Signal optionally enables link previews:
– the feature uses a proxy to conceal your IP address from third parties
– currently only available for Imgur, Instagram, Reddit, and YouTube links
– available in Signal beta and Signal Desktop 1.21.0
@infosechandbook Hmm, who controls the proxy (and thus knows who is sending/receiving links)..?
According to the post, the endpoints of the TLS connection are the Signal client and the previewed website. Additionally, they generate a fixed packet size.
However, as always, you must analyze the full code client-side and server-side to be 100% sure.
@infosechandbook Okay, so you're revealing to Signal that you're sending a link (and what it is)...
As long as you enable this feature, and as long as it is one of the four websites mentioned in the article – maybe.
We can't say this without analyzing the implementation of this feature.
@infosechandbook Yeah, understood, just going by what's in that blog-post (and the one they link to about the gif-search feature). Opt-in is good. If it's all "as the label says" I guess the user gets to decide if "reveal self directly to website" or "tell Signal what websites you're linking" is better...
@infosechandbook IMO it might be better to do the "preview" operation client-side, since I suspect most people will have the website open on their computer/phone anyway (to paste the link) so have already revealed themselves to that website (but NOT to Signal)...