
An experiment in re-URLing ...

Since the "community" is not private, but open to the entire world, I often crosspost stuff I do here on the CISSPforum.  The community generates/creates/uses rather huge URLs, and they don't work well with the text-only, but safe and secure, mailer that I use.  Sometimes I use Twitter to fix this, by posting a link to my piece, originally on the "community," over there, which turns something like:

https://community.isc2.org/t5/Career/A-computer-virus-expert-looks-at-CoVID-19/td-p/34281

into a more manageable:

https://twitter.com/rslade/status/1245048351998926855.

 

At times I have deliberately chosen a short subject title, and I've even found that you can re-edit the subject title and get a new, shorter, URL, which I did with the "CISSP questions" topic, which originally had a longer title, with punctuation in it, but is now a "mailing manageable"

https://community.isc2.org/t5/Certifications/CISSP-questions/m-p/18626.

 

Which, this morning, reminded me of the Twitter fake identification issue.  I can take my earlier example tweet:

https://twitter.com/rslade/status/1245048351998926855

and make it appear so important that it seems Donald Trump retweeted it:

https://twitter.com/realDonaldTrump/status/1245048351998926855.

Twitter, you see, doesn't seem to use, or even care, about the account name that comes before the "status" part of the URL, it just looks at the numeric designator at the end of the URL.  I can make up any account I want, and get exactly the same tweet:

https://twitter.com/p1/status/1245048351998926855.

(There is no p1 account on Twitter, or, at least, it's been suspended.  I used that as an homage to Thomas Ryan's "The Adolescence of p1.")

 

So, I tried out the same type of thing with the "community."  I took the URL for this posting:

https://community.isc2.org/t5/Welcome/An-experiment-in-re-URLing/td-p/34471

and I shortened it, taking out some of the subject text, to:

https://community.isc2.org/t5/Welcome/An-experiment/td-p/34471.

Lo and behold, it works.  You get exactly the same page using either URL.  In fact, you can mess with the Board identifier (Welcome, in this case), and it still works!

https://community.isc2.org/t5/GarbageIn/GarbageOut/td-p/34471.

You have to maintain the numeric designator at the end of the URL, but the Board and Subject parts of the URL don't matter in the least.  Which could be very handy for posting.

 

Then I got ambitious.  I have long been annoyed that the URL for an archive or list of my own posts was so long:

https://community.isc2.org/t5/forums/recentpostspage/post-type/message/user-id/1324864413.

So I tried shortening it.  I couldn't do anything about the t5 or forums or recentpostspage, but I did, effectively and still functionally, get it down to:

https://community.isc2.org/t5/forums/recentpostspage/p/m/u/1324864413!

And then, even to:

https://community.isc2.org/t5/forums/recentpostspage/1324864413!

And it still worked, just fine!

 

Oh, [pr0n filter]! Checking this out I just realized that the short versions above give all posts, not just mine ...  Argh ...

 

OK, a little more experimentation, and I got:

https://community.isc2.org/t5/forums/recentpostspage/p/m/user-id/1324864413

which gives me a short version URL that gives only my posts.

 

And, from thence, I made it even shorter:

https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

 

(Which got me thinking, and so I tried out:

https://community.isc2.org/t5/td-p/34471 for this post, but that didn't work.  Oh, well.  Live (or experiment) and learn.)

 

By the way, partly in order to test some of this, and partly because it was taking a while, I have posted, and therefore saved, this posting, at various times along its development, and then, using the little three dot drop down menu at the upper right of the posting, chosen to "Edit Message." This is another workaround to the "Authentication" bug/feature/issue,
https://community.isc2.org/t5/Member-Support/Authentication/m-p/34279
alongside William's suggested action.
https://community.isc2.org/t5/Member-Support/Authentication/m-p/34345/highlight/true#M7257.

(Which also works perfectly well as:

https://community.isc2.org/t5/M/A/m-p/34345/highlight/true#M7257)

For those of us who use "subscriptions," this "part-post and then edit" can be annoying, as we get all the versions as they are posted, but I suppose that will only be an issue if they ever get the subscription bug fixed.

https://community.isc2.org/t5/Member-Support/Subscriptions/m-p/33867.

(Or https://community.isc2.org/t5/M/S/m-p/33867.  Either will work ...)

 

OK, so, other than the fact that this is about how the "community" system does URLs, why did I post this?  There are three security related points to make.  (All of which are by way of saying the same thing in different ways.)

 

First: integrity.  Make the URL show what it is supposed to do.  Everybody uses URL shorteners, but those of us in security are, at least, a little embarrassed about doing it.

 

Second: complexity is the enemy of security.  Why have extraneous extra stuff in a URL that doesn't do anything?  There is always the chance that someone will come along and make them do something, and, very likely, something untoward.  For example, I can create a perfectly usable URL that says:

https://community.isc2.org/t5/WeWant/ToGiveYouMoney/td-p/34471

 

Third: stamp out and eliminate unnecessary redundancy.  Basically the same idea: if there isn't any point in having it, somebody may come along and mess with it.


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
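
An added example, not part of the original post and not the community platform's own code: one way a server could close the gap described above, by treating the numeric designator as the lookup key and refusing to serve the page under any Board/Subject text other than the stored one. The `resolve` function, the `CANONICAL` table and the `strict` option are hypothetical; the table is constructed from URLs quoted in the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed lookup table (assumption): message id -> (board, subject slug),
# filled in from two URLs quoted in the post.
CANONICAL = {
    "34471": ("Welcome", "An-experiment-in-re-URLing"),
    "18626": ("Certifications", "CISSP-questions"),
}

# /t5/<board>/<subject>/<td-p|m-p>/<numeric id>, the shape of the post's URLs.
PATH_RE = re.compile(r"^/t5/([^/]+)/([^/]+)/(td-p|m-p)/(\d+)$")


def resolve(url, table=CANONICAL, strict=False):
    """Return (status, location) for a community-style message URL.

    200: board and subject match the stored values, serve the page.
    301: the id is known but the descriptive text differs; redirect to the
         canonical URL so the address bar never shows caller-chosen words.
    404: malformed path, unknown id, or (strict=True) any mismatch.
    """
    parts = urlsplit(url)
    match = PATH_RE.match(parts.path)
    if match is None:
        return 404, None
    board, subject, kind, msg_id = match.groups()
    entry = table.get(msg_id)
    if entry is None:
        return 404, None
    if (board, subject) == entry:
        return 200, None
    if strict:
        return 404, None
    canonical_path = "/t5/{}/{}/{}/{}".format(entry[0], entry[1], kind, msg_id)
    return 301, urlunsplit((parts.scheme, parts.netloc, canonical_path, "", ""))


if __name__ == "__main__":
    for sample in (
        "https://community.isc2.org/t5/Welcome/An-experiment-in-re-URLing/td-p/34471",
        "https://community.isc2.org/t5/WeWant/ToGiveYouMoney/td-p/34471",
        "https://community.isc2.org/t5/td-p/34471",
    ):
        print(sample, "->", resolve(sample))
```

With the redirect policy the shortened links still reach the page, but the misleading text is replaced before anything is rendered; `strict=True` rejects them outright.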