[Ipg-smz] The use of URL Shorteners violates security principles
Patrick Corrigan
phcorrigan at gmail.com
Mon Oct 8 19:50:55 UTC 2018
> Except that: it still encourages people to use opaque clicks.
Agreed.
On Mon, Oct 8, 2018 at 12:46 PM Tom Henderson <thenderson at extremelabs.com>
wrote:
> If you control a target in a domain of your own exclusive control, then
> it's your responsibility. Presumably, nothing can be altered in the
> delivery chain, nor are there any DNS listings outside of your
> administrative control.
>
> In this case, it's likely safe.
>
> Except that: it still encourages people to use opaque clicks. If they
> mis-transcribe yours, then it's harmless, presumably. If they use another
> URL shortener, then it's a dice roll.
>
> Tom
>
> On 10/08/2018 02:15 PM, Ken Gagne wrote:
>
> Tom,
>
> If someone mistypes a YOURLS shortener, how is that going to infect them
> with malware? I'm the only person authorized to make shortcuts in the
> kgagne.com and gamebits.tv domains. If the site I'm linking them to (such
> as Computerworld.com or Moo.com) gets hacked, then the user is going to get
> infected with or without a URL shortener.
>
> If you're saying the YOURLS software itself could be hacked, how is that
> argument specific to URL shorteners? I wouldn't advise someone not to have
> a Twitter account or a WordPress website on the grounds it could be hacked
> and their brand stolen.
>
> -Ken
>
> On Mon, Oct 8, 2018, at 1:51 PM, Tom Henderson wrote:
>
> Convenience at the price of opaqueness.
>
> Ease of visual transcription for the plausible error of doling malware.
>
> Like most shortcuts, doesn't do the job if it infects someone. A simple
> mistaken keystroke sends someone to the unintended. No one mistypes stuff,
> right?
>
> The brand might not be what you intended.
>
> With all due respect,
>
> Tom
>
>
>
> On 10/08/2018 01:40 PM, Ken Gagne wrote:
>
> I use URL shorteners for a few reasons. A short link:
>
>
> - is easier to remember and type, without having to look up the
> original, long link.
> - is easier for someone to use if seeing it in a presentation or a
> hardcopy handout.
> - takes up less space in print.
> - is better branding.
>
>
> However, I create my short links with YOURLS <https://yourls.org/>, an
> open-source URL shortener that you install on your own domain — no
> integration with (or dependency on) bit.ly, ow.ly, or other third-party
> services. Some examples of links I've created in it:
>
>
> - gamebits.tv/dox: my Computerworld article about removing your
> profile from data brokers.
> - kgagne.com/moo: my referral code for Moo.com.
>
>
> I also used YOURLS to create a2.click, a URL shortener with a frontend
> that anyone can use — but only if the submitted URLs match my domain
> whitelist.
>
> -Ken
>
> On Mon, Oct 8, 2018, at 12:43 PM, Esther Schindler wrote:
>
> Are they still a thing?
>
> I used to use them because they provided some level of tracking click
> throughs. That went away.
>
> I also used to use them back when Twitter counted all the characters in a
> URL as part of its 140. That went away too.
>
> I’m not sure when/why anyone wants to use these any more… even before the
> security vulnerabilities.
>
> On Oct 8, 2018, at 9:04 AM, Tom Henderson <thenderson at extremelabs.com>
> wrote:
>
> I can give you a long list of ow.ly shortened URLs that will give you a
> malware dose the size of Cincinnati.
>
> ONE SINGLE MISTYPED character will send a user into plain hell.
>
>
> --
> Ipg-smz mailing list
> Ipg-smz at netpress.org
> http://netpress.org/mailman/listinfo/ipg-smz_netpress.org
>
>
>
>
>
> --
> Tom Henderson
> ExtremeLabs, Inc.
> +1 317 250 4646
> Twitter: @extremelabs
> Skype: extremelabsinc
--
Patrick Corrigan
Email: phcorrigan at gmail.com
LinkedIn: https://www.linkedin.com/in/patrick-h-corrigan-61669422
Member, Internet Press Guild http://www.netpress.org
"For every difficult and complex question there is an answer that is
simple, easily understood and wrong."
H.L. Mencken
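
Ken's message quoted above describes a2.click as accepting submitted URLs only when they match a domain whitelist. The following is an added example, not part of the thread and not YOURLS or a2.click code, of one way such a check can be written so that look-alike hosts, userinfo tricks and non-web schemes are refused. The allowlist entries, the function name and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist; the thread does not list a2.click's actual domains.
ALLOWED_DOMAINS = frozenset({"example.org", "example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_allowed_target(url, allowed=ALLOWED_DOMAINS):
    """True only for http(s) URLs whose host is an allowed domain or a subdomain of one."""
    # Whitespace, control characters and backslashes are parsed differently
    # by browsers and by urlsplit, so refuse them outright.
    if "\\" in url or any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, without userinfo or port
        _ = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    # "https://example.org@other.test/" displays an allowed name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        # Drop a trailing root dot and compare in ASCII (punycode) form, so a
        # host containing look-alike Unicode letters cannot equal an ASCII entry.
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # Exact match, or a subdomain on a label boundary. A bare suffix test would
    # accept "evilexample.org"; a prefix test would accept "example.org.evil.test".
    return any(host == d or host.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    # Constructed sample submissions.
    for candidate in (
        "https://example.org/article",
        "https://blog.example.org/post",
        "https://example.org.evil.test/",
        "https://evilexample.org/",
        "https://example.org@evil.test/",
        "javascript:alert(1)",
    ):
        print(is_allowed_target(candidate), candidate)
```
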