In today’s remote working situation most people, if not everyone, are working at home more than they ever have before. That means sensitive transactions, browsing and overall Internet use have all increased. Your employer may have provided you with a secure laptop, but chances are the other members of your household do not use equipment that is as secure and private as you’d like.
There are tools that you can use to test and check to see how private your browsing and browsers actually are. I wanted to create a How-To guide to help you easily check and review your home or work browser settings. This will be focused on a website called Browserleaks.com. There are many sites that do similar functions but I find this website to have many helpful options in one place. This website can be overwhelming to those not knowledgeable on the underlying technology but I will try to make it as easy as possible. That means lots of pictures.
Browserleaks.com has many tools, but I will cover the ones that get you started and whose findings are easiest to resolve.
In the lower-left corner of the page is the menu. You can easily access each section I discuss from there.
Your IP address is the first identifier of who and where you are. The first tool you should review is IP Address. This will report back what your external IP address is and provide additional information about it. The IP address can show what ISP you are using, your physical location and maybe even your PC operating system and what browser you are using.
The IP Address tool can also be used to verify that your VPN is working properly by hiding your real location. For example, as I write this my VPN is using servers/proxies based in New York. The IP Address results confirm that I appear to originate from New York when in reality I am nowhere near NY.
WebRTC stands for Web Real-Time Connections. Most likely you are not using it, so you should disable it. WebRTC is used to transmit audio and video streaming data between browsers and mobile apps. However, WebRTC can be used to get your real IP address and other information. Browserleaks WebRTC Leak test will show you if you are leaking or not. The results should come back as False. If you see True, you’re leaking.
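To make the True/False result concrete, the following added example (not code from Browserleaks or from this guide) parses the ICE candidate lines a WebRTC session generates and reports which addresses they carry. The function names, the `vpnExitIp` parameter and every candidate line you feed it are assumptions for illustration; the `0.0.0.0` placeholder and `.local` mDNS names are how current browsers hide local addresses.

```javascript
// Added example: what do WebRTC ICE candidate lines reveal about a host?
// All candidate lines and addresses used with it are constructed samples.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];
const PRIVATE_V6 = /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/i; // ULA fc00::/7, link-local fe80::/10

function addressKind(addr) {
  if (addr === "0.0.0.0" || addr === "::") return "masked"; // placeholder used when the real address is withheld
  if (addr.toLowerCase().endsWith(".local")) return "mdns";  // random mDNS name instead of the LAN IP
  if (addr.includes(":")) return addr === "::1" || PRIVATE_V6.test(addr) ? "private" : "public";
  return PRIVATE_V4.some((re) => re.test(addr)) ? "private" : "public";
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const parts = line.replace(/^a=/, "").trim().split(/\s+/);
  if (parts.length < 8 || !parts[0].startsWith("candidate:") || parts[6] !== "typ") return null;
  const raddr = parts.indexOf("raddr", 8);
  return {
    address: parts[4],
    type: parts[7], // host, srflx (as seen by a STUN server), prflx or relay
    related: raddr !== -1 && parts[raddr + 1] ? parts[raddr + 1] : null,
  };
}

// vpnExitIp: the address the IP Address test shows while the VPN is connected.
function leakReport(lines, vpnExitIp) {
  const seen = { private: new Set(), public: new Set(), mdns: new Set(), masked: new Set() };
  for (const line of lines) {
    const cand = parseCandidate(line);
    if (!cand) continue; // not a candidate line
    for (const addr of [cand.address, cand.related]) {
      if (addr) seen[addressKind(addr)].add(addr);
    }
  }
  const publicIps = [...seen.public];
  return {
    localIps: [...seen.private],
    publicIps,
    mdnsNames: [...seen.mdns],
    // Any public address other than the VPN exit means WebRTC bypassed the tunnel.
    leaksRealIp: publicIps.some((ip) => ip !== vpnExitIp),
  };
}
```

A report with `leaksRealIp: true` or a non-empty `localIps` corresponds to the "True" result described above.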
Here’s how to disable WebRTC settings in Firefox and Chrome. Be careful when you change these types of settings, and change only these.
Disable WebRTC in Firefox
- WebRTC in Mozilla Firefox is supported since Firefox 22, and it’s enabled by default.
To disable RTCPeerConnection and protect IP addresses leakage, go to
To disable Media Devices, toggle media.navigator.enabled as well as
Disable WebRTC in Chrome
- WebRTC in Google Chrome and Chromium-based web browsers is supported and enabled by default since Chrome version 23.
To protect IP addresses from leaking, use the official webrtc.org extension, WebRTC Network Limiter. It has a few options, depending on what you’re looking for.
Canvas fingerprinting is a tricky way to create a unique fingerprint of you and your browser for advanced tracking. You don’t necessarily want to block the functionality, as this could break some websites for you, but you can obfuscate or hide your real fingerprint using browser extensions. I use Canvas Defender by Multilogin, but there are others that offer similar protections.
The SSL/TLS test is browser version-specific. If you are using the latest version of a current browser you should be up to TLS 1.3 support, which is what you want. If you come back and TLS 1.3 is not Enabled, upgrade your browser.
This feature is another verification on how websites can pinpoint your physical locations. Depending on your ISP it may even be able to locate you down to your neighborhood or closer to your home. This also is another VPN verification checker. I am not in NY but it appears I am.
On the main page or the three dots in the menu select More Tools. There are several more technical tools but I want to highlight DNS Leak Test and Social Media Login Detection.
DNS Leak Test
A misconfiguration can have your DNS requests go directly to your ISP instead of an Internet DNS. This can allow a malicious website to identify your ISP, and it means your ISP knows exactly where you go. Instead, you should be using a VPN, or manually configuring your home router for all traffic, or your PC/mobile, to use DNS servers directly. I recommend Cloudflare’s or Google’s. Those addresses are:
- Cloudflare: 188.8.131.52 and 184.108.40.206
- Google: 220.127.116.11 and 18.104.22.168
The DNS Leak Test will tell you if you are leaking. As you can see, through my VPN I am using Cloudflare, and my listed ISP is the ISP of the VPN backend, not my ISP.
Social Media Login Detection
Without your consent most major web platforms leak whether you are logged in. This allows any website to detect on which platforms you’re signed up. Since there are lots of platforms with specific demographics an attacker could reason about your personality, too.
More details on this can be found here – https://robinlinus.github.io/socialmedia-leak/.
The threat has been well known for a long time, going back to the previous decade. But because hardening cross-origin resource sharing to disallow images and blocking third-party cookies by default looks unrealistic for normal users, it won’t be fixed. Major websites also do not consider it a significant security risk. At the moment, only geek-oriented resources have fixed it quickly.
What you can do to protect yourself:
- Disable Third-Party Cookies. It solves the problem but obviously can cause some inconvenience during casual web browsing.
- Use Tracking Protection. There are built-in solutions like Firefox Tracking Protection, as well as special filter lists that you can use with any ABP-based add-on. uBlock Origin with Fanboy’s Enhanced Tracking List works well.
I hope this provides some new knowledge and assistance to get more visibility into the protections, or lack thereof, you have on your home equipment. There are many resources and links throughout Browserleaks to get more detail and explanations on what the tools are showing you, but at a high level I hope these explanations will clarify what works and what doesn’t.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.