[Standards] The Open Graph protocol

Marvin W xmpp at larma.de
Tue Nov 10 15:25:24 UTC 2020


On 10.11.20 15:23, Jonas Schäfer wrote:
> In this case, please discuss the security implications with regard to phishing.
> With sender-side rich preview, spoofing of such previews becomes trivial. I
> imagine a spoofed rich preview to be even more dangerous than the typical
> <a href="badsite">goodsite</a> in an HTML email.

Absolutely. However, this also applies to MUC-generated previews, as MUC
servers in general cannot be considered trustworthy (even though many
clients nowadays just do that). Also, servers are not able to look into
E2EE messages.

Also, it's not said anywhere that the link preview can be clicked on at
all. If you can only click on the actual link in the original message,
spoofing what is displayed below is far less of an issue.

Also, regarding phishing: nothing keeps me (as a phisher) from actually
using the same Open Graph tags on the phishing site as on the original
site, so even a server-generated preview does not protect in any way
from that.

Marvin
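The mitigation Marvin describes (only the actual link is clickable; the preview is decoration) can be made concrete in client code. The following is an added example written for this page, not code from the thread, from any XMPP client, or from the Open Graph specification. It parses `og:*` meta tags with the Python standard library, then builds a preview that takes title and description from the untrusted metadata but derives the displayed origin and the click target solely from the URL that actually appears in the message, and flags when the page's claimed `og:url` host differs from the real host. The two HTML documents are constructed sample input: the second copies the first page's Open Graph tags verbatim, as the message notes a phisher can.

```python
"""Added example (not from the mailing-list thread): a link-preview builder
that never lets Open Graph metadata decide what origin is shown or where a
click goes. Metadata is treated as attacker-controlled decoration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:*" content="..."> tags from an HTML document.
    Only the first occurrence of each property is kept."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = attr.get("property", "")
        if prop.startswith("og:") and prop not in self.og and "content" in attr:
            self.og[prop] = attr["content"]


def parse_open_graph(html):
    """Return a dict of og:* properties found in the document."""
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.og


def build_preview(link_url, html):
    """Build a preview for a link contained in a message.

    link_url: the URL literally present in the message (the only thing the
              user can click).
    html:     the document fetched from link_url (untrusted).

    Title and description come from the metadata; the displayed origin and
    the click target come from link_url only, never from og:url or
    og:site_name. A host mismatch between og:url and link_url is reported
    so the client can, for example, refuse to render the preview at all.
    """
    og = parse_open_graph(html)
    real_host = urlsplit(link_url).hostname or ""
    claimed_url = og.get("og:url")
    claimed_host = urlsplit(claimed_url).hostname if claimed_url else None
    return {
        "title": og.get("og:title", ""),
        "description": og.get("og:description", ""),
        "display_origin": real_host,   # derived from the real link, not metadata
        "click_target": link_url,      # the preview is never a separate link
        "og_url_mismatch": claimed_host is not None and claimed_host != real_host,
    }


# Constructed sample input: a legitimate page and a phishing page that copied
# the legitimate page's Open Graph tags unchanged.
HONEST_HTML = """<html><head>
<meta property="og:title" content="Good Site">
<meta property="og:description" content="Sign in to Good Site">
<meta property="og:url" content="https://goodsite.example/page">
<meta property="og:site_name" content="goodsite.example">
</head><body>welcome</body></html>"""

SPOOFED_HTML = HONEST_HTML  # identical metadata, served from a different host

if __name__ == "__main__":
    honest = build_preview("https://goodsite.example/page", HONEST_HTML)
    spoofed = build_preview("https://badsite.example/login", SPOOFED_HTML)
    for name, preview in (("honest", honest), ("spoofed", spoofed)):
        print(name, preview["display_origin"], preview["click_target"],
              "mismatch" if preview["og_url_mismatch"] else "ok")
```

Both previews carry the same "Good Site" title, which is exactly the point: the metadata cannot be used to tell them apart. What differs is `display_origin` and `click_target`, both taken from the message's own link, and the `og_url_mismatch` flag that the copied `og:url` trips on the second page. Whether the preview is generated by the sender, the MUC or the receiving client, the same rule applies: nothing taken from the fetched page may become a navigation target or stand in for the destination shown to the user.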