[Standards] The Open Graph protocol

Jonas Schäfer jonas at wielicki.name
Tue Nov 10 14:23:35 UTC 2020


On Tuesday, 10 November 2020 12:10:04 CET Marvin W wrote:
> Hi,
> 
> Besides what Jonas said, there are two things I'd like you to consider
> when specifying this that seemed to be out of scope or not considered yet:
> 
> ## Support sender-side link generation
> According to various security/privacy people, the best way to do these
> link previews is to generate them client-side with the sender. By
> sending a link the user expresses some amount of trust in it and it is
> reasonable to assume they won't be sending links with the intention to
> cause harm to their client. However, sending links to cause harm to
> others (be it servers or remote clients) is more likely to be in the
> intention of some people.
> 
> While I understand the wish to do this server-side in MUCs (i.e. clients
> will take some time to support this in sending and you don't want
> receiving users to suffer in UX because of that), sender-side link
> preview creation should be the default and server-side rather an
> optional fallback.
> 
> If link previews are generated by the sender, there is no strict need to
> use message attaching (or fastening or whatever is going to be the next
> big thing), the link preview details could just be in the message that
> has the body with link itself (that said, generating such links might
> impose a delay, so some clients will want to use a second message to
> announce the link preview nonetheless). So the spec IMO should have this
> in mind from the beginning. When using message attaching, this would
> probably be straightforward, when using message fastening it's not.

In this case, please discuss the security implications with regard to phishing.
With sender-side rich preview, spoofing of such previews becomes trivial. I
imagine a spoofed rich preview to be even more dangerous than the typical
<a href="badsite">goodsite</a> in an HTML email.

kind regards,
Jonas
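
The spoofing concern raised in the reply above, sketched as a receiving-client consistency check. This is an added example, not part of the original message or of any XMPP specification. It assumes the sender-supplied preview arrives as a dictionary of Open Graph properties (og:url, og:title, og:site_name, og:description); the function names, heuristics and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Heuristic: anything in free text that looks like a DNS name.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
TEXT_FIELDS = ("og:title", "og:site_name", "og:description")


def host_of(url):
    """Lower-cased host of an http(s) URL, or '' if there is none."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https"):
            return ""
        return (parts.hostname or "").rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        return ""


def related(a, b):
    """True if the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_preview(body, preview):
    """Return findings; an empty list means the sender-supplied preview is
    consistent with the link in the body. This cannot show that the title,
    description or image match what the page really serves."""
    target = host_of(preview.get("og:url", ""))
    if not target:
        return ["og:url missing or not http(s)"]
    findings = []
    body_hosts = {host_of(u.rstrip(".,;:)")) for u in URL_RE.findall(body)}
    if target not in body_hosts:
        findings.append(f"og:url host {target} is not linked in the body")
    for field in TEXT_FIELDS:
        for name in HOST_RE.findall(preview.get(field, "")):
            if not related(name.lower(), target):
                findings.append(f"{field} names {name.lower()}, link goes to {target}")
    return findings


# Constructed sample data (not taken from the thread).
BODY = "Please confirm your account: https://login.unrelated.example/verify"
HONEST = {"og:url": "https://login.unrelated.example/verify", "og:title": "Verify account"}
SPOOFED = dict(HONEST, **{"og:title": "bank.example - Secure sign in",
                          "og:site_name": "bank.example"})
DETACHED = {"og:url": "https://bank.example@other.example/", "og:title": "News"}
```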
