Note
1. Raw data on the WebRTC evaluation of IP address leaks
1.1. Reminder about the network configuration
1.2. Reminder about the client configurations
1.3. Data organisation
2. Raw data on the performance evaluation of the containerised solution
2.1. Reminder about the client configurations
2.2. Data organisation
References
For privacy purposes, all public IP addresses have been anonymised using those reserved for documentation given in RFC 5737 for IPv4 [1] and RFC 3849 for IPv6 [2].
| Public IPv4 address | Public IPv6 address | Private IPv4 address | Operating System | Architecture | Service | Version | Listening port |
|---|---|---|---|---|---|---|---|
| 192.0.2.1 | 2001:db8::1 | 10.132.0.8 | Ubuntu Server 22.04 LTS | arm64 | coturn | 4.5.2 | 5349 (TLS) |
| 192.0.2.1 | 2001:db8::1 | 10.132.0.8 | Ubuntu Server 22.04 LTS | arm64 | TShark | 4.2.5 | N/A |
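| Public IPv4 address | Public IPv6 address | Private IPv4 address | Operating System | Architecture | Service | Version | Listening port | Virtual private IPv4 network | Virtual private IPv6 network |
|---|---|---|---|---|---|---|---|---|---|
| 198.51.100.1 | 2001:db8::2 | 192.168.1.91 | Ubuntu Server 24.04 LTS | arm64 | OpenVPN UDP | 2.6.9 | 1194 | 10.7.0.0/24 | fddd:1194:1194:1194::/64 |
| 198.51.100.1 | 2001:db8::2 | 192.168.1.91 | Ubuntu Server 24.04 LTS | arm64 | WireGuard | 1.0.20210914 | 2050 | 10.8.0.0/24 | fd4c:61b4:9648::/64 |
| 198.51.100.1 | 2001:db8::2 | 192.168.1.91 | Ubuntu Server 24.04 LTS | arm64 | Dante SOCKS5 proxy | 1.4.3 | 1080 | N/A | N/A |
| 198.51.100.1 | 2001:db8::2 | 192.168.1.91 | Ubuntu Server 24.04 LTS | arm64 | mitmproxy HTTP/HTTPS proxy | 8.1.1 | 8081 | N/A | N/A |
| 198.51.100.1 | 2001:db8::2 | 192.168.1.91 | Ubuntu Server 24.04 LTS | arm64 | TShark | 4.2.5 | N/A | N/A | N/A |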
Each VPN (OpenVPN and WireGuard) provides one IPv4 tunnel per client, with IPv4 and IPv6 packet forwarding made possible by its IPv4 and IPv6 virtual networks. Each VPN therefore gives its client a virtual interface carrying a private IPv4 address and a private IPv6 address.
The leak evaluation was carried out on Linux Ubuntu 22.04 LTS, Microsoft Windows 11 23H2 and macOS Sonoma 14.5. Full details of the software and versions used in this evaluation are described in the table below:
| Linux | | Windows | | macOS | |
|---|---|---|---|---|---|
| Machine | Dell Latitude 5520 (2022) | Machine | Dell Latitude 5540 (2023) | Machine | Apple MacBook Pro (13-inch, 2022) |
| CPU | Intel Core i5-1145G7 @ 2.60 GHz | CPU | Intel Core i5-1335U @ 1.30 GHz | CPU | Apple M2 |
| RAM | 16 GiB | RAM | 8 GiB | RAM | 16 GiB |
| GPU | Intel® Iris® Xe Graphics | GPU | Intel® Iris® Xe Graphics | GPU | Apple M2 |
| Screen resolution | 1920x1080 | Screen resolution | 1920x1080 | Screen resolution | 2560x1600 |
| Host OS | Ubuntu Desktop 22.04 LTS | Host OS | Windows 11 Pro 23H2 | Host OS | macOS Sonoma 14.5 |
| Architecture | x86-64 | Architecture | x86-64 | Architecture | arm64 |
| Network configurations | | | | | |
| Ethernet IPv4 address | 203.0.113.20 | Ethernet IPv4 address | 203.0.113.20 | Ethernet IPv4 address | 203.0.113.20 |
| Ethernet temporary IPv6 address | 2001:db8::20 | Ethernet temporary IPv6 address | 2001:db8::20 | Ethernet temporary IPv6 address | 2001:db8::20 |
| Ethernet permanent IPv6 address | 2001:db8::21 | Ethernet permanent IPv6 address | 2001:db8::21 | Ethernet permanent IPv6 address | 2001:db8::21 |
| Wi-Fi IPv4 address | 203.0.113.30 | Wi-Fi IPv4 address | 203.0.113.30 | Wi-Fi IPv4 address | 203.0.113.30 |
| Wi-Fi temporary IPv6 address | 2001:db8::30 | Wi-Fi temporary IPv6 address | 2001:db8::30 | Wi-Fi temporary IPv6 address | 2001:db8::30 |
| Wi-Fi permanent IPv6 address | 2001:db8::31 | Wi-Fi permanent IPv6 address | 2001:db8::31 | Wi-Fi permanent IPv6 address | 2001:db8::31 |
| Natively installed browsers on the host client | | | | | |
| Mozilla Firefox | v125.0.3 | Mozilla Firefox | v125.0.3 | Mozilla Firefox | v125.0.3 |
| Google Chrome | v126.0.6478.126 | Google Chrome | v126.0.6478.127 | Google Chrome | v126.0.6478.127 |
| Microsoft Edge | v126.0.2592.81 | Microsoft Edge | v126.0.2592.81 | Microsoft Edge | v126.0.2592.81 |
| Opera | v111.0.5168.55 | Opera | v111.0.5168.55 | Opera | v111.0.5168.55 |
| Brave Browser | v1.67.123 | Brave Browser | v1.67.123 | Brave Browser | v1.67.123 |
| | | | | Safari | v17.5 |
| VPN and SOCKS clients | | | | | |
| OpenVPN UDP client | OpenVPN 2.5.9 | OpenVPN UDP client | OpenVPN GUI v11.48.0.0 | OpenVPN UDP client | Tunnelblick 4.0.1 |
| WireGuard client | v1.0.20210914 | WireGuard client | v0.5.3 | WireGuard client | v1.0.16 |
| Mozilla Firefox built-in SOCKS client | v125.0.3 | Mozilla Firefox built-in SOCKS client | v125.0.3 | Mozilla Firefox built-in SOCKS client | v125.0.3 |
| Mozilla Firefox built-in HTTP/S client | v125.0.3 | Mozilla Firefox built-in HTTP/S client | v125.0.3 | Mozilla Firefox built-in HTTP/S client | v125.0.3 |
| Containerised Mozilla Firefox solution via docker | | | | | |
| Docker image | Ubuntu Server 22.04 LTS | Docker image | Ubuntu Server 22.04 LTS | Docker image | Ubuntu Server 22.04 LTS |
| Docker image architecture | x86-64 | Docker image architecture | x86-64 | Docker image architecture | arm64 |
| Containerised Firefox | v125.0.3 | Containerised Firefox | v125.0.3 | Containerised Firefox | v125.0.3 |
| Docker Engine | v26.1.4 | Docker Desktop | v4.30.0 | Docker Desktop | v4.30.0 |
| Docker Compose | v2.27.1 | | | | |
| Host Wayland compositor | Mutter v42.9 | Host Wayland compositor | Weston (provided by WSLg) GitHub commit f227edd6 | Host Wayland compositor | N/A |
| Host X server (X.Org/XWayland) | | Host X server (XWayland) | | Host X server (XQuartz) | v2.8.5 |
| Host PulseAudio server | PulseAudio (on PipeWire 0.3.48) | Host PulseAudio server | (provided by WSLg) GitHub commit 6f045ff0 | Host PulseAudio server | v17.0 |
| | | WSL 2 | v2.2.4.0 | | |
| | | WSL 2 Linux Kernel with camera driver support | v5.15.153.1 | | |
| | | WSLg | v1.0.61 | | |
In the `1-webrtc-leak-data` folder, the data are classified as follows:
- 1 - Major web browser leaks, corresponding to raw leak data on the various popular web browsers on the market.
- 2 - MF diff confs leaks, corresponding to raw data from the vanilla Firefox web browser in different configurations (with or without VPN, SOCKS, containerised or not...).
- 3 - Compro MF diff confs leaks, corresponding to raw data from the compromised Firefox web browser in different configurations (vanilla, with or without VPN, SOCKS, containerised or not...).
where
MF = Mozilla Firefox;
Compro = Compromised;
diff confs = different configurations.
Each configuration tested has two folders: `ClientData` and `STUN-TURN-ServersData`.
The data generated by the WebRTC clients is located in the `ClientData` folder. It consists of the final list of ICE candidates created by the WebRTC clients (file `ice-candidates.txt`) and the traffic data captured by Wireshark for STUN/TURN requests and responses at the client interfaces. There is one capture file per mode tested (RFC 8828 [3] & draft-uberti-ip-handling-ex-mdns-00 [4]), named `[default|forced]-modeX-stun-turn.pcapng`, where `X` is the mode number and, if present, `UC` stands for user consent and `NUC` for no user consent (handled by `getUserMedia()` [5]).
The traffic data captured by Wireshark on the STUN/TURN server side (located at the same IPv4 and IPv6 addresses) is located in the `STUN-TURN-ServersData` folder. The naming rule is `name-of-the-configuration-tested-mode-X.pcapng` and, if present, `UC` stands for user consent and `NUC` for no user consent (handled by `getUserMedia()` [5]).
If `UC` and `NUC` are not present, then the consent is defined by the mode [3, 4].
The list of interfaces on the client machine, with their associated information as it was at test time, is given in the `ip-addr-interfaces-[host|docker-(default|forced)-modeX].txt` file. This file is placed either at the root of a set of tests, if the machine configuration does not change across that set, or in the `ClientData` folder associated with a particular test.
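One way to triage the ICE candidates in a `ClientData` folder against the address plan in the tables above, as an added example that is not part of the dataset or the authors' tooling. It assumes `ice-candidates.txt` holds standard `candidate:` attribute lines (RFC 8839); the label names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

ip, net = ipaddress.ip_address, ipaddress.ip_network
# Address plan copied from the tables on this page (anonymised values).
PHYSICAL = {ip(a) for a in ("203.0.113.20", "203.0.113.30", "2001:db8::20",
                            "2001:db8::21", "2001:db8::30", "2001:db8::31")}
VPN_NETS = {"OpenVPN": [net("10.7.0.0/24"), net("fddd:1194:1194:1194::/64")],
            "WireGuard": [net("10.8.0.0/24"), net("fd4c:61b4:9648::/64")]}
VPN_SERVER = {ip("198.51.100.1"), ip("2001:db8::2")}
TURN_SERVER = {ip("192.0.2.1"), ip("2001:db8::1")}
# candidate-attribute (RFC 8839): foundation component transport priority
# address port "typ" type ["raddr" related-address ...]
CAND_RE = re.compile(
    r"candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\w+)(?: raddr (\S+))?", re.I)

def classify(value):
    """Label one candidate address against the address plan above."""
    if value.lower().endswith(".local"):
        return "mdns"                      # obfuscated host candidate
    try:
        addr = ip(value)
    except ValueError:
        return "unparsed"
    if addr in PHYSICAL:
        return "physical"                  # real Ethernet/Wi-Fi address exposed
    for name, nets in VPN_NETS.items():
        if any(addr in n for n in nets):
            return "vpn:" + name
    if addr in VPN_SERVER:
        return "vpn-server"
    return "turn-server" if addr in TURN_SERVER else "other"

def audit(lines):
    """Return (type, field, value, label) for every address in the lines."""
    out = []
    for line in lines:
        m = CAND_RE.search(line)
        if m:
            value, typ, raddr = m.groups()
            out += [(typ.lower(), f, v, classify(v))
                    for f, v in (("address", value), ("raddr", raddr)) if v]
    return out

def leaked(lines):
    """Physical-interface addresses that appear in any candidate."""
    return sorted({v for _, _, v, lab in audit(lines) if lab == "physical"})

SAMPLE = [  # constructed lines, not taken from the dataset
    "candidate:0 1 UDP 2122252543 203.0.113.20 50000 typ host",
    "candidate:1 1 UDP 2122187007 10.7.0.2 50001 typ host",
    "candidate:2 1 UDP 1686052863 198.51.100.1 50001 typ srflx raddr 10.7.0.2 rport 50001",
    "candidate:3 1 UDP 2122252543 6f1c2d3e-0000-4000-8000-0123456789ab.local 50002 typ host",
    "candidate:4 1 UDP 92217087 192.0.2.1 50003 typ relay raddr 198.51.100.1 rport 50001",
    "candidate:5 1 UDP 2122252543 2001:DB8::21 50004 typ host",
]
```

The `raddr` field is checked as well as the candidate address, since a server-reflexive or relay candidate can carry a local address there even when its own address is the VPN or TURN server.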
Our containerised solution, initially designed for Linux, was later ported to macOS and Windows to demonstrate its viability on systems other than Linux. This is also why Docker was chosen, as it exists on these three operating systems.
The evaluation of the performance impact of our dockerised solution compared with running Firefox natively was carried out in these configurations:
| Linux | | Windows | | macOS | |
|---|---|---|---|---|---|
| Machine | Dell Latitude 5520 (2022) | Machine | Dell Latitude 5520 (2022) | Machine | Apple MacBook Pro (13-inch, 2022) |
| CPU | Intel Core i5-1145G7 @ 2.60 GHz | CPU | Intel Core i5-1145G7 @ 2.60 GHz | CPU | Apple M2 |
| RAM | 16 GiB | RAM | 16 GiB | RAM | 16 GiB |
| GPU | Intel® Iris® Xe Graphics | GPU | Intel® Iris® Xe Graphics | GPU | Apple M2 |
| Screen resolution | 1920x1080 | Screen resolution | 1920x1080 | Screen resolution | 2560x1600 |
| Host OS | Ubuntu Desktop 22.04 LTS | Host OS | Windows 11 Pro 23H2 | Host OS | macOS Sonoma 14.5 |
| Architecture | x86-64 | Architecture | x86-64 | Architecture | arm64 |
| Native Firefox | v125.0.3 | Native Firefox | v125.0.3 | Native Firefox | v125.0.3 |
| Docker image | Ubuntu Server 22.04 LTS | Docker image | Ubuntu Server 22.04 LTS | Docker image | Ubuntu Server 22.04 LTS |
| Docker image architecture | x86-64 | Docker image architecture | x86-64 | Docker image architecture | arm64 |
| Containerised Firefox | v125.0.3 | Containerised Firefox | v125.0.3 | Containerised Firefox | v125.0.3 |
| Docker Engine | v26.1.4 | Docker Desktop | v4.30.0 | Docker Desktop | v4.30.0 |
| Docker Compose | v2.27.1 | | | | |
| Host Wayland compositor | Mutter v42.9 | Host Wayland compositor | Weston (provided by WSLg) GitHub commit f227edd6 | Host Wayland compositor | N/A |
| Host X server (X.Org/XWayland) | | Host X server (XWayland) | | Host X server (XQuartz) | v2.8.5 |
| Host PulseAudio server | PulseAudio (on PipeWire 0.3.48) | Host PulseAudio server | (provided by WSLg) GitHub commit 6f045ff0 | Host PulseAudio server | v17.0 |
| | | WSL 2 | v2.2.4.0 | | |
| | | WSL 2 Linux Kernel with camera driver support | v5.15.153.1 | | |
| | | WSLg | v1.0.61 | | |
Raw data are available in the following folder: `2-performance-data`.
[1] J. Arkko, M. Cotton, and L. Vegoda, IPv4 Address Blocks Reserved for Documentation, Internet Engineering Task Force, Request for Comments RFC 5737, Jan. 2010. doi: 10.17487/RFC5737.
[2] G. Huston, A. Lord, and P. F. Smith, IPv6 Address Prefix Reserved for Documentation, Internet Engineering Task Force, Request for Comments RFC 3849, Jul. 2004. doi: 10.17487/RFC3849.
[3] J. Uberti, WebRTC IP Address Handling Requirements, Internet Engineering Task Force, Request for Comments RFC 8828, Jan. 2021. doi: 10.17487/RFC8828.
[4] J. Uberti, J. D. Borst, Q. Wang, and Y. Fablet, WebRTC IP Address Handling Extensions for Multicast DNS, Internet Engineering Task Force, Internet Draft draft-uberti-ip-handling-ex-mdns-00, Nov. 2018. Accessed: Feb. 27, 2024. [Online]. Available: https://datatracker.ietf.org/doc/draft-uberti-ip-handling-ex-mdns-00.
[5] Mozilla, MediaDevices: getUserMedia() method, MDN Web Docs. Accessed: Feb. 22, 2024. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia.