

Google Domain Name Exploit - salehhamadeh
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&sqi=2&ved=0CDEQFjAB&url=http%3A%2F%2Fshamadeh.com%2Fblog%2Fweb%2F2014%2F04%2F06%2FUnvalidated-Redirects.html&ei=_edJU8qiIM6F0QGB_IH4BQ&usg=AFQjCNGrqDwfWo0__InIrKUMXXCK3HrKMA

======
tshtf
From Google ([http://www.google.com/intl/US-
en/about/company/rewardprogram...](http://www.google.com/intl/US-
en/about/company/rewardprogram.html)):

URL redirection: Some members of the security community argue that open
redirectors are a security issue. The common argument in favor of this view is
that some users, when presented with a carefully crafted link, may be duped
into thinking that they will be taken to a trusted page - but will be not be
attentive enough to examine the contents of the address bar after the
redirection takes place.

On the other hand, we recognize that the address bar is the only reliable
security indicator in modern browsers; and consequently, we think that any
user who could be misled by a URL redirector can also be tricked in other
ways, without relying on any particular trusted website to act as a relying
party.

The reward panel will likely deem URL redirection reports as non-qualifying:
while we prefer to keep their numbers in check, we hold that the usability and
security benefits of a small number of well-implemented and carefully
monitored URL redirectors tend to outweigh the true risks

------
gk1
This _seems_ important and something I should look into implementing, but you
completely lost me here:

> "Keep a hash map of URLs. In other words, instead of having the URL in the
> query string, have a key that refers to that URL there. In this way, only
> the URLs for the keys that YOU define are redirectable."

Huh? I wish you would expand on this a little bit.

~~~
willscott
This is exactly what happened with the first era of URL shorteners, and has
the detrimental effect of scattering dead links around the web when your
service closes. (termed link rot)

ArchiveTeam has a project scraping URL shorterners to attempt to archive
exactly these things. Their tagline is "url shortening was a fucking awful
idea".

[http://archiveteam.org/index.php?title=URLTeam](http://archiveteam.org/index.php?title=URLTeam)

My takeaway from this is that having a whitelist is fine, but keep the
original URL visible so that if your service isn't available the original
content is still visible (although potentially requiring manual user effort)
is a good thing.

