UPDATED: moved to a port-based approach 9 Feb 2015; crossposted to github, & onsite echo.
We've implemented a client-side solution to this Windows leak, which has just recently been posted.
NOTE that one must have Windows Firewall enabled on the local machine for this patch to function (h/t, again, @KaganKongar). If WF isn't your preferred firewall setup, feel free to port these rules into whatever you use - and if you think to report back here or in the github repository on the rules you develop, that'd be helpful for others doing the same. Thanks.
As kongar noted, the problem isn't so much the WebRTC protocol itself as the fact that the Windows kernel consistently leaks UDP packets carrying the protocol's payload outside of the virtual NIC, and thus outside the encrypted tunnel. That means both that they're not able to be nullrouted simply by "catching" them as they show up at cryptostorm exitnodes (for example) - since the leaked packets don't follow that routing pathway - and that they're difficult to squash with some conventional packet management tools, given that they're already "out-of-pocket."
Turns out there's a small number of STUN servers used by Firefox and Chrome for these lookups. We tracked them down with the help of a hefty pack of friends and fellow investigators on twitter today (full details in the opening post at our new blog: cryptostorm.is/bloggy - we also pointed kfuckoffnow.com at it because it was sitting around and... why not, really?).
Here's the whittled-down final script to implement the needed packet filtering rules on Windows to ensure none of these packets get off the machine. It requires no fiddling with browsers, adding extensions that may or may not work consistently, etc.
[quote]@echo off
::save as a .bat file, run as administrator
::then visit https://diafygi.github.io/webrtc-ips/ to verify
::no more public IP leaking

netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP localport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP localport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP remoteport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP localport=19302
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=19302
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP localport=19302
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP remoteport=19302[/quote]
(yes, the emoticon is in df's pushed-to-production script - it's not an unintended render...)
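The rules above are port-based, so they catch STUN on 3478 and 19302 but would miss a STUN server listening elsewhere. As an added example (not cryptostorm's code), the audit below identifies STUN traffic by its RFC 5389 header instead of by port, flags any STUN packet that leaves a non-tunnel interface, and says whether the port rules would have stopped it. The capture format (interface name, destination port, UDP payload) and the interface names are constructed for illustration.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442
# Ports blocked by the netsh rules in the post above.
BLOCKED_PORTS = {3478, 19302}


def is_stun(payload: bytes) -> bool:
    """Return True if payload is a well-formed STUN message (RFC 5389 header)."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits of the type are always zero, the cookie is fixed, and the
    # length field excludes the 20-byte header and is a multiple of 4.
    return ((msg_type & 0xC000) == 0 and cookie == STUN_MAGIC_COOKIE
            and msg_len % 4 == 0 and len(payload) == 20 + msg_len)


def audit(packets, tunnel_iface: str):
    """Return (iface, dst_port, verdict) for every outbound STUN packet seen."""
    findings = []
    for iface, dst_port, payload in packets:
        if not is_stun(payload):
            continue
        if iface == tunnel_iface:
            verdict = "in tunnel"
        elif dst_port in BLOCKED_PORTS:
            verdict = "leak, caught by port rules"
        else:
            verdict = "leak, NOT caught by port rules"
        findings.append((iface, dst_port, verdict))
    return findings


def binding_request(txid: bytes) -> bytes:
    """Build a minimal 20-byte STUN Binding Request (constructed test data)."""
    return struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + txid


# Constructed sample capture: (interface, destination port, UDP payload).
SAMPLE = [
    ("tun0", 3478, binding_request(b"A" * 12)),     # inside the VPN tunnel
    ("eth0", 3478, binding_request(b"B" * 12)),     # leak on the standard port
    ("eth0", 19302, binding_request(b"C" * 12)),    # leak on the browsers' port
    ("eth0", 5000, binding_request(b"D" * 12)),     # STUN on a non-standard port
    ("eth0", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),  # plain DNS, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "tun0"):
        print(finding)
```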
And, lastly, we striped in a little workspace at github both to help in collecting & de-duplicating the STUN addresses, and to publish the above-quoted script so it's easily accessible for anyone who decides to build on it, expand it, etc.
Thanks again to everyone who helped us out with this today, and we hope this unassuming bit of script-fu helps keep folks safe.
Cheers,
~ df & pj