by kevincox 909 days ago
It's a security tradeoff. Given that you want to provide a link preview (which is a nice feature) you have a few options:

1. Generate on the sender side. Downside: Can be spoofed.

2. Generate on the receiver side. Downside: Leaks receiver IP.

3. Generate via third party: Downside: Leaks information to the third party.

Overall I think that 1 is the best option. The sender can "spoof" all of their messages anyway; including the preview as part of the message is really no different. The problem here is that it isn't obvious that this content comes from the sender: it is displayed as a separate bubble, and I would bet that 99% of users don't realize that the content is from the sender.

Plus the URL is all that really matters anyway. If you are clicking on an attacker-controlled URL they can make the preview display anything they want. So you gain very little by forcing the preview to be "authentic".

Option 3 can be good as well, especially if implemented with something like double-blinding. So you connect to one party which forwards you to a second party. This way the first sees your IP and the second sees the destination IP, but neither sees both (unless they collude). However, that is a lot of infrastructure to set up and maintain for relatively little benefit.


Another comment picked what I think is the best option: the sender generates it, and the receiver verifies it, but only on click. That way the receiver's already going to leak their IP, so WhatsApp can verify before opening up the web page.

Verifies what? That the preview matches? What if it changed between the send and the click legitimately? Also, what is the threat model here? If the sender controls the URL they can generate any preview that they want.
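To make the "verify on click" proposal and the two objections to it concrete, here is an added example (my own code, not WhatsApp's and not anything posted by the commenters). It assumes the preview is built from Open Graph `<meta>` tags, the usual source for link unfurling, and uses constructed HTML pages rather than network fetches. `verify_preview` is the check a client could run at click time; the sample pages show that it flags a page whose title changed legitimately after sending, and passes an attacker-controlled page whose tags simply match the attacker's own preview, which is exactly the point that verification buys little when the sender controls the URL.

```python
"""Receiver-side verification of a sender-supplied link preview (added example).

The preview is compared against the Open Graph tags of the page the
receiver fetches at click time. All HTML below is constructed sample
data; nothing is fetched from the network.
"""
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Preview:
    """The fields a chat client typically shows in a link-preview bubble."""
    title: str = ""
    description: str = ""
    image: str = ""


class _OpenGraphParser(HTMLParser):
    """Collects og:* <meta> tags; the first occurrence of each property wins,
    matching how most unfurlers behave when a page repeats a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = attr.get("property") or attr.get("name")
        content = attr.get("content")
        if prop and prop.startswith("og:") and content is not None:
            self.tags.setdefault(prop, content)


def extract_preview(page_html: str) -> Preview:
    """Build the preview the receiver would generate itself from the page."""
    parser = _OpenGraphParser()
    parser.feed(page_html)
    parser.close()
    return Preview(
        title=parser.tags.get("og:title", ""),
        description=parser.tags.get("og:description", ""),
        image=parser.tags.get("og:image", ""),
    )


def verify_preview(sender_preview: Preview, page_html: str) -> list[str]:
    """Return the names of the fields where the sender's preview disagrees
    with what the page currently serves. An empty list means 'matches'."""
    actual = extract_preview(page_html)
    return [
        field
        for field in ("title", "description", "image")
        if getattr(sender_preview, field) != getattr(actual, field)
    ]


# --- constructed sample pages -------------------------------------------

# What the linked page served when the message was sent.
HONEST_HTML = """<html><head>
<meta property="og:title" content="Quarterly report">
<meta property="og:description" content="Numbers for Q3">
<meta property="og:image" content="https://example.com/q3.png">
</head><body>...</body></html>"""

# The same page after a legitimate edit: only the title changed.
UPDATED_HTML = HONEST_HTML.replace("Quarterly report", "Quarterly report (revised)")

# A page entirely under the attacker's control; its tags say whatever the
# attacker wants, so the preview "verifies" even though it is misleading.
ATTACKER_HTML = """<html><head>
<meta property="og:title" content="Your bank: confirm your account">
<meta property="og:description" content="Action required">
<meta property="og:image" content="https://example.com/bank-logo.png">
</head><body>phishing form here</body></html>"""

# The preview each sender attached to their message.
SENDER_PREVIEW = extract_preview(HONEST_HTML)
ATTACKER_PREVIEW = extract_preview(ATTACKER_HTML)


if __name__ == "__main__":
    print("honest page  ->", verify_preview(SENDER_PREVIEW, HONEST_HTML))
    print("edited page  ->", verify_preview(SENDER_PREVIEW, UPDATED_HTML))
    print("attacker page->", verify_preview(ATTACKER_PREVIEW, ATTACKER_HTML))
```

Run as a script it reports `[]` for the unchanged page, `['title']` for the legitimately edited page, and `[]` for the attacker's page: a mismatch warning would fire on the benign edit and stay silent on the phishing link, so the check changes nothing about which links are safe to open.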