Secure chats should not load YouTube (and so on) preview images by
default, since it leaks exactly which links were pasted. This should
be an opt-in setting.
An eavesdropper can notice that just a preview image was loaded
immediately after the client received an encrypted message and
determine that there is a high probability of a link to that video in
the encrypted chat. This can give the eavesdropper quite a bit of
information about what is being discussed in the chat, particularly if
several related videos are posted. This is not good if the
eavesdropper is an ISP owned by a repressive government.
Can you please also address the DNS information leak
(https://trac.jitsi.org/ticket/1060)? If someone is using Jitsi over
Tor or any other proxy, DNS lookups should be done over the proxy to
avoid eavesdropping and maintain privacy.