On 10.11.20 15:23, Jonas Schäfer wrote:
> In this case, please discuss the security implications in regards of
> phishing.
> With sender-side rich preview, spoofing of such previews becomes trivial. I
> imagine a spoofed rich preview to be even more dangerous than the typical
> <a href="badsite">goodsite</a> in an HTML email.

Absolutely. However this also applies to MUC generated previews as MUC servers in general cannot be considered trustworthy (even though many clients nowadays just do that). Also servers are not able to look into E2EE messages.

Also it's not said anywhere that the link preview can be clicked on at all. If you can only click on the actual link in the original message, spoofing what is displayed below is far less of an issue.

Also regarding phishing: Nothing keeps me (as a phisher) from actually using the same opengraph tags on the phishing site as on the original site, so even a server generated preview does not protect in any way from that.

Marvin
