by javagram 2422 days ago
This will keep happening until they enable e2e.

I’ve had Facebook block several links sent in private message groups, to completely legal and safe sites (Messenger prints out an obscure API error and refuses to send the content). They have done this for a long time.


Worth noting WhatsApp also provides link previews now. Although it is supposedly e2e communication, the link previews are likely generated by reaching out to a similar facebook unfurl service.

They can then have a single map of phone num -> links rendered between fb and whatsapp.

WhatsApp fetches a link preview on the sender's device before the message is encrypted, and packages it up with the message before sending. Depending on how exactly they implement the fetch, they may or may not know what links you sent.
At least links in PDF over WA didn't get visited from FB servers. I just personally tested it moments ago.
What's visiting the links? Your phone?
Try sending a link immediately and you'll see that it doesn't get a preview.

Give it a few seconds after pasting it and you'll get the preview, because it gets it from your device.

WhatsApp also scans pdf files you send to a contact. Easy to confirm as well: get some random pdf with a Chinese filename and Chinese content. Send it to a contact. Watch the delay in send/receive. Now do the same for any random pdf that's all English. Watch the regular send/receive time occur.

The only conclusion: it takes a little time for a file that's flagged - based on its language - to pass the scanners?

I experienced this too, Facebook will block most torrent links, regardless of whether they're legal or not. I've taken to encoding these with Base64 first and instructing the recipient to decode them.
Why not just make it a broken link and tell them how to correct it?
Why not just use an e2e messaging service? If you can convince people to decode a link then I am sure you can convince them to use Signal.
This was just a quick fix, but I agree with you on the e2e messaging service. However, I do wish more e2e services like Telegram would open source their backend. Looks like Signal does now at least!
Telegram is barely e2e.
Messages in plain text on the server? That's /not/ e2e at all! That's just a con. Advice: avoid Telegram completely, always.

Or is my news old and that's no longer the case?

I imagine it is quite easy to reassemble a broken link with some extra whitespace or random characters (unless you really scramble it, which makes the process of manually "decoding" tedious). At that point you might as well automate the process and use base64.
This one. I believe I tried that, but they are able to reconstruct them to some extent, at least with trivial brokenness.
I have had similar experiences, numerous to be more exact. The latest was a 10-year-old WordPress blog living on a WordPress.com subdomain, definitely not hacked. It was about science, to be more exact, about neurology.
e2e would not necessarily stop it. Since FB controls the apps that send and receive the message, they can do whatever they want to the unencrypted message on both sides.
You can choose to enable e2e on Messenger
Because the key, nonce, result, and keyshare or Diffie-Hellman exchange are all done inside of messenger... why would anyone believe this is legit?

It might be, IDK, but if it’s all inside their system, how could you audit that?

Couldn't you sort of test this by enabling E2E, sending a link that was previously blocked, and seeing if it is still blocked? That would at least show some sign if it's all a sham or not.
That would guarantee absolutely nothing.
If the link was still blocked it would guarantee that Facebook is still eavesdropping.
The other guy was right. Think about this easy scenario:

  if (E2E_ENABLED) {
    SkipCrawler();
    SkipContentChecks();
  }
Yes, totally understood. I am just thinking in line with a different response that this could be an easy way to prove if they’re still snooping - not a guarantee that they aren’t.
Agreed. There is nothing stopping the sender's app from parsing and reporting URLs in any and all content before e2e occurs... Even to FB servers
This argument applies to any messenger app that claims e2e encryption. You could build signal from source. But how much do you trust your compiler?
I trust my compiler more than Facebook
For any value of “compiler.”
Can you actually use Signal built from source with official servers? Anyway, we have open-source chat platforms that have been audited by independent third parties on one side, and closed-source megacorporations' unaudited chat software on the other. Point being, why would you argue for using the bigger "evil"?
The same can be done if e2e is enabled. Nothing prevents Facebook from sending links from the client to a "validation" service.

They do this already in WhatsApp for instance.

Maybe I'm being foolish, but isn't the point of e2e that Facebook wouldn't even know what you were sending (a link or otherwise), it being encrypted in flight?
The WhatsApp client knows, since that's the "end." Nothing technical stops Facebook from bundling some code in the client to pass data about the messages back to a central server.
Yes, but it's hard to trust e2e when keys go through a blackbox (Facebook's API), and clients are controlled by Facebook (closed source applications and JS).

It's better than no encryption, but not what technical people usually mean by e2e encryption.

Facebook can send the URLs from client to their service, that just bypasses the e2e channel and opens up a nice side channel for Facebook to peek into messages.
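An added illustration of the trust-boundary point made throughout this thread (link previews fetched and URLs parsed on the sender's device before anything is encrypted, so e2e protects the transit path but not what the client does with the plaintext). This is a constructed Python model, not Facebook or WhatsApp code: the cipher is a stand-in HMAC keystream, the `telemetry` list stands for the hypothetical reporting path the comments describe, and the message and URL are made up.

```python
import hashlib
import hmac
import os
import re

URL_RE = re.compile(r"https?://\S+")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) as keystream.
    # Only models "a party without the key cannot read the bytes"; a real
    # client would use its protocol's AEAD, not this.
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def client_send(plaintext: str, key: bytes, telemetry: list) -> tuple:
    """Sender's client. Everything here runs on plaintext, *before* encryption:
    the link-preview step parses URLs, and (hypothetically) reports them."""
    urls = URL_RE.findall(plaintext)   # what a link-preview fetcher needs anyway
    telemetry.extend(urls)             # hypothetical side channel around e2e
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext.encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def server_sees(ct: bytes) -> list:
    """Relay server has no key: searching the ciphertext for URLs finds nothing."""
    return URL_RE.findall(ct.decode("latin-1"))


def client_receive(nonce: bytes, ct: bytes, tag: bytes, key: bytes) -> str:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with in transit")
    return _keystream_xor(key, nonce, ct).decode()


def demo() -> dict:
    key = os.urandom(32)          # shared key, as if from the key exchange
    telemetry = []                # data leaving the client outside the e2e channel
    msg = "check this out https://example.org/paper.pdf"   # constructed sample
    nonce, ct, tag = client_send(msg, key, telemetry)
    return {"server_finds_urls": server_sees(ct),
            "client_reported": telemetry,
            "recipient_reads": client_receive(nonce, ct, tag, key)}
```

The server learns nothing from the ciphertext, yet the URL still reaches it through the client-side path, which is why a link being blocked under e2e would show the client inspects plaintext, while a link going through shows nothing either way.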