Signal :signal: optionally enables link previews:

– the feature uses a proxy to conceal your IP address from third parties
– currently only available for Imgur, Instagram, Reddit, and YouTube links
– available in Signal beta and Signal Desktop 1.21.0

@infosechandbook Hmm, who controls the proxy (and thus knows who is sending/receiving links)..?


According to the post, the endpoints of the TLS connection are the Signal client and the previewed website. Additionally, they generate a fixed packet size.

However, as always, you must analyze the full code client-side and server-side to be 100% sure.

@infosechandbook Okay, so you're revealing to Signal that you're sending a link (and what it is)...


As long as you enable this feature, and as long as it is one of the four websites mentioned in the article – maybe.

We can't say this without analyzing the implementation of this feature.

@infosechandbook Yeah, understood, just going by what's in that blog-post (and the one they link to about the gif-search feature). Opt-in is good. If it's all "as the label says" I guess the user gets to decide if "reveal self directly to website" or "tell Signal what websites you're linking" is better...

@infosechandbook IMO it might be better to do the "preview" operation client-side, since I suspect most people will have the website open on their computer/phone anyway (to paste the link) so have already revealed themselves to that website (but NOT to Signal)...

Sign in to participate in the conversation
Mastodon is a microblogging site that federates with most instances on the Fediverse.