No Pictures/URL Preview in OTR #9497

Closed
Dirk23 opened this issue Jan 25, 2018 · 8 comments

@Dirk23

Dirk23 commented Jan 25, 2018

Description:

When in an OTR session it is not possible to see posted pictures; after ending the OTR the picture appears. The same goes for URL previews like giphy or similar. In OTR there is no picture preview of a gif or a website preview.

With OTR:
[screenshot: with-otr]

Without OTR:
[screenshot: without-otr]

Picture with OTR:
[screenshot: otr]

Server Setup Information:

  • Version of Rocket.Chat Server: 0.60.4
  • Operating System: Ubuntu 16.04 LTE
  • Deployment Method(snap/docker/tar/etc): snap
  • Number of Running Instances: 1
  • DB Replicaset Oplog: ?
  • Node Version: ?

Steps to Reproduce:

  1. Start an OTR
  2. Post a link to a gif or post a picture
  3. Picture/URL preview is not shown
  4. Stop OTR or use another device with the same account (and no active OTR): URL preview/picture is shown

Expected behavior:

I would like to use RC with OTR the same way as I use it without OTR. That means URL previews and pictures should be shown.

Actual behavior:

Uploaded pictures just disappear in OTR chat and reappear after OTR has ended. URL previews are not shown.

@localguru
Contributor

localguru commented Jan 29, 2018

see #7507 - OTR and files is completely buggy

@AmShaegar13
Contributor

What is the point of OTR then? With OTR the server cannot read your messages. How do you expect it to detect pictures/URLs then?

If you want the server to read your messages and show previews then do not encrypt them.

@Dirk23
Author

Dirk23 commented Feb 6, 2018

I heard some whistles blowing that it is possible to encrypt and decrypt files. Mindblowing, isn't it? And I always thought a link is nothing more than a string, and strings are encrypted/decrypted right now. The client should be able to show a preview of that link, right?

@AmShaegar13
Contributor

That's not how it works. URL previews are fetched server-side. With OTR, you explicitly do not want the server to be able to decrypt your messages.

If the client were to fetch the URL for previews, an attacker could abuse this. For example, I could get your operating system, browser and IP address by sending a URL to you which points to my server.

Also, on poorly written websites, I could do things in your name. Let's assume you are a forum administrator and the software isn't protected against CSRF. If I send one of these links to you it might get executed because the browser visits those links and sends your session cookie with it.

https://forum.domain.tld/admin/users/1337/delete <- delete user with ID 1337
https://forum.domain.tld/admin/users/1337/makeAdmin <- promote user with ID 1337 to admin

Of course, these are unrealistic examples. Today's software does(/should) not work like this. It's just to demonstrate what would be possible.

All this said, I just want to point out that I am highly against URL previews for OTR.
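
An added example, not part of the thread and not Rocket.Chat code: a sketch of a client-side preview gate that reflects the risks described in the comment above. The function names, the `otr` and `userOptIn` flags and the action labels are hypothetical; the fetch options are standard Fetch API settings.

```javascript
// Added illustration, not Rocket.Chat code. All function names, flags and
// action labels are hypothetical.

// Constructed sample message; the URL is the one quoted in the comment above.
const SAMPLE = 'look at https://forum.domain.tld/admin/users/1337/delete please';

// Pull http(s) links out of an already-decrypted message body.
function extractLinks(text) {
  const links = [];
  for (const token of text.split(/\s+/)) {
    try {
      const u = new URL(token);
      if (u.protocol === 'http:' || u.protocol === 'https:') links.push(u.href);
    } catch (_) {
      // token is not an absolute URL; ignore it
    }
  }
  return links;
}

// Decide what the client does with each link.
//  - no OTR: the server sees the plaintext and builds the preview itself.
//  - OTR, default: show the link as text; nothing is requested on receipt.
//  - OTR + explicit user opt-in: client fetch, with the session kept off it.
function previewPlan(text, { otr, userOptIn = false }) {
  return extractLinks(text).map((url) => {
    if (!otr) return { url, action: 'server-preview' };
    if (!userOptIn) return { url, action: 'render-as-text' };
    return {
      url,
      action: 'client-fetch',
      fetchOptions: {
        method: 'GET',
        credentials: 'omit',           // no cookies: the request is unauthenticated
        referrerPolicy: 'no-referrer', // do not reveal the chat origin
        redirect: 'error',             // do not follow redirects to other hosts
      },
      // What the link's host still learns from any client-side request.
      stillExposed: ['ip-address', 'user-agent'],
    };
  });
}

console.log(previewPlan(SAMPLE, { otr: true }));
console.log(previewPlan(SAMPLE, { otr: true, userOptIn: true }));
```

Omitting credentials addresses the session-cookie case from the comment; the IP address and User-Agent are still visible to the link's host on any client-side request, which is why the default for OTR here is to fetch nothing.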

@Dirk23
Author

Dirk23 commented Feb 6, 2018

And what about files? I want to share a screenshot while in OTR but it is not shown! Ending OTR shows the previously uploaded files. That's broken in so many ways.

@AmShaegar13
Contributor

As @localguru said, this is a bug already tracked in #7507 and even more issues. There is some progress in #7181 to improve e2e encryption but I can't tell you when this will be done.

@JSzaszvari
Contributor

Traditionally OTR has never supported file transfers / image uploads. (With any platform)

@TwizzyDizzy

@rocket-cat close

I'm closing this issue now. I also think that the problem initially described is tracked in #7507. If somebody disagrees, please get back to me. :)

Cheers
Thomas

@rocket-cat rocket-cat bot closed this as completed Feb 8, 2018