How long is your rack?

David Miller dmiller at tiggee.com
Mon Aug 15 19:32:45 CDT 2011


On 8/15/2011 6:00 PM, Matthew Palmer wrote:
> On Mon, Aug 15, 2011 at 11:37:37AM -0400, Randy Bush wrote:
>>>> more likely a 'shortened' url.  how anyone can click those is beyond
>>>> me.
>>> I'm curious what your objection is.
>> i have no assurance that a shortened url does not lead to a malicious
>> site.  also your privacy issue, but that is secondary.
> Given the rate of publicised defacements of all manner of sites (and that
> injecting malware into a page is the exact same thing as a clear defacement,
> from an execution point of view), a long URL gives you no greater assurance
> of protection from malice.

True.  A long URL does not guarantee protection from malice.

However, you would likely *not* visit a link to 
obviousmalwaresite.example.com.  In fact, I would guess that even a 
reasonable percentage of the clueless would not click a link to 
obviousmalwaresite.example.com.

Camouflaging obviousmalwaresite.example.com behind a URL shortener 
and/or several layers of redirection (which is all that a URL shortener 
is in the end) will increase the number of clicks.  This is obviously 
why spammers/scammers use them.

Your spam filtering may block emails with links to 
obviousmalwaresite.example.com, but does it also expand short URLs and 
then block on the final destination?  Or do you simply block all emails 
with short URLs in them?

Expanding a short URL merely raises the bar slightly by getting you to 
the long URL... which gets us back to - whether or not you would click 
on obviousmalwaresite.example.com.  A tool like longurl.org will give 
you the full redirection chain and things like titles and metadata for 
the final destination.  If you like, you can go directly to the 
destination bypassing potential redirection-redirection (i.e. 
redirecting a portion of visitors differently than others).

For example:
http://t.co/7wP9W2j == Good || Bad -> 
http://longurl.org/expand?url=http%3A%2F%2Ft.co%2F7wP9W2j

FYI: I lock the doors of my car despite the fact that a fair amount of 
the 'security' of the external surface of the car is provided by panels 
of glass.

-DMM
-- maintainer of longurl.org in my spare time (instead of building a 
data center in my house :-)
    use the web site, use the API, or download the code and run your own 
server (the code is open source)
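
The filtering question raised in the message above (expand the short URL, then block on where it leads) can be sketched as follows. This is an added example, not part of the original message and not longurl.org's code; it goes slightly further than the message by checking every hop of the chain, not only the final destination. The hosts `short.example`, `hop.example` and `news.example.org`, the blocklist, and the `constructed_fetch` stand-in for a non-following HEAD request are all constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: URL -> (HTTP status, Location header or None).
# The hosts below are placeholders, not real shortener output.
CONSTRUCTED_RESPONSES = {
    "http://short.example/abc": (301, "http://hop.example/r?id=1"),
    "http://hop.example/r?id=1": (302, "/landing"),
    "http://hop.example/landing": (302, "http://obviousmalwaresite.example.com/"),
    "http://obviousmalwaresite.example.com/": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop"),
    "http://short.example/ok": (301, "http://news.example.org/story"),
    "http://news.example.org/story": (200, None),
}
BLOCKED_HOSTS = {"obviousmalwaresite.example.com"}  # hypothetical blocklist
REDIRECT_CODES = {301, 302, 303, 307, 308}


def constructed_fetch(url):
    """Stand-in for a HEAD request that does not follow redirects."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def expand(url, fetch=constructed_fetch, max_hops=10):
    """Return (chain, reason); reason is None if the chain ended normally."""
    chain, seen = [url], {url}
    while True:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, None
        if len(chain) > max_hops:  # max_hops redirects already followed
            return chain, "too many redirects"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return chain, "redirect loop"
        chain.append(nxt)
        seen.add(nxt)


def verdict(url, fetch=constructed_fetch):
    """Block if the chain cannot be fully expanded or any hop is blocklisted."""
    chain, reason = expand(url, fetch)
    if reason:
        return "block", reason, chain
    for hop in chain:
        host = (urlsplit(hop).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            return "block", "blocklisted host " + host, chain
    return "allow", "final destination " + chain[-1], chain
```

A chain that loops or exceeds the hop limit is blocked rather than allowed, since the filter never learned where it ends.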