Question: Can one sniff which page is called?

[ovalseven8]

Just a short question:
When I want to write a message to Alice, I have to open the page https://web.threema.ch/#/messenger/conversation/contact/THREEMA_ID_OF_ALICE.

Can people in the network see that I loaded that page? So they would know with which Threema IDs I communicate.

Question because for normal websites one can sniff which websites I visit even if I use HTTPS.
Did a short test and I couldn't sniff it for the Threema app, but I am not sure if I did everything correctly.
Can Threema see it?

[rugk]

The URL you see in the browser bar is never sent over the network. Of course Threema IDs and more are submitted e2e-encrypted via SaltyRTC/WebRTC from your phone to your browser - that's how the system works.
Additionally the web client (or the server where the web client is running on) uses different techniques (referrer policy e.g.) to prevent that this URL is sent as a referrer when you click on a link.
I've also created a PR for better support of this policy: #49

One might only sniff the URL when one can access your local browser history (or when this history is uploaded somewhere with a sync service or nasty browser add-ons (link to a German article)).

[dbrgn]

Question because for normal websites one can sniff which websites I visit even if I use HTTPS.

That should not be the case. With TLS, the URL should be encrypted, only the host and port should be visible.

As @rugk wrote, everything after the hash symbol (#) is never sent through the network. All data transmitted is end-to-end encrypted with SaltyRTC and sent through the WebRTC data channel.

You can find some more technical details in the whitepaper: https://threema.ch/en/blog/posts/threema-web-whitepaper

[ovalseven8]

Thanks for your explanations! :)