[nycbug-talk] The Security Implications of URL Shortening Services

maddaemon at gmail.com maddaemon at gmail.com
Wed Apr 8 17:22:19 EDT 2009


On Sat, Apr 4, 2009 at 2:33 PM, Hans Zaunere <lists at zaunere.com> wrote:
>> http://unweary.com/2009/04/the-security-implications-of-url-shortening-
>> services.html
>
> To prevent wrap for future thread followers, here we go:
>
> http://tinyurl.com/dxk943
>
>> I post this because some people on this list (*ahem* George) love
>> tinyurl. I never understood why there's so much love for these
>> services. They introduce latency, obfuscate the target, and add a
>> layer of dependency: tinyurl, believe it or not, may go down!
>>
>> Thoughts?
>
> unweary needed something to post about.
>
> I especially love the conclusion:
>
> "A hacker or spammer is empowered by using a "benign" URL shortening service
> that everyone uses and everyone trusts"
>
> If that's an advantage that hackers/spammers have then I'll sleep easier
> tonight.  And by that measure, it's also an advantage most search engines -
> like Google - have every time you click a search result.
>
> The fact is a destination URL is dangerous - if we want to continue the
> paranoia - whether you know the domain, path, etc. ahead of time or not.
>
> Perhaps a new service would convert the above link to:
>
> tiny.com/er32-unweary.com
>
> So at least the domain is visible.  But then again, that's not really safety
> either.
>
> H
>

Or you can use the preview feature, so you wind up with something like this:

http://preview.tinyurl.com/dxk943

-- 

<insert witty random quote here>
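The preview rewrite suggested in the reply above, sketched as a filter over a message body. This is an added example, not part of the original post or any tinyurl tooling. The function names and the www. host variant are assumptions, and the sample body is constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Only tinyurl.com appears in the thread; the www. variant is an assumption.
SHORT_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
PREVIEW_HOST = "preview.tinyurl.com"  # host form quoted in the reply above

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING = ".,;:!?)]}"  # punctuation that usually belongs to the sentence


def to_preview(url: str) -> str:
    """Return the preview form of a tinyurl link, or the URL unchanged."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return url
    host = (parts.hostname or "").lower()
    # Exact host match only: lookalikes such as tinyurl.com.example.net
    # or tinyurl.com@example.net are left alone, as is the bare front page.
    if host not in SHORT_HOSTS or parts.path in ("", "/"):
        return url
    if parts.netloc.lower() != host:  # userinfo or port present
        return url
    return urlunsplit((parts.scheme, PREVIEW_HOST, parts.path,
                       parts.query, parts.fragment))


def rewrite_body(text: str) -> str:
    """Rewrite every tinyurl link in a message body to its preview form."""
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        url = raw.rstrip(TRAILING)  # keep sentence punctuation out of the URL
        return to_preview(url) + raw[len(url):]
    return URL_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample body; the short link is the one from the thread.
    sample = ("See http://tinyurl.com/dxk943, or the original at "
              "http://unweary.com/2009/04/ (already previewed: "
              "http://preview.tinyurl.com/dxk943).")
    print(rewrite_body(sample))
```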


