

Google Warns: bit.ly Links Are Unsafe - antoniotajuelo
http://www.google.com/safebrowsing/diagnostic?site=bit.ly&hl=en

======
ChrisGranger
Any URL shortening site that doesn't have an active block list is likely
linking to _some_ unsafe sites. Singling out bit.ly in this instance is
frankly unfair.

Guess who else Google warns is linking to unsafe sites:

[https://www.google.com/safebrowsing/diagnostic?site=google.c...](https://www.google.com/safebrowsing/diagnostic?site=google.com)

~~~
rapcal
goo.gl too, with nearly 6,300 links to Trojans, way more than on the bit.ly
report:
[https://www.google.com/safebrowsing/diagnostic?site=goo.gl](https://www.google.com/safebrowsing/diagnostic?site=goo.gl)

~~~
abraham
Although for goo.gl "6292349 pages we tested on the site over the past 90
days, 826 page(s) resulted in malicious software" and for bit.ly "91856 pages
we tested on the site over the past 90 days, 721 page(s) resulted in malicious
software". The % of pages on goo.gl with malicious software is much lower.

------
Aoyagi
[http://unshort.me/](http://unshort.me/)

Never fear. Also could you do some enlightening of others? Some people use URL
shorteners by default when they are absolutely unnecessary. Not to mention
privacy policy of these services is often uncomfortable at best.

~~~
elwell
But what if we're dealing with a bitly within a bitly? A 'bitly-ception'? It's
bitly's all the way down... Does unshort.me recursively check? (Oh, and what
if the bitly goes to an unmarked, safe-looking site with a js redirect or
etc.?)

~~~
Aoyagi
I believe unshort.me "unshorts" it all the way. I have not tested it as I'm a
lazy useless individual, but feel free to try it out.

Edit: OK, I just did a quick test, "unshorting" t.co link that hides a bit.ly
link gives the final link.

~~~
unshort
Hey thanks for mentioning [http://unshort.me](http://unshort.me)

I created [http://unshort.me](http://unshort.me) and you are correct it
follows all the way until the shortened url is resolved unless it is a
circular link. It also stores the result in a database so it works faster once
someone resolves the URL.

I also created fuseurl.com. It used to be a bitly but for many URLs but I shut
it down because it started to contain a lot of spam and viruses.

~~~
Aoyagi
Well, then let me thank you for making the service work and keeping it clean.

------
r721
longurl.org is awesome to check what is behind a shortened URL.

Has an API too: [http://longurl.org/api](http://longurl.org/api)

~~~
corobo
HTTP has an API for that too, just make a HEAD request to the shortened URL
and see where the Location header sends you

~~~
kuschku
Yeah, sadly doesn’t always work. Goo.gl and youtu.be sometimes send an http
page consisting of

    <!DOCTYPE html> <meta http-equiv="refresh" content="0; url=https://www.youtube.com/watch?v=opoDBF_b-fg&feature=youtu.be">

Which makes it far more complicated. Another occasion where it’s appropriate
to say “Fuck you, Google!” (also fuck you for disabling audio/video control on
chrome mobile from JS, EXCEPT for google.com/youtube.com etc)

~~~
userbinator
Perhaps this would be a good time to advocate link shorteners that use the
standard HTTP redirect mechanism (bit.ly is one of them), so they can be
HEAD'ed, and not some additional layer of obfuscation either via meta-redirect
or (even worse) bury the target in some minified and obfuscated JS.
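
An added example, not part of the thread or of any service mentioned in it: a hop-by-hop resolver that handles both the `Location` header corobo describes and the meta-refresh page kuschku quotes, and stops on circular links. `unshorten`, `next_hop`, `fetch` and the `.example` hosts are assumptions made for the illustration; the network is replaced by a constructed table so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class MetaRefresh(HTMLParser):
    """Records the target of the first <meta http-equiv="refresh"> tag."""
    target = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "meta" or self.target or (a.get("http-equiv") or "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\">\s]+)", a.get("content") or "", re.I)
        if m:
            self.target = m.group(1)

def next_hop(url, status, headers, body):
    """Return the URL this response points at, or None for a final page."""
    if status in (301, 302, 303, 307, 308) and headers.get("location"):
        return urljoin(url, headers["location"])  # Location may be relative
    parser = MetaRefresh()
    parser.feed(body or "")
    return urljoin(url, parser.target) if parser.target else None

def unshorten(url, fetch, max_hops=10):
    """Walk the chain one hop at a time. fetch(url) must NOT follow redirects
    itself and returns (status, headers with lower-case names, body text)."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(url, *fetch(url))
        if nxt is None:
            return chain, "resolved"
        if nxt in chain:                 # circular link: stop, report the cycle
            return chain + [nxt], "loop"
        chain.append(nxt)
        url = nxt
    return chain, "too-many-hops"

# Constructed responses standing in for the network; all hosts are made up.
FAKE = {
    "http://t.example/a": (301, {"location": "http://b.example/x"}, ""),
    "http://b.example/x": (200, {}, '<!DOCTYPE html> <meta http-equiv="refresh" '
                           'content="0; url=https://video.example/watch?v=1&feature=s">'),
    "https://video.example/watch?v=1&feature=s": (200, {}, "<html>final</html>"),
    "http://loop.example/1": (302, {"location": "/2"}, ""),
    "http://loop.example/2": (302, {"location": "/1"}, ""),
}

def fake_fetch(url):
    return FAKE[url]
```

A real `fetch` would issue HEAD first and fall back to a size-limited GET only when the answer is a 200; a redirect done in JavaScript is still invisible to this approach and is reported as `resolved`.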

~~~
asdfaoeu
They don't want that because they don't want them to be automatically resolved
so they can do metrics which is like 99% of the reason they are used in
electronic form.

~~~
justincormack
If they are temporary redirects, so not cached, they can do metrics from the
server logs perfectly well.

~~~
acquiHire2014
Not if the intermediary, say, Twitter, de-shortens the link once, and then
sends all the real traffic to the cached destination URLs. Not that they do
that at the moment.

------
eappleby
Bitly has confirmed that this issue is resolved:
[https://twitter.com/Bitly/status/526012694835757057](https://twitter.com/Bitly/status/526012694835757057)

------
rapcal
Every bit of technology provides benefits and threats. URL shorteners are no
exception: they definitely add value (and I don't mean just from the sender's
perspective, but also on the recipient's end, e.g. by allowing you to customize
web addresses making it easier for people to remember them) but can also lead
to harm (obfuscating links to malware).

It's like saying a hammer is a useless tool because it can bust your thumb.

------
kefs
if you're curious about following a bit.ly link, simply append a + to the end
of the url and you'll be taken to that link's statistics page, which will also
display the full link you're being forwarded to. a lot of other shorteners
employ the same feature.

but obviously, just use an unshortener extension for peace of mind.

------
novium
Can't this just be bit.ly links to unsafe sites? That doesn't make bit.ly
unsafe as a whole.

~~~
justincormack
Yes it does, as you cannot sanely identify what the link is first.

~~~
mcintyre1994
Just FYI, you can append a + to a "bitlink" to preview its URL and see some
stats.
[http://support.bitly.com/knowledgebase/articles/136551-can-i...](http://support.bitly.com/knowledgebase/articles/136551-can-i-preview-a-bitlink-before-clicking-on-it)

~~~
gpvos
Yeah, like that's obvious or well-known.

------
petercooper
Google is definitely not a fan. I send a _lot_ of email each month (it's my
business) and having bit.ly links in mail is a fast track to Gmail's spam
folder or, in some cases, being rejected entirely. (Note: I'm talking bulk
mail, not personal mail.)

~~~
PhasmaFelis
Why would you use bit.ly links in email?

~~~
petercooper
The sibling replies are mostly a load of bollocks. E-mail based publishers
track clicks anyway through much better means, such as Mailchimp's click
tracking - no reputable sender needs to use bit.ly to track stuff.

The reason bit.ly links can end up in mails is if third parties want to track
clicks separate from the sender and the sender isn't smart enough to catch it.
For example, people who want to include a job listing or some sort of
sponsorship or advert in your mail. They'll often use bit.ly, simply because
it works fine on Twitter, without realizing it's not a great idea in mail.

~~~
leephillips
Above you said that you didn't send spam because your recipients opted in. OK.
Now you say that these email newsletters contain third-party advertising.
You're sending paid advertising in an email. I would consider that to be spam,
even if I opted in to your newsletter. I accept the fact that not everyone
would define it that way, but I hope you see my point.

~~~
petercooper
I see your point in so far as that it's fine to come up with and use one's own
definitions for words, although every widely accepted definition of e-mail
"spam" includes a criterion of being _unsolicited_. For example, in:

* law (e.g. CAN-SPAM or the Privacy and Electronic Communications Regulations 2003) - indeed CAN-SPAM even stands for _Controlling the Assault of Non-Solicited Pornography And Marketing Act_ and reflects the US government's position, the EU's regulations refer to 'unsolicited communications' \- [http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/m...](http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made)

* encyclopedia (say, Wikipedia - [http://en.wikipedia.org/wiki/Spamming](http://en.wikipedia.org/wiki/Spamming) \- or the Encyclopedia Britannica - [http://www.britannica.com/EBchecked/topic/941678/spam](http://www.britannica.com/EBchecked/topic/941678/spam))

* dictionaries (say, Websters - [http://www.merriam-webster.com/dictionary/spam](http://www.merriam-webster.com/dictionary/spam) \- or the Oxford - [http://www.oxforddictionaries.com/definition/english/spam](http://www.oxforddictionaries.com/definition/english/spam))

* technical standards (say, RFC2505 - [http://tools.ietf.org/html/rfc2505](http://tools.ietf.org/html/rfc2505))

* the viewpoint of people extremely against spam, such as Spamhaus - [http://www.spamhaus.org/consumer/definition/](http://www.spamhaus.org/consumer/definition/) or SpamCop - [http://www.spamcop.net/fom-serve/cache/14.html](http://www.spamcop.net/fom-serve/cache/14.html)

* the terms and conditions of e-mail service providers and senders - e.g. [http://mailchimp.com/legal/terms/](http://mailchimp.com/legal/terms/)

------
JacobEdelman
Eh, frankly it just seems like it's Google slipping up. If only a few hundred
bitly links have viruses I'm impressed (I'm sure there are more but the
percentage still doesn't seem that bad).

------
jehiah
All Bitly links are no longer blocked by Google Safebrowsing in Chrome or
Firefox.

------
sumnulu
Not using google but also safari warns about malware via google somehow.

~~~
dewey
That's because Safari is using "Google Safe Browsing Service" \- You can
toggle that in Preferences/Security.

------
Urgo
bit.ly is working fine for me currently but fb.me is currently being blocked

------
praeivis
For now most shortener services give warnings. Internet is broken for next
half day.

------
paulhauggis
I feel like Google does this many times to hurt the competition.

~~~
ipsin
What is "this" in this context?

Scan websites for vulnerabilities?

Make the results of automated vulnerability scans available?

~~~
paulhauggis
Makes it difficult for website operators like bit.ly to exist by
warning users that there are potential risks, when the risks are almost the
same if not more with their own, similar services.

------
randunel
Microsoft could swoop in and solve this :D
[https://www.noip.com/blog/2014/06/30/ips-formal-statement-mi...](https://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/)

