> I just found that we shared a link pointing to a governmental domain. I cleaned every log today and retrieved the link then sent it back. The domain has been contacted again. So yes it is related to link preview.
But I can't believe Signal devs left such a huge data leak channel in their app.
You can disable this. But just to be clear, the preview is from the sender. I think it’s reasonable to assume that someone sending a link is willing to click the link, no?
If the preview comes from a proxy, why does the helper perform a DNS lookup or hit that domain?
> I think it’s reasonable to assume that someone sending a link is willing to click the link, no?
I think it's reasonable in most cases, but my assumption was that Signal was doing the clicking for me discreetly from their servers; reading their blog post now, I think I understand it's only for some domains.
Good question. Without looking into it, one theory I might have is that the client does the DNS resolution and then just proxies the HTTP request through Signal's servers.
In general, I find the privacy implications of either solution a bit hard to reason about. Having Signal proxy the requests leaks to the website that someone is sending a link to the site via Signal, but not who is sending the link. If the link itself is sufficiently unique, though, that could be an issue.
On the other hand, if someone sends me a link and I in turn send it on (without clicking) via Signal, and doing so causes my client IP to be revealed, that seems sorta bad. So the proxy makes sense here.
/shrug
I don't think any of the risks here are huge, and the options all have tradeoffs, which I guess is why you can disable the feature.
Not surprisingly, this turns out to have a totally benign explanation.
Still, I do think this demonstrates how hard it is for (apparently) well-meaning, somewhat-technical users to understand what their software does.
I don’t think reading over firewall logs is a very good way to ensure trust in client-side software, of course. (Aside from just being ridiculously time-consuming, there are too many easy ways to exfiltrate data. Like…sending it to the Signal servers?)
But I do sort of idly wonder, given the ever-increasing complexity of the trusted computing base, how we can make it so users who are (apparently) concerned enough to read over firewall logs can more productively evaluate trust.