William
Newcomer I

Member magazine: usage of 3rd party url shorteners

Hi,

 

I noticed while reading the last member magazine Infosecurity Professional (2020, March/April) that a lot of links are presented like:

* http://bit.ly/2TODOfK (article about security.txt)
* https://bit.ly/2u6k38L (article about first line of defense (humans))

 

While it might be tempting to use these kinds of URLs, it's strange to actually use them in an Infosecurity Magazine.

 

I'd like to share my opinion about this and am interested to see what's yours.

 

Since not all of these links actually are links (but text) and one needs to type them over, making just the slightest mistake (a capital, or reading a letter I as l (good luck, it's i vs L :)) will lead you to a potential page with malware/phishing/content you are not interested in.

 

I think some of the URL-shortener risks might include:


1) The readers won't actually get to see the final url, as this is hidden, so the reader can’t check if it’s ok. And I consider that a bad thing.


Just think, which would you rather click:
A) https://www.isc2.org/info/ or
B) http://bit.ly/isc2info

 

2) The readers might get errors when they actually click the shortened URL.


See for instance Securi Blog or Photo on twitter for examples of errors that might occur.

 

At this current moment bit.ly is marked by Google Safe Browsing.

 

Most probably there is no (paid) contract with the shortener, or one that does not guarantee the integrity or availability of the service. The links won’t work if their server is down. In addition, that link might just have changed due to bugs at the shortening service if that’s not guaranteed by them.

 

And in the example of bit.ly, that service isn't available on IPv6-only networks.

 

3) If you recently received a phishing e-mail, it will probably link to a URL-shortening service. So it might be good for the humans doing 'first line of defense' to actually learn not to click these shortened (non-company domain) links.

 

4) Interesting bonus: The statistics are open to everybody that has an account and wants to see them, as many URL shorteners allow a 'plus' (+) or (.info) suffix to give everybody access to the statistics.

 

5) Funny fact, the first link was even over http. And bit.ly isn't DNSSEC signed. 

 

This might leave you thinking: why are there so many URL shorteners?
In the past Twitter actually counted URL length. They however stopped doing that years ago.
On Twitter Support you will now read that "A URL of any length will be altered to 23 characters (...)". Not a character more, even if the link is very long.

 

But why does Infosecurity Pro. use it in a PDF? No clue; creating a link would be more convenient than actually typing a short URL.

 

So, that's my opinion. I'm interested to see how the rest of the ISC2 community thinks about this.

3 Replies
denbesten
Community Champion

Bitly does seem to be an editorial decision, seeing as it first appeared in Mar/Apr and is widely spread throughout.

 

I'm not a big fan of any technology that hides the intended action from the user, such as "randomized" URL shorteners.  Lots of companies have branded permalink systems that probably would fit the bill better for ISP Magazine, including bit.ly. This would allow them to for example use https://go.isc2.org/ISP-Mar2020-2901.  For the cost of only a dozen more characters, it inspires confidence that:

  1. It is an (ISC)²-approved link.
  2. It is intended for the March 2020 issue of ISP magazine.
  3. It is the first link on page 29.

I do note that the CISSP forum also uses 3rd party shorteners in its messages.  The excuse there is that the environment is fundamentally text-only and word-wrap tends to break long URLs.  Even then, I do not follow URLs that have been obfuscated.  Perhaps it is my loss, but it is also my risk decision.

 

CraginS
Defender I

I don't know about bit.ly (which I think first began appearing as a Twitter aid) but the granddaddy of shorteners, TinyURL, provides both a direct link and a preview version to allow inspection of the target URL.

 

Compare 

https://tinyurl.com/y7s7s24h 

and

https://preview.tinyurl.com/y7s7s24h

 

Also, notice the format; you can turn any standard TinyURL into a preview version manually.

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
William
Newcomer I

That 'preview' option is a really nice service by TinyURL. Though I noticed you need to load almost every advertising network that exists on the page, and most of the concerns are still valid.

Bit.ly hasn't got that feature, only the + to see the URL (and the stats).

Still, for the magazine: having a company-owned shortener (if the URL really needs to be seen as text) as suggested by denbesten for this purpose seems a better idea. Might even just use that feature, without loading facebook, google, amazon, yahoo, etc. 🙂
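Added example, not code from any of the posts above: a small Python checker that does what William's point 1/5 and Craig's preview suggestion describe by hand. It walks a shortened link's redirects one hop at a time (so the final destination is visible before anyone clicks), flags plain-http hops and a final host outside a trusted domain list, and rewrites a TinyURL into its preview form. The injected fetcher, the trusted-domain set and the sample responses are constructed assumptions so the script runs offline.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlparse

# A fetcher returns (status, Location header or None) for one URL and must
# NOT follow redirects itself; wire it to urllib/requests with redirects
# disabled in real use. It is injected here so the example runs offline.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

def tinyurl_preview(url: str) -> str:
    """Rewrite a tinyurl.com link into its preview.tinyurl.com form."""
    parts = urlparse(url)
    if parts.hostname != "tinyurl.com":
        raise ValueError("not a tinyurl.com link")
    return parts._replace(scheme="https", netloc="preview." + parts.netloc).geturl()

def expand(url: str, fetch: Fetcher, trusted: Set[str], max_hops: int = 5) -> Dict[str, object]:
    """Walk the redirect chain one hop at a time and collect warnings."""
    chain: List[str] = [url]
    warnings: List[str] = []
    seen: Set[str] = set()
    while len(chain) <= max_hops:
        current = chain[-1]
        if urlparse(current).scheme != "https":
            warnings.append("plain http hop: " + current)  # readable/modifiable in transit
        if current in seen:
            warnings.append("redirect loop at " + current)
            break
        seen.add(current)
        status, location = fetch(current)
        if not (300 <= status < 400) or location is None:
            break  # landed on a real page (or an error), stop walking
        chain.append(urljoin(current, location))
    else:
        warnings.append("gave up after %d hops" % max_hops)
    final_host = urlparse(chain[-1]).hostname or ""
    if not any(final_host == t or final_host.endswith("." + t) for t in trusted):
        warnings.append("final host %s is not a trusted domain" % final_host)
    return {"chain": chain, "final": chain[-1], "warnings": warnings}

# Constructed sample responses (not real bit.ly data): a plain-http short
# link that upgrades to https and then lands on an unrelated site.
SAMPLE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://bit.ly/xxxxxxx": (301, "https://bit.ly/xxxxxxx"),
    "https://bit.ly/xxxxxxx": (301, "https://example.org/security-txt"),
    "https://example.org/security-txt": (200, None),
}

def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SAMPLE_RESPONSES.get(url, (404, None))
```

Running `expand("http://bit.ly/xxxxxxx", sample_fetch, {"isc2.org"})` returns the three-hop chain plus two warnings (plain http hop, untrusted final host), while a branded link such as denbesten's go.isc2.org example that lands on www.isc2.org produces none.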