
Show HN: UrlRoulette – Pass a URL to the next visitor - mmathias
https://urlroulette.net/
======
MattBlissett
I submitted three URLs from GBIF.org (my employer), and two of the people who
got them are still browsing _20 minutes later_.

Pretty sea slugs:
[https://demo.gbif.org/occurrence/gallery?taxon_key=2292251](https://demo.gbif.org/occurrence/gallery?taxon_key=2292251)

Bugs:
[https://demo.gbif.org/occurrence/gallery?taxon_key=797](https://demo.gbif.org/occurrence/gallery?taxon_key=797)

Hummingbirds:
[https://demo.gbif.org/occurrence/gallery?taxon_key=5289](https://demo.gbif.org/occurrence/gallery?taxon_key=5289)

I got three blogs in return, one of which was about catching Pokémon. Fair
swap...

~~~
pierrec
Let me get this straight, you're using a monitoring tool for the website you
work on, to check out how long individual people spend on it after you sent it
to them via UrlRoulette? That's kinda neat (in a slightly disturbing way).

~~~
MattBlissett
I wanted to see the user agent and request headers, since there's another
comment about other sites being blocked.

I simply looked at basic web server logs. It's a beta site with hardly any
traffic, so the only log entries were myself and those from the three users
from Urlroulette. I was surprised to see the same IPs were still making
requests when I went to close the terminal a while later.

~~~
pierrec
Yeah, log diving is bread and butter, but reading your original comment it
sounded like UrlRoulette had some kind of magical feature, where one submits a
URL, then gets to see how long the stranger spends on the submitted website.
Hence the clarification.

It would be an interesting feature actually, though it would probably require
some annoying iframe tomfoolery.

~~~
eat_veggies
If the site doesn't block cross origin requests, calling window.open() gives
access to an event that fires when the tab/window closes.

------
throwaway5752
Is this some sort of infosec performance art? This seems extremely inadvisable
for users or the person running the site. What if someone posts something
illegal in the jurisdiction of the viewer or a link to a site with an embedded
exploit?

~~~
tyingq
Is it worse than clicking random links on Reddit, other than maybe you can't
see the url first?

~~~
mod
Not seeing the URL is an incredibly huge difference, on average.

Also you have zero context and no hive-mind to check the link for you ahead of
time.

~~~
tyingq
I dunno...you have plenty of context from my point of view. It's a site with
the word "roulette" in it that tells you what it's going to do: _"Submit to
be redirected to the previous visitor's URL!"_

I knew it was likely to throw me to the wolves.

~~~
johnfn
Well in GP you asked if there was any difference than clicking links on
Reddit. I think you've found one: outside of /new (and even then rarely),
posts on Reddit will not throw you to the wolves.

~~~
tyingq
Generalizing about Reddit is hard.

There are plenty of subreddits where outbound links are dangerous or
offensive.

Even one where they are almost guaranteed to have a 50/50 chance of being so.

[https://www.reddit.com/r/FiftyFifty/](https://www.reddit.com/r/FiftyFifty/)

~~~
johnfn
I feel like every time I leave a comment on HN that is 98% true, someone comes
along to helpfully inform me of the remaining 2%.

Sorry man, but that sort of thing just drives me nuts! Maybe I should paste a
signature onto my posts. Something like "I estimate this comment to be 93 +/-
5% accurate. Please inform me of inaccuracies only if they fall out of those
bounds." :)

~~~
tyingq
Heh. I see what you mean, but that wasn't the intention. I'm not a reddit
regular, but I know it's got plenty of dark places. I just don't get the
uproar of OMG, something called "xyzroulette" that says it will send me to
random places is dangerous. It doesn't seem deceptive or unexpected, that's
the comparison I was trying to make.

Maybe I should have compared to outbound links on 4chan.

------
ptr_void
Tried it a few times, submitted some general interest links from my bookmarks,
only to be redirected to scam sites :( Interesting idea, but it's unrealistic
to expect good behavior from internet as a whole.

It could be useful to have a delay before redirect to be able to read the url
and choose whether or not to go in it.

~~~
Trundle
Yep. Just traded a link to a live stream of golden retriever puppies for
someone's kickstarter project and instantly thought "well I definitely should
have expected that".

~~~
ollyfg
Would you care to share the link to that live stream? Sounds fun ;)

~~~
Trundle
Enjoy!

[https://www.youtube.com/watch?v=lp1rHka_BkA](https://www.youtube.com/watch?v=lp1rHka_BkA)

------
SaintGhurka
Put in something innocuous but interesting to me. Got porn in return.

And I'm at my in-law's home on their network.

I can't believe I'm still making rookie mistakes at my age.

~~~
MichaelApproved
You think they're keeping logs of what sites people visit on their network?

~~~
SaintGhurka
No, but I still want to respect their rules. And they're in the room with me.

~~~
MichaelApproved
Honest question, did you all have a conversation about no porn on their
network or are you making an assumption that they wouldn't like it?

I'm curious what the "no porn" conversation would be like.

~~~
SaintGhurka
We've never discussed it and I don't really have to ask. Yes I'm just making
the assumption but it's with a high degree of confidence.

------
Retr0spectrum
It probably goes without saying, but you should definitely use some kind of
sandboxed browser/session if you want to try this. One annoying URL someone
could submit is superlogout.com, which uses logout CSRF to log you out of a
whole ton of websites at once.

However, I couldn't get it to work in a private tab, because apparently the
invisible captcha fails.

~~~
bigbugbag
Ah! this is a fun one, thanks for sharing.

Luckily I'm immune to this as I don't have an account on any of these websites
but one and I only log there once every 2 years for about 5 minutes.

------
DonHopkins
There was a remote dial-up modem service in the 80's called PC Pursuit [1]
that let you make local phone calls with modems in other cities through
Telenet's packet switching network.

You could play a fun game called "PC Roulette" by connecting to a modem and
typing the Hayes modem command "A/" to dial the last number somebody called.

[1]
[https://en.wikipedia.org/wiki/Telenet#PC_Pursuit](https://en.wikipedia.org/wiki/Telenet#PC_Pursuit)

------
peterkshultz
Reminds me of the game Lose Lose. When you defeat an alien, a random file is
deleted from your computer.

Please don't play it.

[https://www.engadget.com/2009/09/30/lose-lose-game-deletes-f...](https://www.engadget.com/2009/09/30/lose-lose-game-deletes-files-as-you-play/)

------
dabber
I was hesitant to use this for the obvious reasons but in the end decided to
roll the dice...

Of course, the first link I get starts an immediate download of the ubuntu
17.04 iso. Vindication on the first roll.

------
kuschku
I used it a few times in a row, posting different ones of my bookmarks (for
example, Isaac Asimov's Last Question and Last Answer stories), and at one
point got my own link back.

Due to the low-quality links I always got before that I had first assumed it
was just... garbage, but it seems it's just the users.

UPDATE: I've now tried about a dozen times (each time providing a link that
isn't porn and contains informational content), and got 9 porn links, 1 racist
site, and 2 actually interesting links, one of which seemed to have been added
by an HNer: contentful.com

~~~
mmathias
Yes, UrlRoulette tries its best not to redirect you to the links that you
submitted - that would be boring.

All the low-quality stuff: yes, that's the other users! :)

------
amorphid
I submitted the video where I first learned about musician Maggie Rogers. I
love it!

[https://youtu.be/G0u7lXy7pDg?t=18m13s](https://youtu.be/G0u7lXy7pDg?t=18m13s)

------
egfx
Says my URL [https://www.qkast.com](https://www.qkast.com) is invalid.

~~~
mmathias
That's odd. UrlRoulette does some sanity checking on the content of the URL.
Thank you for this bug report!

~~~
artursapek
[https://cryptowat.ch](https://cryptowat.ch) fails too. seems to fail at very
basic URL parsing.

~~~
bigbugbag
it fails at a lot of other basic things: I was unable to post anything because
my firefox 52 is not supported to get a recaptcha challenge.

    Please upgrade to a supported browser to get a reCAPTCHA challenge.

    Alternatively if you think you are getting this page in
    error, please check your internet connection and reload.

I could reload to infinity, this would not fix this broken website or change
the useless error message.

------
jffry

    Submitting UrlRoulette.net? Not funny! Try again! :)

Aww man, foiled!

~~~
api_or_ipa
Link shortener to the rescue!

[http://bit.ly/2oCL927](http://bit.ly/2oCL927)

~~~
progval
or prefix the domain with www.

------
soneca
Just sharing what I got because it was funny:
[http://eelslap.com](http://eelslap.com)

~~~
ballenf
And I got news.ycombinator.com. Thought I had mis-clicked at first. Maybe I
should post a link to this comment now.

------
andersonmvd
It would be cool to somehow be able to send a feedback to the previous user
who shared the link. I can see a few things being derivative from this idea.
Nice idea, but yeah, horrifying when it comes to security. We really have to
trust the previous user or simply leave the website. It would be great if you
could perform some scan to check for pornographic content, scripts (js) in the
page, malware and so on. That's a nice page to exploit CSRF as you don't need
to persuade the user to click in a link, you just redirect him.

------
bigly
Interesting idea, but it seems like it has the potential to get you into a lot
of trouble. You don't know what kind of messed up stuff you are going to be
redirected to.

------
mmathias
Wow, HN front page! About one visit every two seconds! Crazy! :)

------
r721
A couple of tips:

1) There are URL expanders with API to battle URL shorteners, here are some I
found with quick googling:

[http://www.linkexpander.com/api](http://www.linkexpander.com/api)

[https://unshorten.me/api](https://unshorten.me/api) (The API is limited to 10
requests per hour for new short URLs - too slow for you, probably)

[http://pro.urlex.org](http://pro.urlex.org) (paid)

2) You could disallow URLs which are detected with 2 or more engines by
VirusTotal:

[https://www.virustotal.com/en/documentation/public-api/](https://www.virustotal.com/en/documentation/public-api/)

------
chromagnon
Potential for XSS attacks is fairly large. Be careful out there.

~~~
ptr_void
Having uMatrix and NoScript addons on firefox may reduce some risks, also in
general web browsing

~~~
bigbugbag
With noscript urlroulette is useless because it requires cloudflare,
ajax.googleapis, google, gstatic and a few others for no valid reason apart
from supporting google surveillance and helping google for free with what their
algorithm can't do (yet).

Once you've enabled cloudflare, anything can happen.

------
evinr
Adding in a query param to bust the cache makes it possible to submit the same
site multiple times, i.e. example.com, example.com?1, example.com?a,
example.com?123

~~~
mmathias
Yes, it does, but I think there is almost no way around that. Many sites still
use query parameters to show a specific blog entry for example... :/

~~~
warent
Their server could trivially query the url and store the result hash. This
would also give a chance to scan for malicious content

~~~
will_hughes
> Their server could trivially query the url and store the result hash.

I'm not sure what you mean here? I've not seen a site tell you "We don't use
this query parameter" if you stick an additional param on there.

~~~
antsar
I think the idea is to detect when different URLs contain the same content.
That defends against duplicate entries like example.com/?foo and
example.com/?bar (which are the same page).
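
The content-hash idea from this sub-thread as an added example; it is not part of the thread or UrlRoulette's code. `Pool`, `Submit`, `fingerprint` and `constructedSite` are hypothetical names, and the "site" is constructed sample data so the block runs offline.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/url"
	"strings"
)

// Pool stores a fingerprint per accepted page. Fetch is injected (offline demo);
// a real fetcher needs a timeout, size cap and a block on internal addresses.
type Pool struct {
	Fetch func(u *url.URL) ([]byte, error)
	seen  map[string]string // content fingerprint -> first URL that served it
}

// fingerprint hashes the body with runs of whitespace collapsed.
func fingerprint(body []byte) string {
	norm := strings.Join(strings.Fields(string(body)), " ")
	return fmt.Sprintf("%x", sha256.Sum256([]byte(norm)))
}

// Submit returns the earlier URL with the same content, or "" if it is new.
func (p *Pool) Submit(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", fmt.Errorf("invalid URL %q", raw)
	}
	body, err := p.Fetch(u)
	if err != nil {
		return "", err
	}
	fp := fingerprint(body)
	if first, ok := p.seen[fp]; ok {
		return first, nil
	}
	if p.seen == nil {
		p.seen = map[string]string{}
	}
	p.seen[fp] = raw
	return "", nil
}

// constructedSite is made-up sample data: only the ?p= parameter selects content.
func constructedSite(u *url.URL) ([]byte, error) {
	return []byte("<h1>Post " + u.Query().Get("p") + "</h1>"), nil
}

func main() {
	pool := &Pool{Fetch: constructedSite}
	for _, s := range []string{"http://example.com/?foo", "http://example.com/?bar", "http://example.com/?p=2"} {
		dup, err := pool.Submit(s)
		fmt.Printf("%s dupOf=%q err=%v\n", s, dup, err)
	}
}
```

Pages that embed per-request values such as timestamps or tokens still hash differently on every fetch, so this catches only byte-stable duplicates.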

------
shurcooL
I tried submitting my personal site,
[https://dmitri.shuralyov.com](https://dmitri.shuralyov.com), and got:

    URL seems to be invalid, please try again!

I tried with and without scheme, no luck. Is it a bug? My site redirects from
http to https for all queries.

~~~
tyingq
It's because your site responds to HEAD requests with a 405.

They are doing a HEAD request to see if the url is valid, and if it returns
anything other than 200 OK, they reject the url.

    $ curl -IX HEAD https://dmitri.shuralyov.com/
    HTTP/1.1 405 Method Not Allowed

~~~
shurcooL
Thanks. Do you have a recommendation on how I should handle HEAD requests?

Edit: I went with something like this [1] for now. It worked to solve this
problem. I can adjust later as needed.

[1]
[https://github.com/shurcooL/home/commit/b4a601ff7a3752feb291...](https://github.com/shurcooL/home/commit/b4a601ff7a3752feb291535875646c984c3f5634)

~~~
tyingq
The general idea is to return all the same headers as a get, without the body,
so that's likely correct.

Unless there's code farther down that sends content length, etags, etc. You
would want to send those too. Though I don't know that it really matters much.

~~~
shurcooL
Makes sense, thanks.

Good point about Content-Length and ETag headers. So it sounds like one needs
to do exactly the same amount of work to respond to a HEAD request as a GET
request. Meaning the body still needs to be rendered (to calculate its length
and hash). Just not include it in the response.
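
Both sides of the HEAD discussion above, as an added example that is not code from the thread, from the linked commit or from UrlRoulette: a handler that answers HEAD with the same headers as GET, and a checker that falls back to GET when a server refuses HEAD. `renderPage`, `pageHandler` and `probe` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// renderPage stands in for the site's real page rendering (hypothetical).
func renderPage() []byte { return []byte("<html><body>hello</body></html>\n") }

// pageHandler renders the body for GET and HEAD alike so that Content-Length
// and ETag match, then leaves the body out of the HEAD response.
func pageHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		w.Header().Set("Allow", "GET, HEAD")
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body := renderPage()
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Content-Length", strconv.Itoa(len(body)))
	w.Header().Set("ETag", fmt.Sprintf(`"%x"`, sha256.Sum256(body)))
	w.WriteHeader(http.StatusOK)
	if r.Method == http.MethodGet {
		w.Write(body)
	}
}

// probe is the checker's side: HEAD first, then GET if the server refuses HEAD
// (405 or 501), rather than rejecting the URL outright.
func probe(c *http.Client, url string) (int, error) {
	resp, err := c.Head(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp.StatusCode == http.StatusMethodNotAllowed || resp.StatusCode == http.StatusNotImplemented {
		if resp, err = c.Get(url); err != nil {
			return 0, err
		}
		resp.Body.Close()
	}
	return resp.StatusCode, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(pageHandler)) // loopback only
	defer srv.Close()
	fmt.Println(probe(srv.Client(), srv.URL)) // 200 <nil>
}
```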

------
buzz27
I really struggled with your captcha. I had to solve 10 screens of images, it
was very time-consuming and tedious.

~~~
bigbugbag
Agreed this is a very annoying feature and IMHO unnecessary. But the good news
is that the captcha didn't work and told me to get supported browser because
firefox 52 apparently is not. I suppose urlroulette is trying to be smart and
fails, because recaptcha works on every other site in the same browser, though
I still hate it with a passion.

------
5_minutes
Nice idea. I love randomness and serendipity.

There must be something more you can do with this concept though.

------
bigbugbag
Put something in burn after reading mode to a zerobin instance[1] and share it
to urlroulette.

[1]:
[https://github.com/sebsauvage/ZeroBin](https://github.com/sebsauvage/ZeroBin)

------
zelah
I like this idea but there is a lot of porn. Can you block the porn?

~~~
mmathias
Well, I'm not exactly sure about how to do that. I could implement a list of
all the major porn sites, but then people could still post porn URL using URL
shorteners...

~~~
primitivesuave
This is actually a good point, but I'd imagine people put down a porn website
out of pure impulse when trying this service, so having their URL rejected
with a friendly warning would certainly reduce the amount of porn spam. You
could also block common URL shorteners.

This is a really cool app though!

------
jamt9000
I made something similar for Youtube videos:
[http://youtubeswap.com](http://youtubeswap.com) . Lots of trolls, but it can
be fun.

------
ruleabidinguser
I wish I could see people's reactions to my links. There should be some kind
of response form that lets you send a note back to the original sharer.

------
pawy
Empty links to big services like "Google.fr", "Facebook.com", bootstrap;

Proposed a funny video, some simple stuff like Cluster Hat & Gitea github

------
AdamJacobMuller
Just did this, and got redirected to this post. Clever.

~~~
neogodless
Hmm 15 hours ago. Could have been me! But clearly several people had this
idea, too :)

------
mzzter
This could probably go under nsfw.

------
partycoder
It's not safe to visit random URLs, especially URLs with parameters in them.

~~~
averagewall
Why? Drive by exploits get stomped out by browser makers. What could go wrong?
A 0-day being wasted on a stranger?

~~~
partycoder
More like tricking you into interacting with a website in an unintended way,
not only through GET parameters but through clickjacking and other tricks.

[https://en.wikipedia.org/wiki/Clickjacking](https://en.wikipedia.org/wiki/Clickjacking)

~~~
laumars
There's no such thing as "GET parameters". I assume you are referring to the
query string but that's not necessary for encoding resource specific content.
You could use the path structure (which is the common way these days), the
domain name itself (eg different sub domains for different content), the user
agent string, referrer, IP location (eg GeoIP). This is only just scratching
the surface too as I've not even begun to cover the client side rules one can
apply to create a targeted page. Essentially anything that runs like an
application can be dynamically generated to be specific to the visitor and
since websites can be executed both at the server side and client side (eg
Javascript) you're blindly placing your trust on any URL.

Frankly, these days you can't even trust the domain name itself since punycode
and data inlining create easy vectors for spoofing, and DNS poisoning attacks
are still widely possible.

------
my_ghola
Do links get removed after a visitor gets one or they stay in the pool?

~~~
mmathias
They get removed.

~~~
gnarfish
No, you put them in a database. Don't lie to us.

~~~
mmathias
Yes, but they are no longer distributed to users. I thought that was the
original question. I'm keeping them in the database to check for SPAM/multiple
submissions mainly.

~~~
shocks
It's fine. Op is being unreasonable.

------
kwhitefoot
The captcha makes it extremely tedious, too slow, no fun at all.

------
sklivvz1971
I tried to put my own website but it says url invalid... something must be
broken (for repro: [http://sklivvz.com/](http://sklivvz.com/))

~~~
detaro
See comments below, discussing other non-working sites: you don't implement
HEAD requests correctly.

------
emanreus
I just got urlceptioned back to this page :)

~~~
red2awn
I got yours :D

------
cyorir
Sounds interesting, but I don't want to try it out myself because I know that
the internet is dark and full of terrors. Also, I don't want to get
Rick-rolled.

~~~
peterwwillis
[https://www.youtube.com/watch?v=dQw4w9WgXcQ](https://www.youtube.com/watch?v=dQw4w9WgXcQ)

------
c8g
Submitting Google? Not funny! Try again! :)

------
Jotra7
Thanks for the ransomware delivery service!

------
jrz53
I got meatspinned!

~~~
RGS1811
Ugh, same here. That killed it for me.

------
teen
I got google.com. woo

