What about closed networks?
What happens if I were to type in the URL of a website on a closed network?
A developer has found a hole in secure messaging tool WhatsApp's handling of links that could expose some traffic to third parties. The condition, discovered by developer Adam Wolk, arises when a user types a link into a WhatsApp message. Wolk found that, as the URL is entered into the message, WhatsApp pings the host server, …
There's no such thing as a valid user agent, they're not regulated by anyone and neither should they be. Don't get me started on the stupidity of all major browsers still being labelled as Mozilla/5.0.
Why we can't just cut all this out and just use Firefox/56 or Chrome/127 or whatever we're up to now is beyond me.
In fact, I'm getting a user agent plugin now and updating mine to something sensible. I'm starting a revolution, even if it's just a single grumpy middle-aged man revolution.
If the website admin is particularly BOFH-like there's also a chance you'll get your mobile's IP blacklisted from the webserver. For instance if you've set CSF to block after too many 404s are received, and the file/folder path of the URL being typed is long enough for it to hit that limit.
I'm not overly surprised that WhatsApp is doing this, but I'm surprised it's coming straight from the app and not from a WhatsApp server.
What sort of prat does that on a "secure" app? At least Facebook only seems to do it when you hit return.
Hang on... I just used Facebook as a less-worse option. I may need to go kill myself.
Apparently, this application (and others, judging by the replies on the Twatter post) does this in order to fetch a preview of the link.
But what use is a preview to the person sending the link? As opposed to the person receiving it, they presumably already know the contents of whatever they are sending, so what use is the preview? Eye candy?
ElReg says:
> "Checking URLs, if done properly, still has some major benefits for user security."
Checking URLs against a blacklist? Maybe¹, but sending a request to the potentially evil URL to see if it crashes / takes over your app does not seem like the most effective approach, security-wise.
E.g.: https://twitter.com/dr4ys3n/status/874725257722179584
¹ Blacklists should be provided as a compressed file to be downloaded and used client-side, as is done with Geo-IP, otherwise the benefits of blacklists are neutralised by the loss of privacy in having the blacklist provider know every detail of your browsing habits.
... here is bollocks design!
Leaving aside the obvious information leakage and privacy issues (well covered above), who thinks it is acceptable to waste bandwidth ('cheap' xDSL/DOCSIS or 'expensive' cellular) and server-side resources with this 'char by char' lookup rubbish?
And don't get me started on the probable* piss-poor performance of the client app due to the latency of the public WAN/lower layers.
What a waste! When will people realise that bandwidth is neither free nor limitless, and as a designer you have an obligation to minimise its use by what you write.
This shoddy design makes my teeth itch!
No wonder ever increasing broadband speed is of such importance...it has to carry all this cruft..as well as the cruft that masquerades as 'content'.
(* One is not a WhatsApp user, so I cannot test my assumption)
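For a server admin who wants to see the per-keystroke fetches discussed in this thread, the following is an added example (not part of any comment above) that scans an access log for a client whose consecutive GET paths each grow by one character, and counts how many of those requests returned 404. The log lines, the addresses (documentation ranges), the function names and the 404 limits are all constructed assumptions.

```python
import re

# Constructed sample: one client "types" /docs/q3.pdf one character at a time,
# a second client requests the finished URL once. Only two paths exist.
TYPED = "/docs/q3.pdf"
EXISTING = {"/docs/", "/docs/q3.pdf"}
SAMPLE_LOG = [
    f'198.51.100.7 - - [13/Jun/2017:10:00:{i:02d} +0000] "GET {TYPED[:i]} HTTP/1.1" '
    f'{200 if TYPED[:i] in EXISTING else 404} 162 "-" "-"'
    for i in range(2, len(TYPED) + 1)
] + ['203.0.113.9 - - [13/Jun/2017:10:00:30 +0000] '
     '"GET /docs/q3.pdf HTTP/1.1" 200 5120 "-" "-"']

# client address, request path, status code of a combined-format log line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) ')

def typed_url_runs(lines, min_run=4):
    """Return {client: (run_length, 404s_in_run)} for clients whose consecutive
    GET paths each extend the previous path by exactly one character."""
    state = {}  # client -> (last_path, run_length, not_found_count)
    best = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET line in the expected format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        last, run, nf = state.get(ip, (None, 0, 0))
        if last is not None and len(path) == len(last) + 1 and path.startswith(last):
            run, nf = run + 1, nf + (status == 404)
        else:
            run, nf = 1, int(status == 404)  # sequence broken: start a new run
        state[ip] = (path, run, nf)
        if run >= min_run and run > best.get(ip, (0, 0))[0]:
            best[ip] = (run, nf)
    return best

def over_404_limit(runs, limit):
    """Clients whose typed-URL run alone would reach an assumed 404 block limit."""
    return sorted(ip for ip, (_, nf) in runs.items() if nf >= limit)

if __name__ == "__main__":
    runs = typed_url_runs(SAMPLE_LOG)
    print(runs, over_404_limit(runs, limit=5))
```
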