GeoSpoof: a Firefox add-on for convenient geolocation privacy

Website

https://addons.mozilla.org/en-US/firefox/addon/geo-spoof/

Short Description

Disclosure: I am the developer 🙂

Your browser leaks your location through multiple channels: the Geolocation API, timezone offsets, `Intl.DateTimeFormat`, and WebRTC. You get almost no control over it. A VPN changes your IP, but these signals still point right back to where you’re sitting.

GeoSpoof is a Firefox add-on that spoofs your geolocation, timezone, and WebRTC to prevent websites from identifying your real location. Set your location to match your VPN, mismatch it on purpose for extra obfuscation, or pick somewhere entirely different. GPS coordinates, timezone, `Intl` locale data, and WebRTC all stay in sync with whatever you choose.

I got tired of the other geolocation spoofing extensions because they either 1) didn’t work, 2) didn’t have Android support, or 3) were extremely finicky and hard to use.

Open source: https://www.github.com/anthonysgro/geospoof

Features:

  • Android support
  • Spoof geolocation API with any coordinates
  • VPN Region Sync (auto-detect your VPN exit and match your location to it)
  • Automatic timezone spoofing based on location
  • WebRTC IP leak protection
  • Search locations by city name
  • Manual coordinate entry
  • Toggle protection on/off easily

See full table of overridden browser APIs in the documentation.

And just to make it crystal clear, it:

  • does NOT track your browsing activity
  • does NOT collect analytics or telemetry
  • does NOT store data on external servers
  • Some features (city search, VPN sync) make network requests to third-party APIs to function. See the docs for details

Would love to get some feedback from the community. Thanks for reading and have a great evening 🙂

9 Likes

Can you explain if installing and using this will have any impact on browser fingerprint? Or does it not really matter in your view if this is randomizing it all every browsing session/every time you restart your browser? Also clarify if this is going to be randomizing all that it will be spoofing (cause I’d really like that and would be an obvious ask to further the obfuscation efforts).

There is no randomization feature as of now. Today the user can either A) provide explicit latitude and longitude values or B) provide a geographical place via the Nominatim API. The extension then injects a script into your browser that overrides the browser geolocation/timezone/WebRTC APIs so websites can only see the value you set.

I think a randomization feature would be pretty neat. I would love to know the things you care about regarding geolocation fingerprinting, how often you would like to randomize locations, maybe an “anywhere BUT x, y…” filter, etc.

1 Like

I just installed it. I see how it works now.

I have tested the three options you link to in the extension itself. I am however on Mullvad and while Time Zone and Geolocation is matching the location I chose, WebRTC page is showing my VPN location. Is this how it’s supposed to work or is it meant to provide obfuscation primarily when not on a VPN?

Well, I ask this because if I am visiting a website everyday, the website can still try to infer from my browser fingerprint that it is me (hence my first question above). However, if I select or provide a few options within the extension, then ideally I’d want GeoSpoof to randomize between those selected preferred locations upon every browser reboot/browsing session. Alternatively, it’d be very cool to have it change the location after a set number of hours that we select. For example: location is changed every 4 hours.

These are just ideas I am having for such a tool as it would only further what GeoSpoof is trying to do. No?

More observations: other websites that tell you your geolocation and IP address and whatnot are providing mixed results. Some are showing the one I selected and others are showing my VPN location (I use Mullvad btw, if that makes any difference).

> I have tested the three options you link to in the extension itself. I am however on Mullvad and while Time Zone and Geolocation is matching the location I chose, WebRTC page is showing my VPN location. Is this how it’s supposed to work or is it meant to provide obfuscation primarily when not on a VPN?

Yes, so basically WebRTC is a backdoor that allows websites to see your true IP address even if you are on VPN. WebRTC is allowed to bypass the standard HTTP proxy/VPN settings to ask your operating system for its local and public IP addresses. So consider the example where you live in Los Angeles, set your VPN to Tokyo, and set Geospoof to Berlin:

  1. Without WebRTC Protection: A website can detect your true IP address is in Los Angeles.
  2. With GeoSpoof’s WebRTC Protection: A website will not be able to see your true IP address, they will only see Tokyo.

WebRTC does not impact the geolocation APIs in the browser (the ones you set to Berlin).

Moreover the general point is that your IP address is fundamentally different from your browser’s declared Geolocation API (and timezone etc). This extension cannot (and doesn’t claim to) obfuscate your IP address.

If a website deduces your location from your IP address, Geospoof will have no effect. However, if a website deduces your location from your geolocation or timezone browser API, your VPN will have no effect (and you will need Geospoof). My original use case was for users to be able to set their VPN and Geospoof settings to the same location so that they could successfully convince any website of a manually selected location. I hope this clears up any confusion.

3 Likes

> More observations: other websites that tell you your geolocation and IP address and whatnot are providing mixed results. Some are showing the one I selected and others are showing my VPN location (I use Mullvad btw, if that makes any difference).

This is most likely because some websites are determining your location via IP address, some are determining your location via the geolocation APIs. Sophisticated sites use a combination: date/timezone API, offset, daylight saving time, etc. The original intention of this extension was to align your browser geolocation to your VPN IP so that all locations you are emitting are synchronized.

Sorry for the dumb question but then how are you defining spoofing in your tool? I mean, how are you seeing and prefer people see and understand the difference between your tool and what a VPN does? I’m guessing the means through which both try to obfuscate your IP/location is different and that’s how?

Assumption being that IP address and your time zone being different means you’re in the time zone and not really with that VPN IP address. So, I would not say the VPN has no effect but the VPN does not stop the website from inferring this info. Slight difference but an important distinction if you ask me.

Hah! That’s literally what I was thinking too - as to the real use case for such a tool.

1 Like

Thank you for this clarification. I was confused about this for a minute. I’m still learning about privacy so WebRTC, Secure DNS, VPNs, and other things your tool uses still confuse me as to how they all work and with each other especially.

I always check on Mullvad if I have WebRTC protection. I always do.

> how are you defining spoofing in your tool? I mean, how are you seeing and prefer people see and understand the difference between your tool and what a VPN does? I’m guessing the means through which both try to obfuscate your IP/location is different and that’s how?

spoof = user can set browser values to anything they want in accordance with privacy rights and device ownership. Your other questions: this is good feedback because I think I need to make the distinction clearer to people.

Your VPN is not foolproof. You know how you go to a website and it KNOWS you have a VPN on? That is because websites detect inconsistencies in your IP address, WebRTC true IP, browser geolocation APIs, timezone, daylight saving time settings, etc. A VPN alone is not enough to fully mask your location.

At the end of the day, if you want to mask your location, you need both:

  1. A VPN to reroute your IP address to a different location
  2. GeoSpoof to reroute your browser’s geolocation and timezone APIs to a different location
  3. WebRTC is common in VPNs as a network-level feature, but GeoSpoof ensures that the browser knows WebRTC protection is on.

If you are missing one or the other, your location is not truly masked.

2 Likes
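The consistency problem described in the post above, as an added example that is not part of the thread and not GeoSpoof's code: a Node.js self-check comparing the timezone, `Date` offset, coordinates and IP-derived zone a site could observe. The signal objects, field names and finding labels are assumptions, and the longitude test is only a coarse heuristic.

```javascript
// Offset east of UTC, in minutes, of an IANA zone at a given instant.
function zoneOffsetMinutes(timeZone, date) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23', year: 'numeric', month: 'numeric',
    day: 'numeric', hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(date);
  const p = {};
  for (const { type, value } of parts) p[type] = Number(value);
  const wallClockAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  return Math.round((wallClockAsUtc - date.getTime()) / 60000);
}

// Returns the list of mismatches between the signals (empty = consistent).
function findInconsistencies(s, at) {
  const findings = [];
  const zoneOffset = zoneOffsetMinutes(s.intlTimeZone, at);
  // Date.prototype.getTimezoneOffset() is positive WEST of UTC, hence the sign flip.
  if (-s.dateOffsetMinutes !== zoneOffset) findings.push('date-offset-vs-intl-zone');
  // 15 degrees of longitude is about one hour; civil zones deviate, so allow 3 h.
  if (s.geo && Math.abs(s.geo.longitude * 4 - zoneOffset) > 180) {
    findings.push('geolocation-vs-timezone');
  }
  // ipTimeZone stands for whatever zone a GeoIP lookup returns (assumed input).
  if (s.ipTimeZone && zoneOffsetMinutes(s.ipTimeZone, at) !== zoneOffset) {
    findings.push('ip-vs-timezone');
  }
  return findings;
}

// Constructed profiles for a user in Los Angeles, evaluated at a fixed instant.
const AT = new Date('2025-01-15T12:00:00Z');
const LA = { latitude: 34.05, longitude: -118.24 };
const TOKYO = { latitude: 35.68, longitude: 139.69 };
const BERLIN = { latitude: 52.52, longitude: 13.405 };
const PROFILES = {
  vpnOnly: { ipTimeZone: 'Asia/Tokyo', intlTimeZone: 'America/Los_Angeles',
             dateOffsetMinutes: 480, geo: LA },
  intlOnlySpoofed: { ipTimeZone: 'Asia/Tokyo', intlTimeZone: 'Asia/Tokyo',
                     dateOffsetMinutes: 480, geo: TOKYO },
  vpnTokyoSpoofBerlin: { ipTimeZone: 'Asia/Tokyo', intlTimeZone: 'Europe/Berlin',
                         dateOffsetMinutes: -60, geo: BERLIN },
  aligned: { ipTimeZone: 'Asia/Tokyo', intlTimeZone: 'Asia/Tokyo',
             dateOffsetMinutes: -540, geo: TOKYO },
};

for (const [name, profile] of Object.entries(PROFILES)) {
  console.log(name, findInconsistencies(profile, AT));
}
```

Only the `aligned` profile, where the VPN exit and every browser signal agree, comes back with no findings.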

Thank you for the clarification again. That’s what I was thinking too but it’s good to have confirmation from someone much more knowledgeable on the matter.

Btw, reading your GitHub and using and testing GeoSpoof, I’m really liking it. It does indeed resolve the issue VPN falls short on. I’ll buy a coffee with that link you have once I get paid later this month.

My main concern going forward using GeoSpoof:

  1. Longevity. Open source products are not always sustainable and last for years on end. Few can make that promise and stick with it. How do you see/respond to such a concern? I’d like this tool to be maintained for years on end without worrying about it becoming deprecated some time in the future. Are you going to be able to ensure of this? I am no developer but I’m guessing it is made simply and doesn’t take too much to keep up with it?

1 Like

Lastly, I hope you take the suggestion for it auto selecting and randomizing location. It would be even better coupled with a VPN for all your spoofing and obfuscation needs/wants.

Thank you for engaging with me here. I look forward to the community auditing your tool as best as they can for a more final verdict (not that I don’t trust you and your promises being made with it).

> Longevity. Open source products are not always sustainable and last for years on end. Few can make that promise and stick with it. How do you see/respond to such a concern? I’d like this tool to be maintained for years on end without worrying about it becoming deprecated some time in the future. Are you going to be able to ensure of this? I am no developer but I’m guessing it is made simply and doesn’t take too much to keep up with it?

This is a classic problem for open source products, you are correct. While I cannot guarantee I won’t get hit by a bus tomorrow (knock on wood), I can say I fully intend on maintaining this project because I use it myself 😅 At its core, Geospoof is a very lightweight extension and quite maintainable (modern tooling, thorough unit/integration tests, etc) so others can contribute as well.

1 Like

Excellent. Thank you again.

I know you don’t have such incentives with an open source project like this, but please be mindful of enshittification. That’s the only other concern I have.

We’d all still like to have at least some nice things in the future too, as bleak as it is appearing to be.

1 Like

I think you missed my very first question about impact on browser fingerprinting with this extension. Please clarify on that as well. I didn’t catch that until now as I was busy testing the tool while commenting promptly.

It seems WebRTC spoofing is a main feature of the tool - can you speak more towards that threat vector?

How is WebRTC traffic a more vulnerable and potent source of IP leakage than any other kind of traffic? What kind of ‘backdoor’ is inherent to WebRTC, but absent from REST, SOAP, gRPC, Webhooks, or GraphQL traffic?

I am not super knowledgeable on fingerprinting but my guess is this has very little effect one way or another. But if you set your geolocation to a very lowly populated city, I suppose that would make you more unique than if you set it to a megacity. But to be honest there are so many JavaScript attributes someone could use to de-anonymize you that the ones my extension changes will probably have little effect.

1 Like

I still don’t understand the reason behind “spoofing” your location when it is behind a prompt.

2 Likes

> How is WebRTC traffic a more vulnerable and potent source of IP leakage than any other kind of traffic? What kind of ‘backdoor’ is inherent to WebRTC, but absent from REST, SOAP, gRPC, Webhooks, or GraphQL traffic?

WebRTC traffic is designed to find and communicate with unknown peers as a P2P protocol. The goal is to connect two people (ex: like a video call) without a server bridging the gap. To support this, the browser has to bypass any firewall or router etc. To find the shortest path between peers, WebRTC uses ICE (Interactive Connectivity Establishment). This protocol is allowed to bypass standard proxies and can directly ask your computer “what is your ip address”.

So with standard traffic protocols (REST, gRPC, etc) the browser sends a TCP packet to the VPN tunnel and the VPN sends it to the server.

With WebRTC, my understanding is that the browser sends a UDP packet to a STUN server (Session Traversal Utilities for NAT) hosted by Mozilla or Google, or even whichever website you are on can inject a STUN server for stun.malicious-marketing.com. This packet literally just bypasses the VPN tunnel and exposes your real IP address. The browser can leverage this to get your true IP address just by running some JavaScript on your device.
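A way to check your own setup against the ICE behaviour discussed above, as an added example that is not part of the thread and not GeoSpoof's code: it parses ICE candidate strings and labels each address relative to the VPN exit you expect. The candidate lines are constructed from documentation and private address ranges, the verdict labels are assumptions, and only IPv4 is classified.

```javascript
// Constructed candidate strings. In a browser they arrive on
// RTCPeerConnection "icecandidate" events as event.candidate.candidate.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 1686052607 198.51.100.77 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'candidate:3 1 udp 1686052607 203.0.113.10 40000 typ srflx raddr 10.64.0.2 rport 40000',
  'candidate:4 1 udp 2122260223 3f2a9c1e-7b4d-4e0a-9c55-1d2e3f4a5b6c.local 51240 typ host',
];

// Field order: foundation component transport priority address port "typ" type [key value]...
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').replace(/^candidate:/, '').trim().split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null; // not a candidate line
  const c = {
    foundation: f[0], component: Number(f[1]), transport: f[2].toLowerCase(),
    priority: Number(f[3]), address: f[4], port: Number(f[5]), type: f[7],
  };
  for (let i = 8; i + 1 < f.length; i += 2) c[f[i]] = f[i + 1]; // raddr, rport, ...
  return c;
}

function isPrivateIPv4(addr) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function verdictFor(c, vpnExitIp) {
  if (c.address.endsWith('.local')) return 'mdns-masked'; // browser hid the host address
  if (isPrivateIPv4(c.address)) return 'private-address'; // LAN address visible to the page
  return c.address === vpnExitIp ? 'vpn-exit' : 'unexpected-public-address';
}

// vpnExitIp is the address you expect sites to see (assumed known to the user).
function auditCandidates(lines, vpnExitIp) {
  return lines.map(parseCandidate).filter(Boolean)
    .map((c) => ({ type: c.type, address: c.address, verdict: verdictFor(c, vpnExitIp) }));
}

console.table(auditCandidates(SAMPLE_CANDIDATES, '203.0.113.10'));
```

A `srflx` candidate marked `unexpected-public-address` is the case the thread is worried about; `vpn-exit` matches what the Mullvad user reported seeing on the WebRTC test page.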