Turn any link into a suspicious-looking one (verylegit.link)
330 points by defaultnamehere on June 25, 2017 | 90 comments



A similar site has been around for a long time: http://www.shadyurl.com/

example: google.com -> http://www.5z8.info/dogs-being-eaten_x2r3rq_5waystokillwitha...


I made shadyurl! The subdomain feature in this is great. Also cool it has an API. Though with the amount shadyurl was abused by phishers, I'd be interested to see how long an API stays viable.


It's kind of wild that "SHADY URL" is something phishers want to use. But, in the end I guess it's all about finding a domain that isn't tied to them?


Similar to 419 scams, shady links/propositions are a good way to select the people who are easy to trick.


Yeah that's my best guess. I was shocked how much it was used for scams. Might also be possible the link is so suspicious looking it's actually more intriguing to click.


Funny you should mention that. The author actually attributes ShadyURL at the bottom of the project README: https://github.com/defaultnamehere/verylegit.link


If I were trying to send someone to my nefarious website, I'd definitely now wrap the link in this, so that the savvy viewer would think it's a harmless verylegit.link...


You already have that same deal with bit.ly and friends.

http://bit.ly/2saifoB http://bit.ly/2t5xNhB

Which is safe and wonderful and which is dangerous?


For the uninitiated: just add a + to the end of any bitly URL to expose metrics and preview the destination.

http://bit.ly/2saifoB+ http://bit.ly/2t5xNhB+


This is neat, I hadn't seen it before.




This feature's audience is the marketing crowd.


If your research suggests there's a market for a url shortener which uses no JS for analytics etc., you're quite empowered to start one.


RequestPolicy Continued in Firefox, and perhaps other plugins that control/restrict cross-site requests, asks for permission before redirecting to superdodgysite.com and safeandwonderfulsite.com. It's not a feasible solution for the masses, but I really like the control over browsing that it gives.


Yes, absolutely. And on Twitter with its damn t.co hrefs even though the text is a truncated version of the real thing.


Is there any way to get SSL error messages in Firefox?

https://irc.verylegit.link/0x8c*download()194mobiads(windows... is supposed to redirect to Facebook, and it does if you use HTTP. However, over HTTPS Firefox just gives me a very generic "Secure Connection Failed" message. (Chrome is rather more helpful, giving me "ERR_CONNECTION_CLOSED".)


Where did you get that link? Was it one of the sample links? I don't think those are real links. But if you type in https://facebook.com and click "Make it look dodgy" it will give you a real link.

http://hey.look.a.verylegit.link/malware-425iphone)ip-steale...(.docx.html.rar

Edit: Although it appears Hacker News decided to mangle this link that I posted. Apparently it's not happy about mismatched parenthesis in links. Why HN wants to try to match parenthesis in links... that's a good question.


Markdown uses parenthesis? HN software parses markdown in comments to format them?


HN doesn't use Markdown, it has its own eccentric and much more limited markup system.


I get this in Firefox 55:

http://megg.ml/i/771715c9c2445b972e07fa529c6fdb4a.PNG

Note the second line, "The connection to irc.verylegit.link was interrupted while the page was loading." Does that show up for you?


Click the (i) icon to the left of the URL in the address bar, then the `>` button, then “More information” at the bottom. The technical details say the connection is not encrypted.


Yes, I found that, but that's not even an inadequate error message -- it's just wrong. Firefox has no way to tell if the connection is encrypted or not because the connection is being dropped while the encryption is being established.


So a connection that doesn't exist can hardly be encrypted now, can it? Scnr

But yeah I noticed this trend too in browsers, it's getting harder to get to the technical bits every time they try to make these warnings more user friendly. I usually switch to openssl s_client in a terminal at this point.
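The point made in the two comments above is that a connection dropped mid-handshake is a different failure from a bad certificate, even though the browser collapses both into one vague message. Here is an added example (not code from the thread or from verylegit.link) that reproduces that failure mode on loopback, with a throwaway server that accepts the TCP connection and hangs up before sending a ServerHello, and a client that reports what it actually saw. The port is ephemeral and `server.example` is a constructed placeholder used only as the SNI name.

```python
import socket
import ssl
import threading

# Added example, not code from the thread: reproduce on loopback the failure
# mode discussed above (a server that accepts the TCP connection and then hangs
# up during the TLS handshake) and classify what the client actually observes,
# separating "connection dropped before anything was encrypted" from a
# certificate problem. Port and hostname below are constructed placeholders.


def start_dropping_server():
    """Listen on an ephemeral loopback port, read the ClientHello, then hang up.

    Handles exactly one connection and returns the port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)   # consume the ClientHello so close() sends FIN, not RST
        finally:
            conn.close()      # no ServerHello is ever sent
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def classify_tls_failure(host, port, server_hostname, timeout=5.0):
    """Attempt a TLS handshake and return (category, detail).

    Categories:
      "ok"                - handshake completed; detail is the TLS version
      "cert_error"        - handshake ran far enough to reject the certificate
      "connection_closed" - peer hung up before the handshake finished, so the
                            question "was it encrypted?" never had an answer
      "timeout"           - peer accepted but never replied
      "tls_error"         - some other TLS-level failure (detail is the reason)
      "no_connection"     - the TCP connect itself failed
    """
    ctx = ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return ("no_connection", type(e).__name__)
    try:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as e:
        return ("cert_error", e.verify_message)
    except ssl.SSLEOFError:
        return ("connection_closed", "EOF during handshake")
    except ssl.SSLError as e:
        # Some OpenSSL/Python combinations report the hang-up as a generic
        # SSLError with reason UNEXPECTED_EOF_WHILE_READING instead.
        if e.reason and "EOF" in e.reason:
            return ("connection_closed", e.reason)
        return ("tls_error", e.reason)
    except socket.timeout:
        return ("timeout", "no handshake reply within %.1fs" % timeout)
    except ConnectionError as e:
        # An RST instead of an orderly FIN lands here.
        return ("connection_closed", type(e).__name__)
    finally:
        raw.close()   # no-op if wrap_socket already took over the descriptor


def demo():
    """Run the client against the dropping server; expected: connection_closed."""
    port = start_dropping_server()
    return classify_tls_failure("127.0.0.1", port, server_hostname="server.example")


if __name__ == "__main__":
    print(demo())
```

Against a real host the same function gives you the distinction the browser hides: `cert_error` means TLS ran and the certificate was the problem, while `connection_closed` means the server (or something in between) cut the TCP session before any encryption was negotiated, which is the case the comment above describes.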


A general trend.

I've been aware of it since Linus Torvalds pointed out that so-called "UX improvements" were actually UX problems back in GNOME 2.

UX-ers here (hopefully there are a few from Google and Mozilla here): please help stop this long trend of dumbification. I'm not asking you to make it like bash and vim, just stop hiding menus, removing settings, etc.


Complain about how hard it is to get to the details of a bad cert if you want, but this instance does not exemplify the trend you're referring to.

This is one of the only HTTPS errors that you aren't required to click through to uncover the details of the error—the connection is being shut down.


Show that it decreases conversions and then maybe people will stop doing it


The suffixes should be exe, com, js, hta, vbs, and so on, for extra evilness.


pdf and dmg are already pretty scary.


Dmg isn't scary. It's just a disk-image that mounts upon download. You have to manually start any executable on it.

And yes, there are users who click on executables carelessly, but those aren't scared by url-parts.


Safari’s DMG behaviour has been problematic in the past: https://www.cnet.com/news/mac-os-xsafari-dmg-vulnerability-r...


Uhh... It mounts after downloading? Aside from that I doubt (or don't want to believe) that's what's happening... Doesn't that sound inherently dangerous to you? We've seen files that could infect Windows machines just from having the file browser look directly at them.


Considering most people in the world use Windows, dmg is pretty much irrelevant. They can only be opened/unpacked on Macs, so even if it contains an evil payload you won't ever get to it on Windows or Linux.

Exe files have a much bigger impact and can be run through emulation on non-Windows systems.

I'd say exe is a much better choice.


My mental pronunciation mechanism cannot stop reading "dmg" as "damage"


Same for me. I guess that's what decades of playing with and reading about video games do to your brain ^^


You must be a Richard Herring fan.


As an OSX user, it is fairly amusing when some sketchy ad auto-downloads some "setup.exe" file.


As a Windows user, it's amusing when shady websites try to emulate macOS system dialogs, or Android ones.


But what if you do the same on Linux, with Wine installed? Are you vulnerable the same way Windows users are? I mean: Wine lets you just double-click an exe file to run it.


No idea, however I doubt any Linux user with Wine installed would double click some random setup.exe that was auto downloaded.


You are dangerously underestimating stupid...


*Considering most people in the world use Android.


Good point. Doesn't invalidate mine though :)


Well, most people use both.


That can't be true can it?


  How does it work?

  Due to rapid advancement in dark ritual technology, 
  the programming community has streamlined the
  Development and deployment of unspeakable 
  eldritch horrors. 

  Using robust open-source libraries like a sack of 
  live geese, websites like this one can be
  developed with far more efficient sacrificial
  rituals than ever before.

  We're still stuck on the version with 
  really inefficient sacrifical rituals 
  though, due to comp͆aͭatib̊i̼͕l̈̿i̮̜t̚y̅ ͊i͋s̾s̢͈͠u̶e̛̊s̼̃. 

Not that I'm in need of a URL shortener, but I really like the style it's "advertised" in :-)


Unable to open in Edge: http://imgur.com/a/nBAne


This could potentially be useful to scammers, to pre-filter out the kind of people who click on shady links.


This is neat. I'll make sure to use it whenever I post something here or on Reddit. Great work


I built this years ago when I made it up during an IM conversation with a friend and we realized it wasn't taken: http://shadydownloads.com/


redirect to about:config -> http://hey.look.a.verylegit.link/765ip-stealer_.json.zip

and get a Corrupted Content Error (edit: under Firefox)


I get “Secure Connection Failed” in Firefox Nightly when clicking on the demo link.


That's a feature!


That "feature" does not appear to work for me. It probably should be a feature though.


I'd like a way to get some statistics, e.g. how many people clicked the link, etc.

That might even be useful when posting links to HN.


I've DNS blackholed the entire .link TLD, along with .science, .country, .click, and .rocks.

So, there's that.

(DNSMasq, router-based blocklist.)


Do you care to share the reasons you've taken this decision?


Direct personal realisation, an increasingly take-no-prisoners approach to online abuse, and a considerable amount of evidence from elsewhere that such TLDs are almost entirely void of value.

My router doesn't have sufficient resources to list individual hosts, particularly where widespread abuse is found. Plus it's just too much fucking work.

BlueCoat Security (now part of Symantec) have been publishing a "Shady TLD series".

https://www.symantec.com/connect/blogs/floating-down-stream-...

Basically: to 2-3 nines, these TLDs are nothing but trouble. If they can't clean up their own acts, fuck 'em.

And let that be warning to other TLD registrars.


As an aside, BlueCoat is not a very reputable company. They are responsible for the government-sponsored censorship of Burma's and Syria's internet[1]. Which means that Symantec is currently the (American) company responsible for the censorship blacklist of Syria and Burma.

[1]: http://surveillance.rsf.org/en/blue-coat-2/


Two points here, about both the advice and the people giving it.

Regarding the advice, personally I think the advice is bogus. A lot of Mastodon instances have started legitimately using unconventional newTLDs. And I seem to see more URI shorteners, .com and .ru in spam than all the newTLDs put together (zero, from a hacked site, costs less than free). Country K-lining, while attractive to the lazy network operator, only works as an extreme temporary measure in a crisis - spammers adapt, but blocklists tend to only grow. And perhaps Symantec, given their business dealings with Verisign, might not be a 100% neutral party in making recommendations seemingly targeted primarily at severely disrupting the present and future business of cheaply-available TLDs?

Regarding Blue Coat, research shows Blue Coat devices are also used in the censorship/mass surveillance programmes of: Russia, UAE, Bahrain, Iran, and even China. Please also remember Blue Coat devices intercept, log and parse near-everything that goes through them. That puts them at a significantly elevated security risk above a network which didn't have them at all. I know I would find it unethical to report any vulnerabilities to that vendor, and I know I am not the only one who thinks so. And middleboxes like that are incredibly frustrating to the interoperability of the internet and present probably the single biggest hurdle to progress in internet protocols - ask someone in the IETF TLS Working Group currently working on TLS 1.3 just exactly what they think of them!


I'm active on Mastodon.

The federated structure of Mastodon means that, so long as I'm accessing toots via my host instances, the source of the toots doesn't matter. That plumbing is managed by the instances, not my local network gateway.

(If I were locally hosting, the situation would be different.)

Punching holes as needed would be another alternative.

I'm aware of the various arguments in favour, and opposed to, various forms of security blocking or not. I've participated in those discussions for most of the past 30 years. There are times when the onslaught simply becomes sufficiently excessive that measures need to be taken.

DNS namespace is large. I'm not going to independently add every last damned host, or domain, by hand. And even with blocklist subscriptions, the overhead is substantial.

I suspect this is a situation which may come to a head in the not-too-distant future, though timing such matters is difficult. The consolidation of much Web activity to a relatively small number of sites already reflects this in part.


Taken into consideration. Though this doesn't speak to the specific analysis of TLDs referenced here.


These lists, it should be pointed out, are quickly becoming outdated as more folks sign up for new domain names. For example, there’s this on .xyz https://www.symantec.com/connect/blogs/exploring-xyz-another... and then there’s actual usage of it: https://abc.xyz (completely not mentioned...)

If you want to know the most popular/relevant sites on a TLD, search google for `site:xyz` to see a small list... E.g. .link often is used by websites with very long domains looking for a shorter one, like http://gcr.link/ Amazon has http://aws.science/ .country is mostly crap, but there is http://cma.country/ .click is indeed only slightly less spammy, but does have http://bbc.click/ And .rocks doesn’t deserve the ban. It’s used by fan sites, people promoting tech or events, and fun stuff like kqed.rocks for kqed.org ...

I’ll admit though, it can be hard to tell with all the third party domains which sites are legitimate and which aren’t...


Given the risk/reward of, oh, say, finding my systems hosed or users scammed and/or bank accounts drained, vs. missing out on someone's link shortener, I think I'll err on the side of caution.

This being an assessment based on local awareness of circumstances.


In what way are you more secure than when someone uses a .com domain? In both cases it is easy to register a URL and turn it into a malicious site. It really seems you are blackholing parts of the web for no good reason except to exempt yourself from actually performing a security check on the sites, on the assumption that all other TLDs are safe.


Wrong question.

Risk. Reward. Administrative cost.

The first of these I blocked when I looked at the domain and realised that the TLD was registering any old line noise. I'm not going to bother sorting that. A search for other experience turned up Blue Coat.

I subscribe to blocklists, and they update periodically. There are other levels of protection.

When a TLD is 99.9% malware or scams, it's far easier to block it outright. Registrars should take responsibility for what they're registering. Not my problem.


My experience with Symantec web protection (which I assume will use the same blocklists they are talking about) is that it has a ridiculous false positive rate, and when I was still in high school they had Blue Coat installed and it had a worse false positive rate. I would be very careful about running blacklists from those companies, aside from anti-ad blocklists.


I use .rocks for my personal website because it's slightly playful

https://chuckdries.rocks

Of course I also have a .com but it's not linked up to the .rocks because I'm lazy


Another .rocks one:

https://react.rocks/


Should also consider .top. Along with .science, it's the biggest offender for me.


That's on Bluecoat's list.

My set (dnsmasq format):

     # Shady TLDs (see BlueCoat)
     address=/.accountant/0.0.0.0
     address=/.christmas/0.0.0.0
     address=/.click/0.0.0.0
     address=/.country/0.0.0.0
     address=/.cricket/0.0.0.0
     address=/.date/0.0.0.0
     address=/.download/0.0.0.0
     address=/.faith/0.0.0.0
     address=/.gdn/0.0.0.0
     address=/.gq/0.0.0.0
     address=/.kim/0.0.0.0
     address=/.link/0.0.0.0
     address=/.loan/0.0.0.0
     address=/.mom/0.0.0.0
     address=/.ninja/0.0.0.0
     address=/.online/0.0.0.0
     address=/.racing/0.0.0.0
     address=/.rocks/0.0.0.0
     address=/.science/0.0.0.0
     address=/.space/0.0.0.0
     address=/.stream/0.0.0.0
     address=/.top/0.0.0.0
     address=/.win/0.0.0.0
     address=/.work/0.0.0.0
     address=/.xin/0.0.0.0
     address=/.xyz/0.0.0.0
     address=/.zip/0.0.0.0

Checking:

    $ host i.am.the.top
    i.am.the.top has address 0.0.0.0
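The dnsmasq list above and the earlier "I've DNS blackholed the entire .link TLD" comment both rely on dnsmasq's `address=` suffix matching, and the pushback in the thread is about collateral damage to legitimate sites on those TLDs. The following is an added example, not code from the thread or from dnsmasq itself: a small Python parser for `address=/domain/ip` lines that resolves hostnames the way dnsmasq's domain rules do (a rule covers the domain itself and everything beneath it, the most specific rule wins, `#` is the catch-all, an empty sink means NXDOMAIN), plus an audit helper that reports which hosts a TLD-wide block would also take down. `SAMPLE_CONF` is a constructed subset of the posted list with two per-host entries under the reserved `.example` TLD added; treating `/.top/` as equivalent to `/top/` is an assumption about dnsmasq's handling of the leading dot, and the site names passed to `audit_collateral()` are ones mentioned elsewhere in this thread.

```python
# Added example, not code from the thread: parse a dnsmasq address= blocklist
# like the one posted above and resolve hostnames against it the way dnsmasq
# does (a domain rule covers the domain itself and every name beneath it, the
# most specific rule wins, and "#" is the catch-all). SAMPLE_CONF is a
# constructed subset of the posted list plus per-host entries under the
# reserved .example TLD.

SAMPLE_CONF = """\
# Shady TLDs (see BlueCoat)
address=/.link/0.0.0.0
address=/.top/0.0.0.0
address=/.xyz/0.0.0.0
address=/tracker.example/0.0.0.0
address=/ads.example/adhost.example/0.0.0.0
"""


def parse_address_lines(text):
    """Return {domain: sink} from dnsmasq 'address=/dom[/dom...]/[ip]' lines.

    A leading dot is stripped ('/.top/' and '/top/' are treated alike; assumed
    equivalent for this example). An empty sink means dnsmasq would answer
    NXDOMAIN; it is stored as None.
    """
    rules = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue            # blank line or comment
        if not line.startswith("address="):
            continue            # other dnsmasq options are not blocklist rules
        parts = line[len("address="):].split("/")
        if len(parts) < 3 or parts[0] != "":
            continue            # malformed: expected a leading '/'
        sink = parts[-1] or None
        for domain in parts[1:-1]:
            if domain:
                rules[domain.lstrip(".").lower()] = sink
    return rules


def lookup(rules, hostname):
    """Return (matched_rule, sink) for hostname, or (None, None) if unblocked.

    Walks from the full name to its shortest suffix, so the most specific
    matching rule is found first; a '#' rule matches anything left over.
    """
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return (suffix, rules[suffix])
    if "#" in rules:
        return ("#", rules["#"])
    return (None, None)


def is_blocked(rules, hostname):
    """True if any rule (including the catch-all) applies to hostname."""
    return lookup(rules, hostname)[0] is not None


def audit_collateral(rules, hostnames):
    """List the hostnames a TLD-wide block would also take down."""
    return [h for h in hostnames if is_blocked(rules, h)]


if __name__ == "__main__":
    rules = parse_address_lines(SAMPLE_CONF)
    print(lookup(rules, "i.am.the.top"))          # the check from the comment above
    print(audit_collateral(rules, ["abc.xyz", "gcr.link", "aws.science",
                                   "bbc.click", "react.rocks"]))
```

Feed `audit_collateral()` the hostnames you actually visit (browser history, a proxy log) before committing to a TLD-wide block; it gives the signal-to-noise figure the thread argues about instead of a guess, and a per-host `address=` line for the few legitimate sites can be added ahead of the TLD rule since the more specific rule wins.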


.XYZ is used by Google's parent company Alphabet inc. I thought that gave .XYZ a bit more street cred, I guess not.

https://abc.xyz


How's your signal-to-noise ratio? Is this the first legit site you've wanted to access on one of those TLDs?


Yes.

Mind that if I want to access a site, I can do so by using one of several proxies. E.g., archive.is or the like.

The blocks are, in that sense, soft, but strongly advisory.

I'm also increasingly blocking just straight-up shit sites, as well as a large number of advertising and monitoring sites, via standard blocklists (mostly based off uBlock / uMatrix's lists).


Hi, would you please consider parameterising the input in the URL so that I can use it with Chrome's Omnibar?


But what for? So that people don't click it?


Woz would love this, I hope he gets to see it


Doesn't work for any HTTPS site.




I think the purpose is just some good old harmless fun.


How is this top of hacker news???


People have a sense of humor, and this is a fantastic meta joke. Why so serious?


This site doesn't like jokey comments, so how are pointless jokey links tolerated? It's not like the linked-to site is making a serious point in a light-hearted way.


Because the joke is actually a utility, and I for one plan to share links to others with it to continue the fun (can't be done with a witty/funny comment).


> This site doesn't like jokey comments,

Agree

> so how are pointless jokey links tolerated?

This is a small technical project. It requires some minimal level of technical ability. A variation of this may be useful. (But I can't think of any useful variation now.)

So I think it's a good submission, perhaps to get 50-100 points, and a #20 in the front page. I think that 250 points and the #1 in the front page is too much, but whatever.

[not a quote] So a page with a funny domain with a static text that says "YES" or "NO" is a good submission?

Nah. This has a very low level of technical content. But if the text is determined by the blockchain, or user votes, a sensor, or something, it may be good enough. But it would be better to submit a blog post explaining the project.


I think the site makes an important comment: I've had two very on-to-it people say in response to my share (legit.link pointing to itself), "I'm not clicking that".

My thoughts are, why should the "obviously dodgy looking" link be any more risky than a bit.ly shortened one? Bit.ly is not coming out and saying "I'm shady", but other than that you have no idea what's on the other end (I'd argue most people don't know about the + on the end reveal).


No, 10-20 humorless users on HN don't like jokey comments.


Mods, thanks for changing the title. It was screwing with the layout on mobile.


This:

   secure.verylegit.link/warez737speedupurpc.gif.pdf
(example from site) doesn't look dodgy to me at all.

I'd have no qualms clicking on it, because my browser and I can handle suspicious websites. (Especially ones ending pdf.)

Something that would give pause would be:

https://tinyurl.com/2ea2mu4?command=127.0.0.1/activate

I would think...wait a minute... I probably wouldn't click this example.


Good for you. But this is a scary looking link for the average internet browser.


I disagree, because it literally says "secure.verylegit.link". Those are not negative words.

If this seemed suspicious to the people you're talking about, nobody would start a letter to them with the words, "Please permit me to make your acquaintance in so informal a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This request may seem strange and unsolicited but I will crave your indulgence and pray that you view it seriously." (I found this example online.)

So, I simply disagree that the example produced looks suspicious. It looks fine.

Further, I wouldn't even think twice before clicking it. The example I quoted simply doesn't look suspicious. (Because pdf is a 'safe' filetype.) I don't think it would give the average Internet user pause, either.


The example I quoted simply doesn't look suspicious. (Because pdf is a 'safe' filetype.)

Safe?

https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...


Yes, safe. I open it safely in Chrome (I just click, Chrome opens it natively in the same view) and the chance someone is going to burn a PDF zero-day for chrome on a random link I come across is vanishingly small.

You can open PDF files in Chrome. Even malicious ones. It's okay.



