How long is your rack?
os10rules at gmail.com
Mon Aug 15 20:53:49 CDT 2011
On Aug 15, 2011, at 8:02 PM, David Miller wrote:
> On 8/15/2011 6:00 PM, Matthew Palmer wrote:
>> On Mon, Aug 15, 2011 at 11:37:37AM -0400, Randy Bush wrote:
>>>>> more likely a 'shortened' url. how anyone can click those is beyond
>>>> I'm curious what your objection is.
>>> i have no assurance that a shortened url does not lead to a malicious
>>> site. also your privacy issue, but that is secondary.
>> Given the rate of publicised defacements of all manner of sites (and that
>> injecting malware into a page is the exact same thing as a clear defacement,
>> from an execution point of view), a long URL gives you no greater assurance
>> of protection from malice.
> True. A long URL does not guarantee protection from malice.
> However, you would likely *not* visit a link to obviousmalwaresite.example.com. In fact, I would guess that even a reasonable percentage of the clueless would not click a link to obviousmalwaresite.example.com.
> Camouflaging obviousmalwaresite.example.com behind a URL shortener and/or several layers of redirection (which is all that a URL shortener is in the end) will increase the number of clicks. This is obviously why spammers/scammers use them.
> Your spam filtering may block emails with links to obviousmalwaresite.example.com, but does it also expand short URLs and then block on the final destination? Or do you simply block all emails with short URLs in them?
> Expanding a short URL merely raises the bar slightly by getting you to the long URL... which gets us back to - whether or not you would click on obviousmalwaresite.example.com. A tool like longurl.org will give you the full redirection chain and things like Titles and Meta data for the final destination. If you like, you can go directly to the destination bypassing potential redirection-redirection (i.e. redirecting a portion of visitors differently than others).
> For example:
> http://t.co/7wP9W2j == Good || Bad -> http://longurl.org/expand?url=http%3A%2F%2Ft.co%2F7wP9W2j
> FYI: I lock the doors of my car despite the fact that a fair amount of the 'security' of the external surface of the car is provided by panels of glass.
> -- maintainer of longurl.org in my spare time (instead of building a data center in my house :-)
> use the web site, use the API, or download the code and run your own server (the code is opensource)
There are browser extensions which resolve and display the actual address of shortened URLs.
And for fun there's always http://shadyurl.com to make shortened obscured URLs that are extra scary.
More information about the NANOG