[Ipg-smz] The use of URL Shorteners violates security principles

Tom Henderson thenderson at extremelabs.com
Mon Oct 8 19:45:56 UTC 2018


If you control a target in a domain of your own exclusive control, then 
it's your responsibility. Presumably, nothing can be altered in the 
delivery chain, nor are there any DNS listings outside of your 
administrative control.

In this case, it's likely safe.

Except that: it still encourages people to use opaque clicks. If they 
mis-transcribe yours, then it's harmless, presumably. If they use 
another URL shortener, then it's a dice roll.

Tom


On 10/08/2018 02:15 PM, Ken Gagne wrote:
> Tom,
>
> If someone mistypes a YOURLS shortener, how is that going to infect 
> them with malware? I'm the only person authorized to make shortcuts in 
> the kgagne.com and gamebits.tv domains. If the site I'm linking them 
> to (such as Computerworld.com or Moo.com) gets hacked, then the user 
> is going to get infected with or without a URL shortener.
>
> If you're saying the YOURLS software itself could be hacked, how is 
> that argument specific to URL shorteners? I wouldn't advise someone 
> not to have a Twitter account or a WordPress website on the grounds it 
> could be hacked and their brand stolen.
>
> -Ken
>
> On Mon, Oct 8, 2018, at 1:51 PM, Tom Henderson wrote:
>>
>> Convenience at the price of opaqueness.
>>
>> Ease of visual transcription for the plausible error of doling malware.
>>
>> Like most shortcuts, doesn't do the job if it infects someone. A 
>> simple mistaken keystroke sends someone to the unintended. No one 
>> mistypes stuff, right?
>>
>> The brand might not be what you intended.
>>
>> With all due respect,
>>
>> Tom
>>
>>
>>
>> On 10/08/2018 01:40 PM, Ken Gagne wrote:
>>> I use URL shorteners for a few reasons. A short link:
>>>
>>>   * is easier to remember and type, without having to look up the
>>>     original, long link.
>>>   * is easier for someone to use if seeing it in a presentation or a
>>>     hardcopy handout.
>>>   * takes up less space in print.
>>>   * is better branding.
>>>
>>>
>>> However, I create my short links with YOURLS <https://yourls.org/>, 
>>> an open-source URL shortener that you install on your own domain — 
>>> no integration with (or dependency on) bit.ly, ow.ly, or other 
>>> third-party services. Some examples of links I've created in it:
>>>
>>>   * gamebits.tv/dox <https://gamebits.tv/dox>: my Computerworld
>>>     article about removing your profile from data brokers.
>>>   * kgagne.com/moo <http://kgagne.com/moo>: my referral code for
>>>     Moo.com.
>>>
>>>
>>> I also used YOURLS to create a2.click <https://a2.click>, a URL 
>>> shortener with a frontend that anyone can use — but only if the 
>>> submitted URLs match my domain whitelist.
>>>
>>> -Ken
>>>
>>> On Mon, Oct 8, 2018, at 12:43 PM, Esther Schindler wrote:
>>>> Are they still a thing?
>>>>
>>>> I used to use them because they provided some level of tracking 
>>>> click throughs. That went away.
>>>>
>>>> I also used to use them back when Twitter counted all the 
>>>> characters in a URL as part of its 140. That went away too.
>>>>
>>>> I'm not sure when/why anyone wants to use these any more... even 
>>>> before the security vulnerabilities.
>>>>
>>>>> On Oct 8, 2018, at 9:04 AM, Tom Henderson 
>>>>> <thenderson at extremelabs.com <mailto:thenderson at extremelabs.com>> 
>>>>> wrote:
>>>>>
>>>>> I can give you a long list of ow.ly <http://ow.ly/> shortened URLs 
>>>>> that will give you a malware dose the size of Cincinnati.
>>>>>
>>>>> ONE SINGLE MISTYPED character will send a user into plain hell.
>>>>
>>>> --
>>>> Ipg-smz mailing list
>>>> Ipg-smz at netpress.org <mailto:Ipg-smz at netpress.org>
>>>> http://netpress.org/mailman/listinfo/ipg-smz_netpress.org
>>>
>>>
>>>
>>
>
>
>

-- 
Tom Henderson
ExtremeLabs, Inc.
+1 317 250 4646
Twitter: @extremelabs
Skype: extremelabsinc
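As an added illustration (not code from YOURLS, a2.click, or any poster in this thread) of the kind of domain allowlist check Ken describes for his public shortener frontend: a submitted long URL is accepted only if it parses to an allowlisted host, so the short link can never redirect somewhere outside the operator's chosen domains. The allowlisted domains are taken from the thread as constructed sample values and the function names are hypothetical.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the domains mentioned in the thread. A real
# deployment would load this from the shortener's configuration.
ALLOWED_HOSTS = {"gamebits.tv", "kgagne.com", "computerworld.com", "moo.com"}
ALLOWED_SCHEMES = {"http", "https"}


def host_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one.

    Matching on the label boundary ("." + domain) rejects look-alikes such
    as gamebits.tv.evil.example, which merely *starts* with a listed name.
    """
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def validate_long_url(url: str) -> Tuple[bool, str]:
    """Decide whether a submitted long URL may be turned into a short link.

    Returns (accepted, reason). Anything a browser would resolve to a host
    outside the allowlist is refused: non-http(s) schemes, userinfo tricks
    (https://gamebits.tv@evil.example/ really goes to evil.example), missing
    hosts, and URLs containing whitespace or backslashes that parsers treat
    inconsistently.
    """
    if any(c.isspace() for c in url) or "\\" in url:
        return False, "whitespace or backslash in URL"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if "@" in parts.netloc:
        return False, "userinfo in authority is not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if not host_allowed(host):
        return False, f"host {host!r} not on allowlist"
    return True, "ok"
```

The check does not make the destination site itself safe (Ken's point about Computerworld.com being hacked stands); it only guarantees that the short link cannot be pointed at a domain the operator did not choose.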
