[personal profile] kpreid

I've several times seen the complaint that URL shortening services (tinyurl.com, bit.ly, etc etc) eliminate the ability to see where you're going by viewing the “real” URL and that this is dangerous.

In my opinion, if it is unsafe (except in the “seeing something you'd rather not” sense) to not know what the destination site is, then there's something wrong with the system. After all, you visit unknown sites all the time whenever you're learning about some new-to-you topic; it shouldn't be necessary to trust them.

The info visible from the URL is useful as a time-saving hint — “oh, that info is being presented as a video on YouTube — I don't have time to watch that now” or “I've seen that already” or “that site requires an account to do anything useful with”, but if it's necessary to check it, then something needs fixing. I'm not saying you need fixing — it might be “the design/defaults of current web browsers” (e.g. that any web page is permitted to play sound by default) or “such-and-such protocol or plugin” — but something needs fixing.

That said, I don't actually approve of URL shorteners — because they do remove that helpful hint, and they create opportunities for links to break in the future.

(no subject)

Date: 2010-05-06 20:38 (UTC)
From: [identity profile] juan-gandhi.livejournal.com
+1
You've expressed my vague thoughts on it.

(no subject)

Date: 2010-05-06 22:02 (UTC)
From: [personal profile] seawasp
The "unsafe" part comes from a link that you THINK leads to something harmless, and actually is part of a malware trap.

(no subject)

Date: 2010-05-06 22:41 (UTC)
From: [identity profile] kpreid.livejournal.com
That falls under “there's something wrong with the system”. The web browser and operating system should be designed with defense-in-depth such that there are multiple layers that would have to be broken to get malware installed on your system.

Right now, that just isn't the case — any little glitch instantly becomes “code execution as YOU” and you lose. (Google Chrome's sandboxed tabs are a step in the right direction, but not nearly complete enough or built on the right foundations.) This must be fixed if we're ever to have reliable software.

(no subject)

Date: 2010-05-06 23:03 (UTC)
From: [personal profile] seawasp
I suppose, but in this case that's not really a very useful observation. Yes, technically the problem CAN be seen as "your software isn't protecting you adequately", but as software isn't designed by a single entity or even small group of entities, and the OSes they work on aren't designed for optimal security, etc., it's a huge undertaking to even ATTEMPT to change that level of the design, while simply not shortening URLS while removing the underlying address would solve the problem without requiring a major industry-wide change.

Me, I don't click on links I don't know.

(no subject)

Date: 2010-05-06 23:44 (UTC)
From: [identity profile] kpreid.livejournal.com
> software isn't designed by a single entity or even small group of entities, and the OSes they work on aren't designed for optimal security, etc.
This is not an excuse, except perhaps for the OS part. Even a crappy HTML renderer shouldn't be able to install software — but it can, because if it is tricked into executing some input data as code then that process can do anything “you” can. Even a crappy web browser shouldn't be able to affect other software or documents on your computer — but it can, because it can write to any file “you” can. We (http://www.youtube.com/watch?v=eL5o4PFuxTY) can (http://en.wikipedia.org/wiki/Capability-based_security) fix (http://www.erights.org/) this (http://code.google.com/p/google-caja/).

> while simply not shortening URLS while removing the underlying address would solve the problem without requiring a major industry-wide change.
This doesn't solve the problem because you can't know the safety of every URL you might want to visit. And if you're using an automated database of dangerous sites, well, your browser can check the URL the shortening service redirects you to.
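
The check described in the comment above (resolve where the shortener redirects, then consult the list of dangerous sites), as an added example that is not part of the original comment: it walks the redirect chain one hop at a time and tests every hop's host against a blocklist. `MAX_HOPS`, the blocklist contents and the `.example` hosts are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: give up on longer redirect chains
REDIRECTS = (301, 302, 303, 307, 308)

def head_location(url):
    """One HEAD request, redirects NOT followed: returns (status, Location)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=5)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def is_blocked(url, blocklist):
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)

def check_short_url(url, blocklist, fetch=head_location):
    """Return (verdict, chain); verdict is 'allow', 'block' or 'unresolved'."""
    chain = []
    while len(chain) <= MAX_HOPS:
        if url in chain or urlsplit(url).scheme not in ("http", "https"):
            return "unresolved", chain + [url]  # redirect loop or non-web scheme
        chain.append(url)
        if is_blocked(url, blocklist):  # every hop is checked, not only the last
            return "block", chain
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return "allow", chain  # reached the destination, nothing listed
        url = urljoin(url, location)  # Location may be relative
    return "unresolved", chain  # too many hops

# Constructed redirect table standing in for the network (not real sites).
SAMPLE = {
    "http://short.example/abc": (301, "http://hop.example/r?id=1"),
    "http://hop.example/r?id=1": (302, "/landing"),
    "http://short.example/bad": (301, "http://login.badsite.example/x"),
    "http://short.example/loop": (302, "http://short.example/loop"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))

if __name__ == "__main__":
    for u in ("abc", "bad", "loop"):
        print(check_short_url("http://short.example/" + u, {"badsite.example"}, sample_fetch))
```

An "unresolved" verdict is kept separate from "allow" so that a loop or an over-long chain is never treated as a clean destination.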

(no subject)

Date: 2010-05-07 03:08 (UTC)
From: (Anonymous)
Don't overlook the privacy-tracking bits that don't depend on malware as such... just a cookie here, a cookie there, pretty soon you're talking real web usage profiling!

(no subject)

Date: 2010-05-07 10:59 (UTC)
From: [identity profile] atheorist.livejournal.com
We apparently are striving for defence-in-depth against actual computer-to-computer attacks (the boundaries of the flash or javascript virtual machines, the process-to-process boundaries around the browser, and then privilege escalation to root).

We don't really have defense-in-depth against phishing attacks (that is, attacks that target the human vulnerabilities), and the domain name is one of the most important of the barriers that we have. Doctorow's story is an example. http://www.boingboing.net/2010/05/05/how-i-got-phished.html

The ability to mouse over the link (or in twitter, reading the text of the link) before clicking is one more opportunity to get suspicious. This opportunity matters - phishers use url shorteners because it increases their yield.

As writers, we should establish a norm and aesthetic that prefers a real domain name (and a shorter message, in twitter) to (a longer message and) a shortened URL. As readers, we should consider a shortened url somewhat shady (http://www.shadyurl.com), like this (http://5z8.info/startdownload_p5z8u_uniqueinvestmentopportunity).