I noticed while reading the last member magazine Infosecurity Professional (2020, March/April) that a lot of links are presented like:
* http://bit.ly/2TODOfK (article about security.txt)
* https://bit.ly/2u6k38L (article about first line of defense (humans).
While it might be tempting to use these kind of URLs it's strange to actually use them in an Infosecurity Magazine.
I'd like to share my opinion about this and am interested to see what's yours.
Since not all of these links actually are links (but text) and one needs to type them over, making just the slightest mistake (capital, or reading a letter I as l (good luck, it's i vs L :)) will lead you to a potential page with malware/phishing/content you are not interested in.
I think some of the url-shortner risks might include:
1) The readers won't actually get to see the final url, as this is hidden, so the reader can’t check if it’s ok. And I consider that a bad thing.
2) The readers might get errors when they actually click the shorted url.
At this current moment bit.ly is marked by Google Safebrowsing .
Most probably there is no (payed) contract with the shortner, or one that does not guarantee the intergrity or availability of the service. The links won’t work if their server is down. In addition, that link might just have changed due to bugs at the shortening service if that’s not guaranteed by them.
And in the example of bit.ly, that service isn't available on IPv6-only networks.
3) If you recently received a phishing e-mail, it will probably link to a url-shorting service. So it might be good for the humans doing 'first line of defense' to actually learn not click these shorted (on non-company domain) links.
4) Interesting bonus: The statistics are open to everybody that has an account and wants to see them, as many url shortners allow a surplused 'plus' (+) or (.info) behind to give everybody access to the statistics.
5) Funny fact, the first link was even over http. And bit.ly isn't DNSSEC signed.
This might leave you thinking: why are there so many url-shortners?
In the past Twitter actually counted URL length. They however stoped doing that years ago.
On Twitter Support you will now read that "A URL of any length will be altered to 23 characters (...)". Not a character more, even if the link is very long.
But why Infosecurity Pro. uses it in a PDF? No clue, creating a link would be more convenient than actually typing a short url.
So, that's my opinion. I'm interested to see how the rest of the ISC2 community thinks about this.
Bitly does seem to be an editorial decision, seeing as it first appeared in Mar/Apr and is widely spread throughout.
I'm not a big fan of any technology that hides the intended action from the user, such as "randomized" URL shorteners. Lots of companies have branded permalink systems that probably would fit the bill better for ISP Magazine, including bit.ly. This would allow them to for example use https://go.isc2.org/ISP-Mar2020-2901. For the cost of only a dozen more characters, it inspires confidence that:
I do note that CISSP forum also uses 3rd party shorteners in its messages. The excuse there is that the environment is fundamentally text-only and word-wrap tends to break long URLs. Even then, I do not follow URLs that have been obfuscated. Perhaps it is my loss, but is is also my risk decision.
I don't know about bit.ly (which I think first began appearing as a Twitter aid) but the granddaddy of shorteners, TinyURL, provides both a direct link and a preview version to allow inspection of the target url.
Also, notice the format; you can turn any standard TinyURL into a preview version manually.
That 'preview' option is a really nice service by TinyURL. Though I noticed you need to load almost every advertising network that exists on the page, and most of the concerns al still valid.
Bit.ly hasn't got that feature, only the + to see the url (and the stats).
Still, for the magazine: having a company-owned shortner (if the url really needs to be seen as text) as suggested by denbesten for this purpose seems a better idea. Might even just use that feature, without loading facebook, google, amazon, yahoo, etc. 🙂