

URL shortening services: not secure at all - backslash
http://www.stopthehacker.com/2010/02/19/analyzing-url-shorteners/

======
pierrefar
I built (and sold) cli.gs, one of the 13 final compliant services. The system
that evolved was effectively strict border controls along with frequent police
checks:

1. When a new URL shortening request is received, the requester is checked
and the destination is also checked. If both pass, the new short URL is
returned.

2. When a short URL forwarding request was received (i.e. the bulk of the
traffic), the destination is checked again at a configurable probability. If
the destination is now deemed malicious, it is disabled on the spot and a
message is shown. In times of spam attacks, the checking probability would be
set to 100%.

I blogged about this when it launched and started evolving:

<http://blog.cli.gs/news/new-anti-spam-and-anti-malware-features>

<http://blog.cli.gs/news/more-anti-spam-and-anti-malware-protection>

------
kmod
Interesting article, but I find the author's use of statistics to be quite
bizarre...

[quote] Approximately 68% of URL shortening services were Stage 1 Compliant.

Approximately 56% of URL shortening services were exclusively Stage 2
Compliant. [/quote]

It seems from his numbers that he just meant to not include the word
"exclusively", even though it was italicized. Also, I'm not sure what prompted
the venn diagram with three sections "A", "B", and "A and B". Most of the
regions (such as "A"-and-"A and B"-not-"B") are empty, for good reason.

------
jcromartie
Were they supposed to be safe? How can they be classified as "safe" or
"unsafe?" It's like calling tar or zip utilities insecure because the archives
produced might contain malware.

~~~
jusob
<http://safe.mn/>, for example, is doing checks on both the URL and the
content. If the content cannot be scanned (too big, server too slow, local
URL), visitors are warned that the link was not checked.

------
ihumanable
Am I missing something or is the Venn Diagram horrible. There are "Stage 1
Compliant" and "Stage 2 Compliant" areas, the overlap of which would logically
be "Stage 1 and Stage 2 Compliant" Instead there is a third area for "Stage 1
and Stage 2 Compliant" with the count in the label instead of the area.

That whole chart is either ridiculous or I am a moron and can't parse it with
my brain.

~~~
natrius
You aren't missing anything. It's a nonsensical diagram.

------
ryandvm
Hmmm. I'm not sure URL shorteners should be "secure". The service I want from
them is very well defined: take this long URL and make it very short.

I am certainly not asking them to make a judgment on whether my request was
well conceived.

What's next? Blocking NSFW URLs? Pornographic URLs? Politically offensive
articles?

~~~
martey
The issue is that by making your long URLs short, they also obscure them,
making it harder for you to determine whether it is a good idea to visit.

In my ideal world, the URL shortener would not block you from visiting the
site, but would display an interstitial page warning you of the possible
problems if you did - much like Google Safe Browsing.

~~~
jusob
That is exactly the path I took with <http://safe.mn/>. If the destination is
deemed unsafe, you get a warning explaining what is possibly wrong (malware,
virus, adult content, etc.) + a screenshot (hidden by default) + a link to
continue to the site anyway.
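The two designs described in this thread (pierrefar's cli.gs: check requester and destination at creation, re-check the destination on a configurable fraction of redirects and disable the link on the spot; jusob's safe.mn: show an interstitial with a continue-anyway link instead of blocking) share the same shape, so here is one added example sketching both as a single in-memory shortener. This is illustrative code written for this page, not cli.gs or safe.mn code. The hostname blocklist, the `banned_ips` requester list, the `?force=1` continue link and the `"block"`/`"warn"` mode names are all assumptions standing in for whatever reputation feed, abuse list and page layout a real service would use.

```python
import hashlib
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed blocklist standing in for a real reputation/content scanner
# (assumption: a production service would query a malware feed or fetch and
# scan the page; here the set is edited by hand to simulate a destination
# turning bad after the short URL was created).
BLOCKED_HOSTS = {"malware.example"}


def check_destination(url: str) -> Tuple[bool, str]:
    """Return (safe, reason). Rejects non-http(s) schemes, local/empty hosts
    and anything on the constructed blocklist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = (parts.hostname or "").lower()
    if host in ("", "localhost", "127.0.0.1") or host.endswith(".local"):
        return False, "local or empty host"
    if host in BLOCKED_HOSTS:
        return False, "malware"
    return True, ""


@dataclass
class Link:
    dest: str
    disabled: bool = False
    reason: str = ""


@dataclass
class Shortener:
    recheck_probability: float = 0.1     # set to 1.0 during a spam wave
    mode: str = "block"                  # "block": disable link; "warn": interstitial
    banned_ips: frozenset = frozenset()  # hypothetical requester blocklist
    links: Dict[str, Link] = field(default_factory=dict)
    rng: random.Random = field(default_factory=random.Random)

    def create(self, requester_ip: str, dest: str) -> Optional[str]:
        """Shortening request: check the requester, then the destination."""
        if requester_ip in self.banned_ips:
            return None
        safe, _ = check_destination(dest)
        if not safe:
            return None
        code = hashlib.sha256(dest.encode()).hexdigest()[:7]
        self.links[code] = Link(dest)
        return code

    def resolve(self, code: str, force: bool = False) -> dict:
        """Forwarding request: re-check the destination with the configured
        probability, then redirect, disable, or show an interstitial."""
        link = self.links.get(code)
        if link is None:
            return {"status": 404}
        if not link.disabled and self.rng.random() < self.recheck_probability:
            safe, reason = check_destination(link.dest)
            if not safe:
                link.disabled, link.reason = True, reason
        if not link.disabled or (self.mode == "warn" and force):
            return {"status": 302, "location": link.dest}
        if self.mode == "warn":
            return {"status": 200, "warning": link.reason, "target": link.dest,
                    "continue": f"/{code}?force=1"}  # hypothetical URL shape
        return {"status": 410, "message": f"link disabled: {link.reason}"}


if __name__ == "__main__":
    s = Shortener(recheck_probability=1.0, mode="warn")
    code = s.create("203.0.113.5", "http://turns-bad.example/x")
    BLOCKED_HOSTS.add("turns-bad.example")  # destination goes bad after creation
    print(s.resolve(code))                  # interstitial with a continue link
```

The `recheck_probability` knob is the trade-off pierrefar describes: at 0.0 a link whose destination turned bad after creation is never caught, at 1.0 every redirect costs a scan, and in between a compromised destination is caught on average within `1/p` visits.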

------
joshu
This seems dumb. The site's function, as defined, is to do a redirect. Not
redirect plus a bunch of mysterious stuff.

