What is the benefit of caching images in a CDN for Signal?
Assuming local client-side caching, the total number of requests for that resource should be very small, probably one in the vast majority of cases.
On an unrelated note, it seems like CloudFront could very easily fix this by not returning the cf-ray header, or at least having an option for the customer to remove it. Although, it might still be possible to get that information based on timing information...
It isn't caching, it's CDNing. It is just an artefact of CDNs that they act as caches for the original content, and for improved distribution response time they cache to the nearest server from the response. ('Nearest' being an approximate heuristic, it is a property of the anycast route tables in the BGP routers the request passes through; it is actually a 'best route'.)
> it seems like CloudFront could very easily fix this by not returning the cf-ray header
Then you just look at the response time. If the resource needs to be fetched from another continent, this is probably reliably measurable.
Same for websites trying to hide which users exist: do a login request for an existing username and it'll do the password hashing (usually adds at least 50 ms to the response time), whereas for an invalid username it early exits. The fix is to always run the same code, so always do the hashing, which very few sites do. (Or not care about revealing this and telling people straight out that their username is unknown, if that fits with your threat model.) So to get back to Cloudflare's case: it won't help unless they delay responses, which is the opposite of what they're supposed to do.
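The username-enumeration timing oracle and its fix from the comment above, as an added example that is not part of the thread: a login check that early-exits on unknown usernames next to one that always runs the password hash against a dummy record. The user table, the PBKDF2 parameters and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed KDF settings for the example: expensive enough that the early-exit
# path and the always-hash path differ measurably.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_table(users: dict) -> dict:
    # Constructed sample table: username -> (salt, stored hash)
    return {name: (salt, hash_password(pw, salt))
            for name, pw in users.items()
            for salt in (os.urandom(16),)}


USERS = make_user_table({"alice": "correct horse", "bob": "battery staple"})

# Dummy record used only to keep the work constant for unknown usernames.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(secrets.token_hex(16), DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    # Early exit: an unknown username returns in microseconds, a known one
    # only after a full KDF run, so response time reveals which users exist.
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_constant_work(username: str, password: str) -> bool:
    # Always run the same code: hash against the dummy record when the user
    # is unknown, so both paths pay the KDF cost. compare_digest also avoids
    # a byte-by-byte early exit in the comparison itself.
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return matched and username in USERS


def time_call(fn, *args) -> float:
    # Wall-clock seconds for one call; what a remote observer would measure.
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start
```

Comparing `time_call(login_leaky, "nobody", "x")` with `time_call(login_leaky, "alice", "x")` shows the gap; the constant-work variant makes the unknown-user path as slow as the known-user one.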
I don't believe the Signal app/network is choosing to cache images in a CDN?
But any user can send any other user a message that includes a link to a CDN-cached resource. Isn't that the "attack" here? Or am I misunderstanding?
Yes, Cloudflare should allow customers to disable that header, and Signal shouldn't cache images sent to a single person, or even groups of less than a few hundred people.
Signal claims to be a private, not anonymous, chat application.
Their defaults are set so they can get mass market adoption, whilst being a big step up in privacy compared to the usual players in the space (like WhatsApp and Telegram). You simply won't be able to get the average user on apps that make use more complicated, and apps like SimpleX do exactly that.
If you want Signal to be more secure, you can circumvent this attack vector by disabling auto downloads for media.
I'm not saying Signal is perfect; there has been a bunch to criticize over the years.
But why argue about use cases they never claimed to solve?