I just want to note we at OpenITP are also concerned about images
loading over HTTP; encrypted modes should not send cleartext traffic.
Emil, can we ensure this bug gets addressed?
Date: Tue, 29 Jul 2014 13:31:46 -0700
From: Yan Zhu <email@example.com>
Subject: [jitsi-users] Bug report: turn off image autoloading during
I noticed today that Jitsi auto-loads image URLs during OTR sessions,
including over clear HTTP. IMO, this shouldn't be the default behavior,
because it leaks content from a private conversation to (1) the server
hosting the image, and (2) local network attackers if the image is not
Jitsi's UA string and other HTTP headers are fairly distinctive, so it's
potentially possible for third parties to fingerprint Jitsi users from
Electronic Frontier Foundation https://www.eff.org 815 Eddy Street, San
Francisco, CA 94109 +1 415 436 9333 x134
Gillian "Gus" Andrews
Senior Program Associate, Secure User Practices
Open Internet Tools Project
On 7/29/14, 6:10 PM, firstname.lastname@example.org wrote: