Sunday, June 15, 2008

URL Truncation

I know that this topic has been discussed ad nauseam in the past, but I believe the more risks are discussed the better. So I humbly present some dead-horse beating for your reading pleasure.

I have been spending a bit of time on Twitter lately and have noticed that, to save space (you are limited to 140-character messages), people use services such as TinyURL that take a long URL and hand back a very short one (22 characters or so) which simply redirects to the original. The benefits are obvious, since some links can be rather lengthy and would eat up any message you wanted to add to the tweet. I myself have used it many times to send out links to blog posts, news, downloads, etc.

The problem is that the "clicker" has no way of knowing that they are going to end up at the site they think they will: the short link reveals nothing about its destination until the redirect has already happened. So when I click on http://tinyurl.com/18r I may be going to about:blank, or I may be going to a site hosting malicious JavaScript that exposes me to cross-site scripting, cross-site request forgery and the like. Unfortunately I don't see a fix for the problem, since URL shortening is a very handy and sometimes necessary tool for communicating effectively.

My defense? I run Firefox loaded with the NoScript, SafeHistory and SafeCache extensions, and I only click on short URLs from people I know and trust. So ultimately we are back to following the same advice security folks have been doling out since the '90s... The more things change, the more they stay the same.

P.S. - I will be tweeting this post via TinyURL... oh the irony! :)
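Since the post's complaint is that a short link hides its destination until you have already followed it, here is a small script, added as an example and not part of the original post, that reveals where a short URL leads without ever requesting the destination. It sends a HEAD request to the shortener only, reads the Location header, and keeps doing so only while the next hop is still a host it recognises as a shortener; the moment the chain leaves that set it stops and reports the target untouched. The shortener host list is an assumption (tinyurl.com comes from the post; extend it for whatever services you meet), and the responses in CONSTRUCTED_RESPONSES are made up so the example runs offline; they are not real TinyURL links.

```python
"""Reveal where a short URL leads without visiting the destination.

Only hosts in KNOWN_SHORTENERS are ever contacted, and only with HEAD
requests; the final site is never requested, so nothing it serves can run.
"""
import sys
from http.client import HTTPConnection, HTTPSConnection
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Hosts we are willing to send a HEAD to. This set is an assumption: tinyurl.com
# is the service named in the post; add the others you encounter.
KNOWN_SHORTENERS: Set[str] = {"tinyurl.com", "www.tinyurl.com"}

Fetcher = Callable[[str], Tuple[int, Optional[str]]]
Hop = Tuple[str, int, Optional[str]]  # (url requested, status, Location header)


def head_without_redirect(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One HEAD request; returns (status, Location). http.client never follows
    redirects on its own, so the only host contacted is the one in `url`."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing non-http(s) URL: {url!r}")
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "short-url-expander"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_short_url(url: str, fetcher: Fetcher = head_without_redirect,
                     max_hops: int = 5,
                     shorteners: Set[str] = KNOWN_SHORTENERS) -> Tuple[str, List[Hop]]:
    """Follow Location headers hop by hop while the current host is a known
    shortener. Returns (destination, hops). The destination is never requested:
    as soon as the chain points outside the shortener set we stop and report it."""
    hops: List[Hop] = []
    seen: Set[str] = set()
    current = url
    while len(hops) < max_hops:
        parts = urlsplit(current)
        if parts.scheme not in ("http", "https"):
            # e.g. javascript: or data: in a Location header; never hand that to a browser
            raise ValueError(f"redirect to non-http(s) URL: {current!r}")
        if (parts.hostname or "") not in shorteners:
            return current, hops  # left the shortener: this is the real target, uncontacted
        if current in seen:
            raise RuntimeError(f"redirect loop at {current}")
        seen.add(current)
        status, location = fetcher(current)
        hops.append((current, status, location))
        if status not in REDIRECT_STATUSES or not location:
            return current, hops  # shortener answered directly (preview page, dead link, error)
        current = urljoin(current, location)  # Location may be relative
    raise RuntimeError(f"gave up after {max_hops} hops")


# Constructed responses standing in for the network so the example runs offline.
# The short codes and destination are invented, not real TinyURL links.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://tinyurl.com/demo1": (301, "/demo2"),  # relative Location header
    "http://tinyurl.com/demo2": (302, "http://www.example.com/blog/2008/06/a/very/long/path?utm=twitter"),
    "http://tinyurl.com/loop-a": (301, "http://tinyurl.com/loop-b"),
    "http://tinyurl.com/loop-b": (301, "http://tinyurl.com/loop-a"),
    "http://tinyurl.com/gone": (404, None),
    "http://tinyurl.com/js": (302, "javascript:alert(document.cookie)"),
}


def constructed_fetcher(url: str) -> Tuple[int, Optional[str]]:
    if url not in CONSTRUCTED_RESPONSES:
        raise AssertionError(f"example tried to contact an unexpected URL: {url}")
    return CONSTRUCTED_RESPONSES[url]


def expand_offline(url: str) -> Tuple[str, List[Hop]]:
    """expand_short_url driven by the constructed responses instead of the network."""
    return expand_short_url(url, fetcher=constructed_fetcher)


if __name__ == "__main__":
    # Real use: python expand.py http://tinyurl.com/xxxx
    target, chain = expand_short_url(sys.argv[1])
    for requested, status, location in chain:
        print(f"{requested} -> {status} {location or ''}")
    if chain and chain[-1][0] == target:
        print(f"shortener answered {chain[-1][1]} with no redirect; nothing to expand")
    else:
        print("destination (not contacted):", target)
```

The point of the shortener allow-list is that a shortener can hand off to another shortener, so following a single hop is not enough, but following until the response stops redirecting would mean requesting the final site, which is exactly what we are trying to avoid. Stopping when the host is unknown costs nothing when the list is incomplete: an unrecognised intermediary is simply reported as the destination, and you can add it to the set. Note also that even a HEAD to the shortener tells it (and anyone watching) that you looked, and that the expanded target is only as trustworthy as your judgement of it; the script gives you the information the short link was hiding, no more.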

5 comments:

Anonymous said...

TinyURL can be configured via a cookie to show you the link before going there.

I'm sure there's some residual risk there, but it's an improvement. Before I knew about this, I never followed TinyURL links except under rare circumstances.

djglass@gmail.com said...

That may be true, but how many links do you see that use the preview option? At least on Twitter the majority of shortened URLs are straight redirection links.

The fact that you read a security blog (thank you btw :) ) indicates you are more knowledgeable than the average Internet user that will click on just about anything that is blue and underlined.

Perhaps the preview option should be the default for URL truncation. I'd be interested to know what you think.

Anonymous said...

I'm pretty sure that the option is global for all of tinyurl.com. Hmmm ...

It's called Preview and can be found at http://tinyurl.com/preview.php

I read many security blogs :)

Security Bloggers Network is your friend.

djglass@gmail.com said...

What I meant by default behavior is that you would have to "opt out" of the preview option. Most users (including those on SBN who use Twitter) don't utilize preview. That leaves us with one of three options.
1) Don't click on the link. Now that's no fun!
2) Copy the link, paste it into the address bar, then manually add the preview modifier. PITA.
3) Have trust in your fellow humans, close your eyes, and click the link.

Unknown said...

Just use http://307.to/ when you need a tiny URL...
There you have some more features and it's very secure! =)

[]s