]],"date-time":"2026-05-19T14:48:03Z","timestamp":1779202083573,"version":"3.51.4"},"reference-count":46,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2020,5,22]],"date-time":"2020-05-22T00:00:00Z","timestamp":1590105600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>To establish peer-to-peer connections and achieve real-time web-based communication, the Web Real-Time Communication (WebRTC) framework requires address information of the communicating peers. This means that users behind, say, Network Address Translation (NAT) or firewalls normally rely on the Interactive Connectivity Establishment (ICE) framework for the sake of negotiating information about the connection and media transferring. This typically involves Session Traversal Utilities for NAT (STUN)\/Traversal using Relays around NAT (TURN) servers, which assist the peers with discovering each other\u2019s private and public IP:port, and relay traffic if direct connection fails. Nevertheless, these IP:port pieces of data can be easily captured by anyone who controls the corresponding STUN\/TURN server, and even more become readily available to the JavaScript application running on the webpage. While this is acceptable for a user that deliberately initiates a WebRTC connection, it becomes a worrisome privacy issue for those being unaware that such a connection is attempted. Furthermore, the application acquires more information about the local network architecture compared to what is exposed in usual HTTP interactions, where only the public IP is visible. Even though this problem is well-known in the related literature, no practical solution has been proposed so far. To this end, and for the sake of detecting and preventing in real time the execution of STUN\/TURN clandestine, privacy-invading requests, we introduce two different kinds of solutions: (a) a browser extension, and (b) an HTTP gateway, implemented in C++ as well as in Golang. Both solutions detect any WebRTC API call before it happens and inform accordingly the end-user about the webpage\u2019s intentions. We meticulously evaluate the proposed schemes in terms of performance and demonstrate that, even in the worst case, the latency introduced is tolerable.<\/jats:p>","DOI":"10.3390\/fi12050092","type":"journal-article","created":{"date-parts":[[2020,5,25]],"date-time":"2020-05-25T06:43:40Z","timestamp":1590389020000},"page":"92","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Neither Denied nor Exposed: Fixing WebRTC Privacy Leaks"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9673-0002","authenticated-orcid":false,"given":"Alexandros","family":"Fakis","sequence":"first","affiliation":[{"name":"Department of Information and Communication Systems Engineering, University of the Aegean, Karlovassi, 83200 Samos, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0142-7503","authenticated-orcid":false,"given":"Georgios","family":"Karopoulos","sequence":"additional","affiliation":[{"name":"European Commission, Joint Research Centre (JRC), 21027 Ispra, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6348-5031","authenticated-orcid":false,"given":"Georgios","family":"Kambourakis","sequence":"additional","affiliation":[{"name":"European Commission, Joint Research Centre (JRC), 21027 Ispra, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,5,22]]},"reference":[{"key":"ref_1","unstructured":"(2020, April 26). WebRTC 1.0: Real-Time Communication between Browsers. Available online: https:\/\/www.w3.org\/TR\/webrtc\/."},{"key":"ref_2","unstructured":"(2020, April 26). WebRTC Market. Available online: https:\/\/www.acumenresearchandconsulting.com\/webrtc-market."},{"key":"ref_3","unstructured":"(2020, April 26). Global WebRTC Market Will Reach USD 21,023 Million By 2025: Zion Market Research. Available online: https:\/\/www.globenewswire.com\/news-release\/2019\/02\/15\/1725959\/0\/en\/Global-WebRTC-Market-Will-Reach-USD-21-023-Million-By-2025-Zion-Market-Research.html."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Ker\u00e4nen, A., Holmberg, C., and Rosenberg, J. (2018). Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal, IETF. RFC 8445.","DOI":"10.17487\/RFC8445"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Petit-Huguenin, M., Salgueiro, G., Rosenberg, J., Wing, D., Mahy, R., and Matthews, P. (2020). Session Traversal Utilities for NAT (STUN), IETF. RFC 8489.","DOI":"10.17487\/RFC8489"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Reddy, K.T., Johnston, A., Matthews, P., and Rosenberg, J. (2020). Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN), IETF. RFC 8656.","DOI":"10.17487\/RFC8656"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Syverson, P., Dingledine, R., and Mathewson, N. (2004). Tor: The Second Generation Onion Router, Usenix Security.","DOI":"10.21236\/ADA465464"},{"key":"ref_8","unstructured":"Zantout, B., and Haraty, R. (2011, January 23\u201328). I2P data communication system. Proceedings of the ICN, St. Maarten, The Netherlands."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Liu, C., Cui, X., Wang, Z., Wang, X., Feng, Y., and Li, X. (2018, January 18\u201321). MaliceScript: A Novel Browser-Based Intranet Threat. Proceedings of the 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC), Guangzhou, China.","DOI":"10.1109\/DSC.2018.00039"},{"key":"ref_10","unstructured":"Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and Schooler, E. (2002). SIP: Session Initiation Protocol, IETF. Updated by RFCs 3265, 3853, 4320, 4916, 5393, 5621, 5626, 5630, 5922, 5954, 6026, 6141, 6665, 6878."},{"key":"ref_11","unstructured":"Uberti, J., Jennings, C., and Rescorla, E. (2019). JavaScript Session Establishment Protocol, IETF, Network Working Group. Work in Progress."},{"key":"ref_12","unstructured":"Johnston, A.B., and Burnett, D.C. (2012). WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web, Digital Codex LLC. [3rd ed.]."},{"key":"ref_13","unstructured":"Begen, A.C., Kyzivat, P., Perkins, C., and Handley, M.J. (2019). SDP: Session Description Protocol, IETF. Work in Progress."},{"key":"ref_14","unstructured":"Rescorla, E. (2019). Security Considerations for WebRTC, IETF, RTC-Web. Work in Progress."},{"key":"ref_15","unstructured":"(2020, April 26). AdBlock Plus. Available online: https:\/\/github.com\/adblockplus\/adblockplus."},{"key":"ref_16","unstructured":"Krasnyansky, M., and Yevmenkin, M. (2020, April 26). Virtual Point-to-Point (TUN) and Ethernet (TAP) Devices. Available online: http:\/\/vtun.sourceforge.net\/tun\/index.html."},{"key":"ref_17","unstructured":"TunnelBear LLC (2020, April 28). Tunnelbear. Available online: https:\/\/www.tunnelbear.com\/."},{"key":"ref_18","unstructured":"(2020, April 28). AnchorFree, Hotspot Shield. Available online: https:\/\/www.hotspotshield.com\/."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Al-Fannah, N.M. (2017, January 23\u201326). One leak will sink a ship: WebRTC IP address leaks. Proceedings of the 2017 International Carnahan Conference on Security Technology (ICCST), Madrid, Spain.","DOI":"10.1109\/CCST.2017.8167801"},{"key":"ref_20","unstructured":"Mohammadreza, H., and Mohammad, G. (2018, January 26\u201327). One leak is enough to expose them all. Proceedings of the Engineering Secure Software and Systems: 10th International Symposium, Campus Paris-Saclay, France."},{"key":"ref_21","unstructured":"(2020, April 26). Fix Shared VPN\/Tor Server Leak Bug. Available online: https:\/\/github.com\/adrelanos\/vpn-firewall\/issues\/12."},{"key":"ref_22","unstructured":"(2020, April 26). Media Capture and Streams. Available online: https:\/\/www.w3.org\/TR\/mediacapture-streams\/."},{"key":"ref_23","unstructured":"(2020, April 26). European Union Public Licence. Available online: https:\/\/ec.europa.eu\/info\/european-union-public-licence_en."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Leech, M.D. (1996). SOCKS Protocol Version 5, IETF. RFC 1928.","DOI":"10.17487\/rfc1928"},{"key":"ref_25","unstructured":"(2020, April 26). The Average Web Page Is 3MB. How Much Should We Care?. Available online: https:\/\/speedcurve.com\/blog\/web-performance-page-bloat."},{"key":"ref_26","unstructured":"(2020, April 26). 10 Ad Blocking Extensions Tested for Best Performance. Available online: https:\/\/www.raymond.cc\/blog\/10-ad-blocking-extensions-tested-for-best-performance\/3\/."},{"key":"ref_27","unstructured":"(2020, April 26). A Primer for Web Performance Timing APIs. Available online: https:\/\/w3c.github.io\/perf-timing-primer\/."},{"key":"ref_28","unstructured":"(2020, April 26). Coturn TURN Server Project. Available online: https:\/\/github.com\/coturn\/coturn."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Reiter, A., and Marsalek, A. (2017, January 4\u20136). WebRTC: Your privacy is at risk. Proceedings of the Symposium on Applied Computing, Marrakech, Morocco.","DOI":"10.1145\/3019612.3019844"},{"key":"ref_30","unstructured":"(2020, April 26). JSLanScanner. Available online: https:\/\/code.google.com\/archive\/p\/jslanscanner\/."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Hosoi, R., Saito, T., Ishikawa, T., Miyata, D., and Chen, Y. (2016, January 7\u20139). A browser scanner: Collecting intranet information. Proceedings of the 2016 19th International Conference on Network-Based Information Systems (NBiS), Ostrava, Czech Republic.","DOI":"10.1109\/NBiS.2016.10"},{"key":"ref_32","unstructured":"Fablet, Y., Borst, J.D., Uberti, J., and Wang, Q. (2019). Using Multicast DNS to Protect Privacy When Exposing ICE Candidates, IETF, RTCWEB. Work in Progress."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Cheshire, S., and Krochmal, M. (2013). Multicast DNS, IETF. RFC 6762.","DOI":"10.17487\/rfc6762"},{"key":"ref_34","unstructured":"(2020, April 26). EFForg\/Privacy Badger. Available online: https:\/\/github.com\/EFForg\/privacybadger."},{"key":"ref_35","unstructured":"Hill, R. (2020, April 26). uBlock Origin. Available online: https:\/\/github.com\/gorhill\/uBlock."},{"key":"ref_36","unstructured":"Klein, A., and Pinkas, B. (2019, January 14\u201316). From IP ID to Device ID and KASLR Bypass. Proceedings of the 28th USENIX Conference on Security Symposium (SEC\u201919), Santa Clara, CA, USA."},{"key":"ref_37","unstructured":"Obana, S., and Chida, K. (2017). Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability. Advances in Information and Computer Security, Springer International Publishing."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Englehardt, S., and Narayanan, A. (2016, January 24\u201328). Online Tracking: A 1-Million-Site Measurement and Analysis. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201916), Vienna, Austria.","DOI":"10.1145\/2976749.2978313"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Liu, X., Liu, Q., Wang, X., and Jia, Z. (2016, January 13\u201316). Fingerprinting Web Browser for Tracing Anonymous Web Attackers. Proceedings of the 2016 IEEE First, International Conference on Data Science in Cyberspace (DSC), Changsha, China.","DOI":"10.1109\/DSC.2016.78"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Alaca, F., and van Oorschot, P.C. (2016, January 5\u20139). Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods. Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC \u201916), Los Angeles, CA, USA.","DOI":"10.1145\/2991079.2991091"},{"key":"ref_41","first-page":"2","article-title":"Anonymity and closely related terms in the cyberspace: An analysis by example","volume":"19","author":"Kambourakis","year":"2014","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1016\/j.jnca.2009.07.004","article-title":"A framework for identity privacy in SIP","volume":"33","author":"Karopoulos","year":"2010","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"301","DOI":"10.1016\/j.csi.2010.07.002","article-title":"PrivaSIP: Ad-hoc identity privacy in SIP","volume":"33","author":"Karopoulos","year":"2011","journal-title":"Comput. Standards Interfaces"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Karopoulos, G., Fakis, A., and Kambourakis, G. (2014, January 8\u201312). Complete SIP Message Obfuscation: PrivaSIP over Tor. Proceedings of the 2014 Ninth International Conference on Availability, Reliability and Security (ARES), Fribourg, Switzerland.","DOI":"10.1109\/ARES.2014.36"},{"key":"ref_45","first-page":"969","article-title":"OnionSIP: Preserving Privacy in SIP with Onion Routing","volume":"23","author":"Fakis","year":"2017","journal-title":"J. Univ. Comput. Sci."},{"key":"ref_46","unstructured":"Rodriguez, P., Cervi\u00f1o, J., Trajkovska, I., and Salvach\u00faa, J. (2012, January 19\u201321). Advanced videoconferencing services based on webrtc. Proceedings of the IADIS International Conferences Web Based Communities and Social Media, Lisbon, Portugal."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/12\/5\/92\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T09:31:41Z","timestamp":1760175101000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/12\/5\/92"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,5,22]]},"references-count":46,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2020,5]]}},"alternative-id":["fi12050092"],"URL":"https:\/\/doi.org\/10.3390\/fi12050092","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,5,22]]}}}