this post was submitted on 02 Oct 2023

39 points (91.5% liked)

Privacy

30753 readers

1114 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

PSA: Do not enable URL thumbnail generation in Element (lemm.ee)

submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]

13 comments fedilink hide all child comments

As I noted within my post, #[email protected] (alternate link), URL thumbnail generation in Element is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server. Here is a notable excerpt from the settings within Element:

In encrypted rooms, like this one, URL previews are disabled by default to ensure that your homeserver (where the previews are generated) cannot gather information about links you see in this room.

Post Edit History

2023-10-02T00:54Z
1c1,2
&lt; As I noted within my post #[email protected] ([alternate link](https://lemm.ee/post/9955859)), thumbnail generation in [Element](https://element.io/) is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server.
***
> As I noted within my post #[email protected] ([alternate link](https://lemm.ee/post/9955859)), thumbnail generation in [Element](https://element.io/) is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server. Here is a notable excerpt from the settings within Element:
> > In encrypted rooms, like this one, URL previews are disabled by default to ensure that your homeserver (where the previews are generated) cannot gather information about links you see in this room.

2023-10-02T01:28Z
1,2c1,2
&lt; As I noted within my post #[email protected] ([alternate link](https://lemm.ee/post/9955859)), thumbnail generation in [Element](https://element.io/) is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server. Here is a notable excerpt from the settings within Element:
&lt; > In encrypted rooms, like this one, URL previews are disabled by default to ensure that your homeserver (where the previews are generated) cannot gather information about links you see in this room. 
***
>  As I noted within my post, #[email protected] ([alternate link](https://lemm.ee/post/9955859)), thumbnail generation in [Element](https://element.io/) is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server. Here is a notable excerpt from the settings within Element:
> > In encrypted rooms, like this one, URL previews are disabled by default to ensure that your homeserver (where the previews are generated) cannot gather information about links you see in this room.

2023-10-02T03:44Z
1c1
&lt; As I noted within my post, #[email protected] ([alternate link](https://lemm.ee/post/9955859)), thumbnail generation in [Element](https://element.io/) is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server. Here is a notable excerpt from the settings within Element:
***
> As I noted within my post, #[email protected] ([alternate link](https://lemm.ee/post/9955859)), URL thumbnail generation in [Element](https://element.io/) is an enormous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server. Here is a notable excerpt from the settings within Element:

Post Signature

ul7mHTfs8xA/WWwNTVQ9HzKfj/b+xw+q9csWf60OJrT58jMJpmsX8/BicwFodR8W
Llo93EMtboSUEtYZ+wQhaL/HmrEr6arup7gJzZgslOBWPFj5azADHSpjX9RYuvpt
Fk2muTUgJP2e+SW3BGDPmlcluw6mQOYcap84Fdc1eU47LOZprBXob97qInMK5LrL
tzNqARRtXGdogZtQYlNCqCd9eQgqTwPfxKVadmM6G3xQMh6mWQxQz56sCXqj+mlG
OqJyZIgB1UXEuVZeAO3pl9wN+cSM4eqHLHQwEd+aVeSPf75r2d7mZs+VNwr1WfMu
0sWcPh3aZLXKqdls6UJMEA==

top 13 comments

sorted by: hot top controversial new old

[–] [email protected] 24 points 10 months ago* (last edited 10 months ago) (1 children)

Yeah it literally tells you in the UI before enabling it

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (1 children)

Indeed, it does. It can be overlooked, however. I added that info to my post, though. Thank you for the note.

AcN4ig5AQaP5RPDXd4zDkAmFvg+Xp65zI6i5ossToWdpV7Ad2r7s0UAn6TRKG5NbiBOvr+ZWk8fVS8abFcXGEmEp9axEG/BOxJVSMteDTjhf74fVmRbIxik8EpYR2FA5DXTK/r6nrxxiuTTak5kNUrSi2Bb4ebdFEEhrdikuDm68jjHiXsqOS2O4JYxUhhd0qrjnzaCAtiCr1KnqyR+9eEtUDv8nx8IvAnk/9EmzSnPxn5BinJYFjM3qEh3KYyqfY//d0brUQFkbKJmqn1KGdhmzZG7SUtZPsAozJSrVFHynavEwx6SIhxAbJYojQ10RjkYYXVQ10RNmB+NiPs1Zgg==

[–] [email protected] 1 points 10 months ago (1 children)

With my friend we have a bot who does this for us. Check out on maubot - at least it is mot client side work

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

Using a bot to generate a URL preview is an interesting workaround.

Content Signature: cLObDckmLviCA8xG832rJ8PFk9UTYN/PrdRb5/lCZkl+GsjtkMp90r6PWD+Ffxby0izyxVeDocLbJh8xrP7L3a1dUX2whEABb8mAhl+cHJqbxq07Z3SWBcroLyolMjmIfUQIgRRRB6lUhbsiwCfKcoVrf0HQchXZS+83YcyMtr+dgiIhVQar3/WMkIk+4nJ/sS+O2vz7c/RfxAzYYzFSPErFVe8Y1NWXWqPOajV/BdLS0U8239ElxUb7Q2Zq8SCgzqoOBtFbgWXTsa6lHFj4gqkRiaDzH6jlJhuO4rRZdA6E2dP+G0Ru7MexI1P6ev65I6VMWxYye0nqtdXC8Alp3A==

[–] [email protected] 3 points 10 months ago

Is there a way to disable client image loading in general?

Syphon does this by default, but I can't find an equivalent setting anywhere in Element

[–] [email protected] 3 points 10 months ago (1 children)

That doesn't make any sense.. If the URLs are server side that means there is no e2ee at any time because the server has to know when to shown the preview..

If that's true disabling preview generation doesn't really matter because the vulnerability would be elsewhere

I never used matrix, but do clients own the keys or are they stored on the server?

[–] [email protected] 6 points 10 months ago* (last edited 10 months ago) (2 children)

If you look at this documentation it outlines various methods of generating URL thumbnails. Essentially, a separate request from the client for only the URL is made to the server which then returns a thumbnail. It's an absolutely moronic design choice, if you ask me.

EDIT (2023-10-02T01:35Z): Do note that the link that I provided is for Synapse v1.37 -- Synapse is currently on v1.97. Curiously, the documentation for the new versions of Synapse have removed the sections talking about URL previews. I'm not sure what's up with that.

RT373YSQwMB+y28d7xm/Xybihcmx9jgkd4RskvPuoFQ3hapIv4exdmtMe+QxsVqos5odxTVuKAftj53zXFFQyD7MK0985zDvfKYjIj+b+8rNSAG0fArG2SXVBW0mLXqRnXiZXiknoPekyu7MKr1aD8k9DMQzCap60oNWmOLoCQXdmEetiEnhGL8zW2KR9P4MxtzxMzLzPWJyLmpLbXVJdxTmHFN32IvMHiyY29iJqZegmIuav0+IP2c3leGrJs75eGW2uWoj8J8VWWzflWfRRO3FwzJFRIvrptPN0osD0wMrgLJ4FYwXZQetIEJ99TxWvxqTYak90q6HxvVygOyHPw==

[–] girsaysdoom 3 points 10 months ago (1 children)

I agree. That's a terrible choice to me.

Why would they not just offload this as a feature for the client to handle? At least then the security and privacy ultimately would be up to the user's decision.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago) (2 children)

Post a link to a channel of 1k users and 1k users send a request to the website, instead of only the server once?

/edit: From a privacy standpoint I'd really trust my chat server provider over random websites. So I definitely don't see how it's a terrible choice for these two reasons.

That being said, if you're concerned, disabling previews is the answer.

[–] [email protected] 1 points 10 months ago

Post a link to a channel of 1k users and 1k users send a request to the website, instead of only the server once?

That would only happen if the URL is generated on the recipients side. What Signal does, for example, is it generates the preview on senders side, and sends the preview with the URL, so the preview is only generated once.

/edit: From a privacy standpoint I’d really trust my chat server provider over random websites. So I definitely don’t see how it’s a terrible choice for these two reasons.

What do you mean? How would "random websites" come into play?

That being said, if you’re concerned, disabling previews is the answer.

Thankfully, they are disabled by default.

content-signature:qGFf4UPQ4M6XKPDbSyjOuKK5erMVrib4GPgJTPSifQT6qiijr1MRJxucdCk8rBol/AB+Blsv+aVn1zxs6D8cHttXu7E0uZuGYuS1UyYq/sVyjW6XSgvwpMqmozHaLh61+je8LDeFXVyR8t+okNYEzugMcmZsbes4gPchoxkkk9Mpo9AzIkmh40JEiz3WTrLMOT6Kwc5B0SIu3QENq2ucqSPUJ9HfOM4yMhYV57wQgk6VyssUWRlntq9RD3gauVa2CKi7g21LppoUiVRoxuxlalXM6azmza4M1z3cAK/F2x8ZEaeQbHjec3Q8LD4/w50dWN5hhuRyGdQTRqY+U0ACLA==

[–] girsaysdoom 1 points 10 months ago

Fair points. I'd say it depends on what we're focusing on.

Maybe a good compromise would be to have the account that sent the message generate the preview. At least that way you'd maintain E2EE and save the webserver some unnecessary demand.

I can also see how this could be less reliable (because we're now relying on a client with all sorts of variables) and less safe (malicious sender could mask malicious links with benign previews) than the server method but it all depends on which you prefer more.

After thinking about it in this situation, previews are just a nightmare to deal with privately and I'd probably just want to turn them off.

[–] [email protected] 1 points 10 months ago (1 children)

Have you posted a suggestion on github? I feel like this was a proof on concept during development and maybe it was forgotten about further along the life cycle.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago)

Have you posted a suggestion on github?

There are existing issues on GitHub:

OmPLoYXUOIPhnGr5krVHtCI4knI0pbb4zO/7u4iEWtsBXQbEFOJQITsUYRtvd+9lQvbuKYgEF8tip5O7mZcvgFRNdE2jUR+IE9ewoi5prn7pNTx4+xKR5vgVpXYaixpLI1qMMA+iXD+XobZJRGz9nHi+vzcTMkyHD0X6UpS2GVYztqgghxyxkMhvneR2PtwnjJo/KUi5KAtD4Le/p6wAxS/SZHSzKJIS4vflTayYU/zfZhlc/ElDPy/hoZAeLmq3fWJDMQN5ZPIyS9/mMp+/CkIfRj/GvkDfI2+OdHW23WACezuMHBnvO4w2LPakLDasUKpeUx7bJrNdC1qBcDIDAg==