Dragon 36. leaks your IP address when using a vpn

So I read the above article today and decided to check out my browsers as suggested at the following url : https://diafygi.github.io/webrtc-ips/

The first one I tested which is my up to date copy failed spectacularly and gave up all my info.

Oddly enough I have a older copy installed as a portable (Version (portable) and it did not pass any information at all so no worries on that one.

To make sure it was not a portable vs full install I went ahead and created a portable install with the new version and it passed all my IP info just like the first one did so yes it is a new version vs old version.

So if you want to be save from prying eyes while using a Chromium based browser with your vpn you either need to use a older version or install a plugin to stop javascript from running in your browser.

On the other hand I was able to kill it in my FF based browsers in about 15 seconds…

i just checked this and it is true!

my CD is leaking my IP! my VPN plugins are useless!

this is because of web RTC ( web real time communication) option that CANNOT be disabled in chrome!
only via extension!

but there is a problem!
tried to download “webRTC block” extension from chrome store and some error appears when i try to install!

its a no GO! be careful people! will this be fixed in V41???

this webRTC option can be disabled in Firefox! why not in chrome?

OK! disregard my previous post!

i had one advertisement blocker plug in preventing me from installing the “webRTC block”…

it was a new adblocker called “µBlock” in chrome store… and well… could be a bug…

anyway i remove it… and returned to the use of good old “ADBLOCK PRO” plugin.
it all works like a charm!

i was then able to install the “webRTC block” plug in.

returned to this page to check:

the webRTC is now DISABLED ( it appears FALSE on the value)
and so does the Device enumeration field!

so i assume the reason of the ip leakage on CD it is now resolved!

BUT I decided to test it anyway so:
i activated my “ZENMATE VPN” plug in to a german IP:

visited the following 2 sites:

Whats my ip : OK ( gave a german IP trace)

BUT on Roseler’s WebRTC test page website (https://diafygi.github.io/webrtc-ips/) no ip appeared… it was blank.

I found it strange so i played a bit with this and:

i deactivated the “webRTC block” and refreshed the Roseler’s WebRTC test page (https://diafygi.github.io/webrtc-ips/) AND voilá! my ip appeared!

i activated the “webRTC block” plug in and again refresh the page and my ip was gone!
no value shown on display! total blank! so assume there is no leakage…

i am protected now! ( for the time being at least…)


Don’t also forget to change your DNS servers. If you obtain DNS server addresses automatically via DHCP you’ll be using your ISPs DNS server which will leak your IP address. Change to OpenDNS servers or ComodoDNS servers instead.

Ive installed the extension for chrome: “webRTC block” and did a test with chromodo v36.6.0.50:

Is WebRTC Enabled - × false
Local IP Address - n/a
Audio Context - true
RTP-based Data Channels - false
SCTP-based Data Channels - false
Screen Capturing - false

WebRTC Media Device Enumeration:

Device Enumeration - ×false
Has Microphone - false
Has Webcam - false
Unique Device ID’s - n/a

Im running: zenmate, flash control, scriptblock, ublock, ghostery, quick javascript switcher and so on…

You can also switch to private DNS servers that dont log IP adress and censor your search queries.

Here you have some free and non logging DNS:

Free DNS, censurfridns.dk, DNS watch, DNSCrypt.eu or OpenNIC Tier 2 servers.

Also a good site for DNS servers updated february 2015: http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm

Another good site to check your privacy and what your browser show and tell about you is:

Tried that link and … it’s bad… red warnings all over the place!

it detected the false IP given by ZENmate VPN plug-in BUT…
also detected my own personal IP via flash! it got me pretty good!
the site says i should deactivate the plug-in.

i tried the work around flash problem stated here and im only using the pepperflash from chrome installation. ( deactivated the adobe flash plug in in settings)
and still it does not even work on my CD… i cant see no flash videos embedded on websites!

how i hate flash…

i dunno what to do in this case.

either way how do i know my DNS servers are bad?

Use flash control and quick javascript switcher extension for chrome, to hide your real IP. Zenmate suggest flash control extension on their site.

When using flash control, whitelist sites you trust to show flash content (videos as example). Also set up your browser to click and play stuff like flash content, this way you can choose to run flash on sites you trust or know is safe.

For DNS servers, i dont know if your current DNS server is secure and private or log your IP adress and so on, but i suggested non logging DNS servers in my previous post, that you can add to your router or set up for specific computers. Search google for tutorials.

Your DNS servers is bad if you search something or try to access a site, and the search redirects you to something else than the site you try to access. Thats how i understand it, reading on different forums. But im no expert, maybe someone better can explain with more detail.

If you install flash control extension and block flash on the jondo site i suggested, it should show zenmate IP and not your real IP.

OK! installed the flash control plug in and did not tweak a thing on the plug in option menu.
i leaved it as it is after installation!

i turned on my ZENMATE VPN plug in and set it to a USA IP (Virginia). >:-D

went to the link you gave and Voilá!
my real IP did not show in the beginning below the fake USA IP! :slight_smile:
HOWEVER i reloaded the flash table (middle of the page) and it showed my real IP
…SO blacklisted that JONDO site on the flash control plug in… and now it wont even show the flash table! its like … it’s not there.

as for the java table ( right above the flash table)… an error occurs…
it blocks automatically saying that my “security settings blocked the application from running!
it only shows the red frame where the java table results should be…

So…i assume Java is blocked by CD it self perhaps?! :o

As for DNS… well i really wanted to avoid messing around with my router. if there is a way to test it easily it would be nice…
anyway i think i am much much better now.

still get some red warnings ( FONTS, HTTP session, MIME TYPES, some plug ins, etc)… but as far as IP goes… i think im ok! (for now)

its amazing how much vulnerable we are!

should i assume any of this flash vulnerability issues to be addressed in the next CD v41 release?
cause on JONDO site it seems to be a solution for every problem regarding firefox browser!

My flash in comodo STILL DOES NOT WORK at video level! but at game level it works! weird huh?


Why would CD have to address flash vulnerabilities ?

If you install adobe spyware thats your responsibility not Comodo

Have you looked at the history of adobe flash … It has always been a security and privacy problem with regular zero day exploits for many years, there have been a couple of such critical fixes to adobe software in the last week

It also breaks Chromes privilege levels ( google tried to address that problem by making their own version of flash, called pepperflash, but even then it is still a major privacy concern ) - Adobe do not care that it does this, so if you are using the full version of adobe flash / shockwave then you only have yourself to blame for undermining the Privacy and Security which Comodo Dragon is trying to give you.

Read from here Google Chrome

The relevant bit starts at the bottom of page 27 ( trusted levels ), and continues over the page. But its worth reading page 26 aswell to understand what you are breaking with bad plugins such as flash. Then read on pages 28 / 29 / 30 / 31 ( page selection is top right of the screen )

After reading that, ask yourself what else these free plugins and games could be doing with an advanced programming language in your browser ( Action Script ) which flash provides, along with all the communications channels it opens up with third parties.

If you are going to use flash - Install Google Chrome aswell with its pepperflash. Uninstall Adobe Flash
Play games / get scammed etc in google chrome

And save your important secure browser ( Comodo Dragon ) from being undermined by plugins

It can easily be fixed in firefox since you can just disable Disable WebRTC in about:config. Chrome users now must run script safe.

This is why i dont like using chrome any more 0 choice they force features on you firefox you can disable things.

As said before, just install the extension WebRTC block. You can also install scriptblock or umatrix.

Listen Internet still needs Adobe flash for to work properly on several websites!

what am i suppose to do?
pepperflash work around does not work on my CD browser on video level. but game level it works!

i have known for a long time flash layer has several bugs! fortunately HTML5 is here and is better… BUT many sites still use flash!

if i didn’t need it i would not install it! this thread showed my how vulnerable we are!
weird thing is firefox has a lot of workarounds as stated on jondo site! so should chrome!

for now i am quite good. i am using flash control plug in. … it helps a bit!

I think you did not understand the last three lines of my post which you quoted, lets try it with slightly different wording :

Install Google Chrome ( which comes with pepperflash ) Use this browser for games / videos

Uninstall Adobe flash / shockwave - You dont need it anymore

Use Comodo Dragon for serious Privacy and Security ← Dont ruin this with pepperflash OR adobe flash

So you now have two browsers installed.
Google Chrome ( with pepperflash ), and Comodo Dragon ( no flash )

No Adobe flash needed, anything Dragon cannot play, Google Chrome with Pepperflash can

( Actually, you will have three browsers installed, if you want Windows Update to work you still need parts of Internet Explorer installed )

Now do you understand ?

Google Chrome is less privacy, pepperflash is less privacy, if you need to use pepperflash why not use google chrome ( no need to use workarounds, keep it in google browser )

If you want good privacy and security online, then load up Comodo Dragon instead of google chrome.

Choose the correct tool for the job :wink:

The WebRTC block extension does not completely protect you as pointed out by some of the comments on the extension page.

If you install it and go to


Then chances are that none of your info shows.

However if you go to

Some of your information still leaks. Not as much but there is still enough to identify your true location rather than the one that your vpn is using.

I have no idea of why one test comes up clean and the other picks up info when they both are checking the same thing.

This is where scriptblock is good. As long as you block that site it shows nothing, its only when you ALLOW or TEMP ALLOW with scriptblock that the page shows the real IP. So install scriptblock and only ALLOW sites you trust, and BLOCK all the other sites.

uMatrix is even better, as it works with firewall types of rules. A bit advanced for novice users, but a very good extension and a must have. Its like noscript for firefox, but for chromium based browsers.

Even with or without VPN or any extensions it only shows my local IP and not my public IP when visiting those sites… I don’t mind but I don’t understand what’s different on my system…

Edit: Using Comodo Dragon on Windows 10 TP 9926

While blocking scripts are effective the problem is that most sites will not work correctly without them and a lot (most?) of the time there are so many scripts running on a page with names that do not really make it easy to identify what script is doing what it takes quite a bit of time to figure out which ones are necessary and which ones are just trying to pull in your info. I use no script on a couple of the FF based browsers that I use and sometimes I just give up and say ■■■■■ it I did not really want the info anyway (which is not true or I would not have gone to the site) or I just tell it to “allow all” so I can read the information which is really not a good choice either.

For sites you go to on a regular basis it is one thing but for new sites or sites you may only go to once in a great while taking the time needed to get the setting correct is sometimes just too high. Honestly not sure what the answer is but having to spend 2-3 times the actual reading time of an article just to make sure that I am not giving everyone and their brother the key to all my info is ■■■■■■■ up to say the least.

What version of CD are you running? On my version 33. it does not show any info either it is just ver 36. that was doing so.