WebRTC privacy beyond IP leak

It is well known that WebRTC functionality in JavaScript exposes the IP address so that peer-to-peer communications such as video conferencing can occur. However, this functionality can be used for other purposes, such as tracking a person on the web who is trying to stay anonymous. There are browser plug-ins and browser settings that prevent this, short of the nuclear option of disabling JavaScript altogether. Disabling JavaScript is a valid option in certain security situations, but it breaks a lot of web sites, which then simply cannot be used in those situations.

I do not know if WebRTC’s device enumeration function can provide characteristics which fingerprint someone’s system. The website WebRTC Leak Test shows all information retrievable by the WebRTC JavaScript package, as of this date. You will see that unique device IDs are listed. Again, this is good functionality in the right situation, though.

I am asking security professionals about the security implications regarding device enumeration with WebRTC.  When I find out, I will post to the blog.

Edit: Oops!  I missed reading an important section on the WebRTC Leak Test.  https://browserleaks.com/webrtc#webrtc-device-id

It *is* a security issue that needs to be handled by various methods depending on the circumstances. There’s a statement on the website that only Chromium-based browsers (such as Chrome and now Opera) can be used to track users this way. However, I have to wonder, will this be implemented in other browsers? It’s yet another problem privacy-focused people need to carefully handle.
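
To check what your own browser hands to a page through the device enumeration discussed above, here is an added example (not code from this post's original text or from WebRTC Leak Test) that summarizes the output of `navigator.mediaDevices.enumerateDevices()`. The function names and the two sample device lists are constructed for illustration.

```javascript
// Added example: summarize what device enumeration exposes to a web page.
// Alias ids Chromium reports for audio devices; they name a role, not a device.
const ALIAS_IDS = new Set(["default", "communications"]);

// Pure function over the array that enumerateDevices() resolves to.
function summarizeDevices(devices) {
  const report = { total: devices.length, byKind: {}, persistentIds: 0,
                   labels: 0, groups: 0, exposesIdentifiers: false };
  const groups = new Set();
  for (const d of devices) {
    report.byKind[d.kind] = (report.byKind[d.kind] || 0) + 1;
    // A non-empty, non-alias deviceId identifies the device to this site.
    if (d.deviceId && !ALIAS_IDS.has(d.deviceId)) report.persistentIds += 1;
    if (d.label) report.labels += 1; // model names add fingerprint detail
    if (d.groupId) groups.add(d.groupId);
  }
  report.groups = groups.size;
  report.exposesIdentifiers = report.persistentIds > 0 || report.labels > 0;
  return report;
}

// Browser wrapper: pass navigator.mediaDevices. Also covers hardened
// profiles where the API is missing or disabled.
async function auditDeviceExposure(mediaDevices) {
  if (!mediaDevices || typeof mediaDevices.enumerateDevices !== "function") {
    return { supported: false };
  }
  const devices = await mediaDevices.enumerateDevices();
  return { supported: true, ...summarizeDevices(devices) };
}

// Constructed sample data (not captured from any real system).
const SAMPLE_BLANK = [
  { kind: "audioinput", deviceId: "", label: "", groupId: "" },
  { kind: "videoinput", deviceId: "", label: "", groupId: "" },
];
const SAMPLE_EXPOSED = [
  { kind: "audioinput", deviceId: "default", label: "", groupId: "g1" },
  { kind: "audioinput", deviceId: "constructed-id-aaaa", label: "", groupId: "g1" },
  { kind: "videoinput", deviceId: "constructed-id-bbbb",
    label: "Constructed Webcam", groupId: "g2" },
];

if (typeof navigator !== "undefined" && navigator.mediaDevices) {
  auditDeviceExposure(navigator.mediaDevices).then((r) => console.log(r));
} else {
  console.log(summarizeDevices(SAMPLE_BLANK), summarizeDevices(SAMPLE_EXPOSED));
}
```

A report with `exposesIdentifiers: false` after applying a plug-in or browser setting indicates the mitigation is blanking the device IDs and labels for that site.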