Thursday, July 29, 2010

not all URL shorteners are created equal

... and some are considerably less equal than others.

one of the most fundamental problems with URL shorteners in general is that they obfuscate the final destination. when you follow one of these shortened URLs you're often putting your online safety at risk because you literally can't see where you're going.

some URL shortening services try to mitigate this problem. tinyurl.com, for example, allows anyone to add the preview subdomain to a shortened url (ex. tinyurl.com/whatever -> preview.tinyurl.com/whatever) in order to change the behaviour of the shortened URL so that instead of taking you directly to a potentially suspect site it will take you to a safe page on tinyurl.com's own site that displays the URL of your final destination so that you can examine it and make an informed decision about whether you want to continue. it's a nice feature, but it's hidden - only people familiar with tinyurl.com know about it and would have the know-how to use it.

other services like bit.ly forgo letting the user decide on safety and actually filter bad URLs themselves, so as to protect the user even when s/he doesn't care or know how to protect themselves. this is also a nice feature but there are limits to the effectiveness of filtering badness (as readers of this blog surely are aware).

yesterday, however, i encountered one of the worst URL shortening behaviours i've encountered in quite some time. the th8.us URL shortening service, instead of redirecting you to the original URL like most URL shorteners do, shows the contents of the original URL in a frame underneath some google ads (at least that's how it appeared in iron - a privacy enhanced derivative of google's chrome that i used in a sandbox after seeing some rather strange behaviour in firefox). this means that normally you can never see where you're going, even after you've gotten there. it gets worse, though.

if you're like me and normally use firefox with noscript, what you'll likely see when trying to visit a th8.us shortened URL is a blank page with a noscript icon on it indicating that you have to add the site to your whitelist in order to see any of the content. what that means is that not only can you not see where you're going, you have to lower your defenses in order to get there without knowing where there is. it gets even worse than this, however. while you do need to add th8.us to your whitelist, you also have to add the site with the actual content (so technically noscript is giving you at least some idea of where you're going) even though that site wouldn't require whitelisting if you go there directly. this essentially amounts to forcing an unnecessary privilege escalation for a site that would have normally been usable and (more importantly) examinable without it. a privilege escalation, moreover, before you have any information with which to judge the safety of the page or evaluate whether whitelisting is truly required for your purposes.

this is pretty horrendous behaviour from a security perspective (ironic, then, that it was a representative of a security software company i found using it) and i hope that people can see fit to steer clear of services like this and that th8.us can find some way to improve the security footprint of their service. while they do actually have a preview feature similar to tinyurl.com's, it suffers from the same drawback of being hidden functionality that only people familiar with the service would know about (and i dare say that there are far fewer people familiar with th8.us than with tinyurl.com).

2 comments:

Richard X. Thripp, Creator of Th8.us said...

If a user has JavaScript disabled, the shortened URL will still display fine but the AdSense iFrame will just show the "Hide this" link (which goes to the actual URL) without ads. There may be an issue with the Noscript add-on you are using.

Th8.us gets a lot of spam and has just hit 21 million URLs. It's expensive to run, and those ads pay for it. Most URL shorteners lose money, but mine doesn't, which means it will be around for a long time. Just look at all the URL shorteners that have gone offline due to money woes or "abuse": tr.im, urlb.at, idek.net, lin.cr... the list goes on and on.

kurt wismer said...

@richard x. thripp creator of th8.us:
"If a user has JavaScript disabled, the shortened URL will still display fine but the AdSense iFrame will just show the "Hide this" link"

clearly you are not a user of noscript. it does a heck of a lot more to enhance security than simply disable javascript. it blocks frames and iframes (and a host of other things) as well, due to the security ramifications of those features. the behaviour you describe for disabled javascript is a non-sequitur.

i can appreciate that you need to find a way to pay for the service you provide, but your reliance on technologies heavily abused by online criminals in order to show ads (which are themselves well known vectors for online criminals) makes your service a security nightmare.

i'm sorry to have to be the bearer of this bad news, especially since i don't have any solutions for you, but your business model endangers your users.