Signal-android: Link previews automatically enabled (should be opt-in)

Created on 3 Aug 2019 · 5 Comments · Source: signalapp/Signal-Android


Bug description

When you first install Signal, it has link previews enabled by default.

Steps to reproduce

Just install the app.

Actual result:

Notice that "Send link previews" is enabled under Privacy in Settings.

Expected result:

This should be disabled by default. It's bad enough that Signal uses phone numbers plus SMS for signup as opposed to usernames plus proof-of-work. At least, we can always get the SMS on one phone, and enter it into another phone, in order to obscure the association between Signal usage, phone number, and IMEI. But with link previews enabled, this all goes out the window. We end up sending our social network configuration to Imgur, Instagram, Pinterest, Reddit, and YouTube in the form of common content fetches within tight time windows.

Say I visit reddit/something. Then I send it to you. You're smart about social network reverse engineering, so you do the right thing and delay for a long time (probably days) before clicking the link. But that's defeated by the fact that the link preview hit reddit/something as soon as the phone got the message. As a result, Reddit sees that IP address X and IP address Y hit the same thing at nearly the same time. After a "few" more such samples, it works out that the people living at X and Y are associated, probably direct friends. Worse, if we are both logged in, then it knows a lot more about us, perhaps our names and approximate locations.

Link previews are great for apps that don't care about anonymity. In Signal, though, it should be opt-in-to-shoot-self-in-foot type of stuff.

The only thing worse is having to report this at GitHub, which deanonymizes everyone via fckcing 2FA, no stylometry needed! But that's not your fault. Please just consider it as evidence of how concerned I am about this issue.

Finally, links in general shouldn't just fire off the browser when touched. It's just waaay too easy to do that by mistake. Even ignoring all the potential malware ramifications, it's broadly deanonymizing for exactly the reasons stated above. At the very least, it should come up with a dialog saying "Are you sure you want to effectively tell this website that you're socially connected to your messaging peer? Do you trust this website? Will browsing this link tell your internet provider about you?" Better yet, have an option to just display links as "https://..." so they can be copied into an anonymizing browser elsewhere.

Device info

Device: Samsung Galaxy S5
Android 5.0
Signal: 4.42.3

All 5 comments

First of all, this is not a bug report, but more of a discussion/feature request. These types of topics are more appropriate for the community forum per CONTRIBUTING.md.

But it seems that you are also not aware of how Link Previews work in Signal at all. You should absolutely read the "I link therefore I am" blog post or the support article.

Quoting the mentioned blog post (emphasis mine):

  • The Signal app establishes a TCP connection through a privacy-enhancing proxy that obscures IP addresses from the site that is being previewed.
  • A TLS session is negotiated directly between the app and the previewed site through the proxy to ensure that the Signal service never has access to the URL. Previews are not generated for non-HTTPS links.
  • The Signal app retrieves preview images using overlapping range requests so that the proxy service only sees repeated requests for a fixed block size when media is transferred.
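
An added illustration of the third quoted point, not code from Signal or from this thread: one way a client can plan overlapping range requests so that every request covers the same number of bytes. The block size, the function names and the sample body are assumptions made for the example.

```python
"""Plan fixed-size, overlapping HTTP Range requests and reassemble the body."""

BLOCK_SIZE = 1024  # assumed value for illustration; the thread does not state one


def plan_ranges(total_len, block=BLOCK_SIZE):
    """Return inclusive (start, end) ranges that each span exactly `block` bytes.

    The final range is shifted backwards so it overlaps its predecessor instead
    of being shorter. A body smaller than one block cannot be padded by Range
    alone, so it is fetched as a single short range.
    """
    if total_len <= 0:
        return []
    if total_len <= block:
        return [(0, total_len - 1)]
    ranges, start = [], 0
    while start + block < total_len:
        ranges.append((start, start + block - 1))
        start += block
    ranges.append((total_len - block, total_len - 1))  # overlapping tail
    return ranges


def range_header(start, end):
    """Format the value of an HTTP Range request header."""
    return f"bytes={start}-{end}"


def reassemble(total_len, responses):
    """Rebuild the body from in-order ((start, end), data) pairs, checking overlaps."""
    body, filled = bytearray(total_len), 0
    for (start, end), data in responses:
        if start > filled or len(data) != end - start + 1:
            raise ValueError("gap between ranges or wrong response length")
        overlap = filled - start  # bytes already received from an earlier block
        if bytes(body[start:start + overlap]) != data[:overlap]:
            raise ValueError("overlapping bytes differ between responses")
        body[start:end + 1] = data
        filled = max(filled, end + 1)
    if filled != total_len:
        raise ValueError("ranges do not cover the whole body")
    return bytes(body)


if __name__ == "__main__":
    sample = bytes(i % 251 for i in range(2500))  # constructed stand-in for an image
    plan = plan_ranges(len(sample))
    print([range_header(s, e) for s, e in plan])
    print(reassemble(len(sample), [((s, e), sample[s:e + 1]) for s, e in plan]) == sample)
```
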

With reference to the blog post:

"The Signal app establishes a TCP connection through a privacy-enhancing proxy that obscures IP addresses from the site that is being previewed."

There is no description of the proxy used in that blog post. "Privacy enhancing" doesn't cut it for me, I'm afraid.

"You can also remove any individual link preview by tapping on the ‘X’ icon in the corner of the preview before sending a message."

At that point it is too late.

"Sending link previews is completely optional"

Yes, after you realise that your safety may have been compromised.

It's all very clever, if I trust your implementation. But by trusting how clever you are, you are deciding to risk other people's safety with the things that you have forgotten.

You are in the business of getting users to trust you. It is a bug. Make the default disabled.

@privacy-wonk I'll note one thing below, for the rest it's probably better to wait for an official response from the Signal team.


"It is a bug."

Referencing CONTRIBUTING.md again (emphasis mine):

"Bug reports should only be submitted for existing functionality that does not work as intended."

I believe that the current default (on for new installs and off for existing users before this feature was introduced) is what the developers intended; thus changing this default is actually a feature request/discussion, which should, as mentioned above, be directed to the community forum.

If that was the original intent, then that design decision was fundamentally flawed. If the CONTRIBUTING.md makes that not an issue, then that document is also fundamentally flawed.

As @u32i64 helpfully linked to, we have a blog post on link previews (link) that explains how things work. That post links to our post on giphy search (link), which uses the same proxy. To quote the giphy article:

"the Signal service knows who you are, but not what you’re searching for or selecting. The GIPHY API service sees the search term, but not who you are"

You can sub in "GIPHY API service" for any of the sites we're previewing. Same deal.

This feature is working as intended. If you want to discuss this more, feel free to do so on the forum. Thanks!
