alt Hacker NewsWhy has Signal even enabled caching for those URLs? The most common case is going to be that the attachment is downloaded once, and that's it.
I would even expect that Signal wouldn't allow you to download it more than once, and would immediately delete it after the first successful download. Well, ok, maybe the client fails mid-way through, so allow some grace period for a re-download. But I can't imagine that would be the common case either, and so disabling caching on their CDN would fix this issue, and hopefully not increase their costs much.
At any rate, "deanonymization" is a bit clickbaity here. Narrowing someone's location to within 250 miles or so isn't great, but it doesn't deanonymize them.
Edit: I didn't think about the case where an attachment is sent to a group chat, where multiple people will be downloading it. But in that case wouldn't the attachment be encrypted individually for each person in the group? I'm not sure how this works, of course.
Replies
Group chats and multi-device users maybe
Signal's default setup is more usability focused while supporting E2E, and less about tinfoil hat threat models about being present on a continent you're a citizen of.
The items you mentioned can essentially be configured, for those that want the insane level of privacy / security. Messages can be auto-deleted 30 seconds after being seen, a proxy can be configured to route all your traffic through it, and tons of other things can be done to customize it more to the user's liking.
I'd imagine they're caching it because of egress costs. File attachments, voice mail, video, etc. can all add up.