[Ipg-smz] The use of URL Shorteners violates security principles
Ken Gagne
kgagne at gamebits.net
Mon Oct 8 18:15:54 UTC 2018
Tom,

If someone mistypes a YOURLS shortener, how is that going to infect them
with malware? I'm the only person authorized to make shortcuts in the
kgagne.com and gamebits.tv domains. If the site I'm linking them to
(such as Computerworld.com or Moo.com) gets hacked, then the user is
going to get infected with or without a URL shortener.

If you're saying the YOURLS software itself could be hacked, how is
that argument specific to URL shorteners? I wouldn't advise someone not
to have a Twitter account or a WordPress website on the grounds it could
be hacked and their brand stolen.

-Ken

On Mon, Oct 8, 2018, at 1:51 PM, Tom Henderson wrote:
> Convenience at the price of opaqueness.
> Ease of visual transcription for the plausible error of doling
> malware.
>
> Like most shortcuts, doesn't do the job if it infects someone. A
> simple mistaken keystroke sends someone to the unintended. No one
> mistypes stuff, right?
>
> The brand might not be what you intended.
> With all due respect,
> Tom
>
>
> On 10/08/2018 01:40 PM, Ken Gagne wrote:
>> I use URL shorteners for a few reasons. A short link:
>>
>> * is easier to remember and type, without having to look up the
>> original, long link.
>> * is easier for someone to use if seeing it in a presentation or a
>> hardcopy handout.
>> * takes up less space in print.
>> * is better branding.
>>
>> However, I create my short links with YOURLS[1], an open-source URL
>> shortener that you install on your own domain — no integration with
>> (or dependency on) bit.ly, ow.ly, or other third-party services. Some
>> examples of links I've created in it:
>>
>> * gamebits.tv/dox: my Computerworld article about removing your
>> profile from data brokers.
>> * kgagne.com/moo: my referral code for Moo.com.
>>
>> I also used YOURLS to create a2.click, a URL shortener with a
>> frontend that anyone can use — but only if the submitted URLs match
>> my domain whitelist.
>>
>> -Ken
>>
>> On Mon, Oct 8, 2018, at 12:43 PM, Esther Schindler wrote:
>>> Are they still a thing?
>>>
>>> I used to use them because they provided some level of tracking
>>> click throughs. That went away.
>>>
>>> I also used to use them back when Twitter counted all the characters
>>> in a URL as part of its 140. That went away too.
>>>
>>> I’m not sure when/why anyone wants to use these any more… even
>>> before the security vulnerabilities.
>>>
>>>> On Oct 8, 2018, at 9:04 AM, Tom Henderson
>>>> <thenderson at extremelabs.com> wrote:
>>>>
>>>> I can give you a long list of ow.ly[2] shortened URLs that will
>>>> give you a malware dose the size of Cincinnati.
>>>>
>>>> ONE SINGLE MISTYPED character will send a user into plain hell.
>>>
>>> --
>>> Ipg-smz mailing list
>>> Ipg-smz at netpress.org
>>> http://netpress.org/mailman/listinfo/ipg-smz_netpress.org
>>
>>
>>
>
> --
> Tom Henderson
> ExtremeLabs, Inc.
> +1 317 250 4646
> Twitter: @extremelabs
> Skype: extremelabsinc
Links:
1. https://yourls.org/
2. http://ow.ly/