URI:teller & a Call for the Curious

jviide, published in HowNetWorks, Nov 3, 2016

Last Friday we quietly rolled out a new service called URI:teller. When I say “quietly” I don’t count our friends whom we immediately spammed with links to uriteller.io. Sorry about that, friends! #notsorry

URI:what?

We built URI:teller to scratch a specific itch: verifying that end-to-end encrypted messaging apps don’t leak the links we exchange via chats.

A major selling point of end-to-end encrypted (E2EE) chat apps is that only the intended recipient can decrypt the data. No outsider, indeed not even those controlling the app’s central servers, should be able to read your messages. One could reasonably assume that absolutely nothing sent over the private pipeline leaks out. Signal, WhatsApp and Wire are well-known examples, with new contenders springing up all the time.

On the other hand most of these apps offer link previews. Enter a URL and up pops a sneak peek of its contents. How do secure chats achieve this without inadvertently revealing parts of the messages — the links — to a third party?

And this is what URI:teller can help to figure out. By clicking the big blue button on the front page you create a pair of unique URLs, a trap and a monitor. The monitor URL leads to a page showing a live-updating list of who’s visited the trap URL. Copy and paste the trap to your E2EE messenger of choice and follow the monitor to see who’s calling back.

Demoing URI:teller with bitly. Yeah, bitly’s a URL shortener and not an E2EE messenger. Sorry. As a result our animated GIF department has been fired.
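The trap and monitor pair described above can be modelled in a few lines of Node.js. This is an added example, not URI:teller's own code: the host `tracker.example`, the `/t/` and `/m/` paths, the function names and the sample visits are all assumptions made for illustration.

```javascript
// Added example: in-memory model of a trap/monitor URL pair (not URI:teller's code).
const crypto = require("node:crypto");

const BASE = "https://tracker.example"; // placeholder host (assumption)
const monitorByTrap = new Map();   // trap id -> monitor id
const visitsByMonitor = new Map(); // monitor id -> recorded visits

// The two ids are independent random values, so whoever sees the trap URL
// (the chat app, a preview service) cannot derive the monitor URL from it.
const newId = () => crypto.randomBytes(16).toString("base64url");

function createPair() {
  const trap = newId();
  const monitor = newId();
  monitorByTrap.set(trap, monitor);
  visitsByMonitor.set(monitor, []);
  return { trapUrl: `${BASE}/t/${trap}`, monitorUrl: `${BASE}/m/${monitor}` };
}

// Call for every incoming request; only hits on a known trap path are logged.
function recordVisit(path, remoteAddress, headers, now = new Date()) {
  const m = /^\/t\/([\w-]+)$/.exec(path);
  const monitor = m && monitorByTrap.get(m[1]);
  if (!monitor) return false;
  visitsByMonitor.get(monitor).push({
    time: now.toISOString(),
    ip: remoteAddress,
    // Header content is attacker-controlled: coerce and cap it before storing.
    userAgent: String(headers["user-agent"] || "").slice(0, 200),
  });
  return true;
}

// Only the monitor path can read the log; the trap path reveals nothing.
function visitsFor(path) {
  const m = /^\/m\/([\w-]+)$/.exec(path);
  return (m && visitsByMonitor.get(m[1])) || null;
}

// Constructed sample: one automated fetch, then the recipient opening the link.
function demo() {
  const pair = createPair();
  const trapPath = new URL(pair.trapUrl).pathname;
  recordVisit(trapPath, "203.0.113.7", { "user-agent": "ExamplePreviewBot/1.0" });
  recordVisit(trapPath, "198.51.100.20", { "user-agent": "Mozilla/5.0 (constructed)" });
  return { pair, visits: visitsFor(new URL(pair.monitorUrl).pathname) };
}
console.log(demo().visits);
```

When reading such a log, a hit whose address belongs to neither chat participant indicates that something other than the two endpoints fetched the link.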

Pick Your Battles

Thus far our main focus has been on instant messaging. It’s a huge part of our daily lives as JavaScript-writing, latte-sipping digital monad nomads who are just totally with it.

There are other delicious uses for URI:teller. Some URL shorteners follow passed links, as do social media sites. How enterprise messengers such as Skype or Cisco deal with links is also worth looking into — there’s some historical precedent there. Oh, and don’t forget DLP, another fan favorite in enterprise contexts.

Still, secure messaging is a topical target for scrutiny. E2EE communication is getting attention in the mainstream. Just now, while writing this blog post, Time featured Signal in their list of 50 best apps of the year. Electronic Frontier Foundation is also about to redo their secure messaging scorecard. Amnesty International recently came out with an article scoring chat apps based on their privacy… ness.

URI:teller presents one angle for such evaluation. Someone who needs to pick or recommend a messaging option can use the service to make a slightly more educated choice.

A Plea for Help

Now we need help. We have checked the apps we are personally interested in, and are ready to move on to new adventures. These artisanal lattes don’t pay for themselves! But the fact of the matter is that the world is full of systems which URI:teller could be applied to.

We ask of you, brave net warriors, go forth and pit URI:teller against the multitude of chat apps, enterprise messaging platforms, DLPs, you name it. If you find anything interesting do tell us and the world about it — tweets with the hashtag #uriteller are a great avenue for that. You have no obligation to inform us, though.

Another way to contribute is to take a gander at the repository at https://github.com/HowNetWorks/uriteller. The service is developed in the open and the code is MIT licensed. Learn from our mistakes, maybe even fix them! Our aim has also been to make it relatively simple to spin up your own URI:teller instance. Who knows, maybe someone will run with this idea and take it even further.
