Worth noting WhatsApp also provides link previews now. Although it is supposedly e2e communication, the link previews are likely generated by reaching out to a similar facebook unfurl service.

They can then have a single map of phone num -> links rendered between fb and whatsapp.

WhatsApp fetches a link preview on the sender's device before the message is encrypted, and packages it up with the message before sending. Depending on how exactly they implement the fetch, they may or may not know what links you sent.

At least links in PDF over WA didn't get visited from FB servers. I just personally tested it moments ago.

What's visiting the links? Your phone?

Try sending a link immediately and you'll see that it doesn't get a preview.

Give it a few second after pasting it and you'll get the preview, because it gets it from your device.

I experienced this too, Facebook will block most torrent links, regardless of if they're legal or not. I've taken to encoding these with Base64 first and instructing the recipient to decode them.

Why not just make it a broken link and tell them how to correct it?

Why not just use an e2e messaging service? If you can convince people to decode a link then I am sure you can convince them to use Signal.

This was just a quick fix, but I agree with you on the e2e messaging service. However, I do wish more e2e services like Telegram would open source their backend. Looks like Signal does now at least!

Telegram is barely e2e.

Messages in plain text on the server? That's /not/ e2e at all! That's just a con. Advice: avoid telegram completely, always.

Or is my news old and that's no longer the case?

Q: What is this ‘Encryption Key’ thing?

When a secret chat is created, the participating devices exchange encryption keys using the so-called Diffie-Hellman key exchange. After the secure end-to-end connection has been established, we generate a picture that visualizes the encryption key for your chat. You can then compare this image with the one your friend has — if the two images are the same, you can be sure that the secret chat is secure, and no man-in-the-middle attack can succeed.

Newer versions of Telegram apps will show a larger picture along with a textual representation of the key (this is not the key itself, of course!) when both participants are using an updated app.

Always compare visualizations using a channel that is known to be secure — it's safest if you do this in person, in an offline meeting with the conversation partner. Q: Why not just make all chats ‘secret’?

All Telegram messages are always securely encrypted. Messages in Secret Chats use client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud (more here). This enables your cloud messages to be both secure and immediately accessible from any of your devices – even if you lose your device altogether.

The problem of restoring access to your chat history on a newly connected device (e.g. when you lose your phone) does not have an elegant solution in the end-to-end encryption paradigm. At the same time, reliable backups are an essential feature for any mass-market messenger. To solve this problem, some applications (like Whatsapp and Viber) allow decryptable backups that put their users' privacy at risk – even if they do not enable backups themselves. Other apps ignore the need for backups altogether and fade into oblivion before ever reaching a million users.

We opted for a third approach by offering two distinct types of chats. Telegram disables default system backups and provides all users with an integrated security-focused backup solution in the form of Cloud Chats. Meanwhile, the separate entity of Secret Chats gives you full control over the data you do not want to be stored.

This allows Telegram to be widely adopted in broad circles, not just by activists and dissidents, so that the simple fact of using Telegram does not mark users as targets for heightened surveillance in certain countries. We are convinced that the separation of conversations into Cloud and Secret chats represents the most secure solution currently possible for a massively popular messaging application.

https://telegram.org/faq#q-what-is-this-encryption-key-thing

Telegram supports "secret chats", which only work on a single device and for private conversations.

Every other telegram feature has no security.

I imagine it is quite easy to reassemble a broken link with some extra whitespace or random characters (unless you really scramble it which makes the process of manually "decoding" tedious). At that point you might as well automate the process and use base64

This one. I believe I tried that but they are able to reconstruct them to some extent at least with trivial broken-ness

I have had similar experiences, numerous to be more exact. The latest was 10 yrs old WordPress blog living on WordPress.com subdomain, definitely not hacked. It was about science, to be more exact, about neurology.

e2e would not necessarily stop it. Since FB controls the apps that send and receive the message, they can do whatever they want to the unencrypted message on both sides.

You can choose to enable e2e on Messenger

Couldn't you sort of test this by enabling E2E, sending a link that was previously blocked, and seeing if it is still blocked? That would at least show some sign if it's all a sham or not.

That would guarantee absolutely nothing.

If the link was still blocked it would guarantee that Facebook is still eavesdropping.

Other guy was right. Think about this easy scenario

  If (E2E_ENABLED) {

  SkipCrawler();  

  SkipContentChecks();  

}

Again, it isn't to prove the encryption works, it is only a test that could prove that it doesn't work.

Ah, yea, I got the argument backwards. I thought he was saying if content wasn’t blocked that it proved encryption worked. Can’t prove the negative.

Yes, totally understood. I am just thinking in line with a different response that this could be an easy way to prove if they’re still snooping - not a guarantee that they aren’t.

Agreed. There is nothing stopping the sender's app from parsing and reporting URLs in any and all content before e2e occurs... Even to FB servers

This argument applies to any messenger app that claims e2e encryption. You could build signal from source. But how much do you trust your compiler?

I trust my compiler more than Facebook

For any value of “compiler.”

Can you actually use Signal built from source with official servers? Anyways, we have open-source chat platforms that have been audited by independent third parties, on one side, and closed-source mergacorporations' unaudited chat software on the other. Point being, why would you argue for using the bigger "evil"?

Same can be done if e2e is enabled. Nothing prevents Facebook from sending links from client to a "validation" service.

They do this already in WhatsApp for instance.

Maybe I'm being foolish, but isn't the point of e2e that Facebook wouldn't even know what you were sending (a link or otherwise), it being encrypted in flight?

The WhatsApp client knows, since that's the "end." Nothing technical stops Facebook from bundling some code in the client to pass data about the messages back to a central server.

Yes, but it's hard to trust e2e when keys go through a blackbox (Facebook's API), and clients are controlled by Facebook (closed source applications and JS).

It's better than no encryption, but not what technical people usually mean by e2e encryption

Facebook can send the URLs from client to their service, that just bypasses the e2e channel and opens up a nice side channel for Facebook to peek into messages.