Signal now enables Link previews. I'm not sure I'm happy with this idea.
Not even days ago there was a detailed article on how bad link previews are for privacy. Of course right now the previews are quite limited, but I'm sure they'll open them up soon.
Previews can be bad if private data is transmitted to third parties. However, Signal implemented the same proxy technology as for GIPHY, which has been present in Signal for months. Furthermore, it is optional.
@infosechandbook The main problem with it is: Unlike a GIF, a link can be personalized before you get it. And as soon as you send it to another person, the link preview will leak that this link was shared.
I recommend this read on link previews:
All shared links have the potential to leak your IP address etc.
AFAIK Signal's link preview proxy only protects your data when generating the preview. It doesn't allow you to search for content to get a link.
So you likely already leaked your data to get the link. After sharing, other people will likely leak their identity by clicking the shared link.
In contrast, GIPHY GIFs can be directly retrieved, shared and viewed using Signal only.
@infosechandbook Let me try to illustrate the problem I see:
I get a suspicious, personalized link by email. Because I'm not sure about it, I copy it and send it (via Signal) to a friend with the question what he thinks about it.
Now, without me opening the link, the attacker gets notified that the link was shared. Based on the user agent information the attacker can probably even assume that it wasn't a regular browser opening it.
This may be true for attacker-controlled websites and, of course, if the proxy doesn't mask the UA.
However, at the moment only 4 websites are supported, and we don't know the proxy implementation.
@infosechandbook That's why I mentioned initially that I'm concerned that they'll open the number of websites up after a while.
I don't mind the current way of link previews, but I'm quite sure it won't stay that limited. And that again opens up the mentioned attack vector.
About the proxy implementation: The proxy can't mask the UA as they do layer 4 proxying. So it's up to the client implementation. That again doesn't seem to implement any special mitigations to hide the UA.
@infosechandbook Just saw it: while on Android they basically use what the HTTP library provides as UA, in the desktop version they explicitly state that they are Signal:
Which makes the whole thing even worse, as you can craft even better websites that explicitly target those previews done by Signal desktop.