URL Shorteners Should be Banished

In response to social networking sites like Twitter, URL shortening services have been springing up on the web like unsavory fungus on a cheese sandwich, without the prospect of slowing down any time soon. Services like Bit.ly were inspired by the need for compact links when sharing websites in character-limited status updates on Twitter and its Laconica-like counterparts.

While short URLs are extremely useful in these specific contexts, they also pose a serious security threat and are a bad omen of exploits to come. As Twitter-like social networks become more mainstream, regular folk will become (and presumably already are) conditioned to click on any link they come across, with the risk of landing on malicious websites that take advantage of web-based exploits like XSS (Cross-site Scripting).

In my opinion, links should be treated more like e-mail attachments. They are only to be opened when from a trusted domain. While everyone knows random link-clicking is bad web-behavior, it is being encouraged by the uprising of short-form social networks.

Unarguably, something has to change, as the bad guys have already taken the opportunity to start exploiting this phenomenon. Of course, who am I to suggest that services like Bit.ly and compatriots should be yanked from the interwebs if 140-character status updates gain traction on the net.

So, we can’t banish them. But there are things we can do to make URL shortening safer.

Site Specific Shortening URLs

Bit.ly in particular has proven its immense usefulness because of its way-advanced statistical capabilities. So it is in our own interest to keep such services alive. But..

A safer way to go about URL shortening would be to create a federated system. A possible architecture for this could be accomplished by means of a small web application (possibly coming from a third party like TinyURL or Bit.ly) installed onto the sites to which the short URLs will be linking, which in turn would do the redirecting.

For example:

http://arstechnica.com/Do5s would link to an article on Ars Technica.
http://aceontech.com/f5g would link to a post on this blog.

If the shortening app on the given site would only allow short URLs within its own domain, individual networks of short URLs would be created and doing so would allow the user to exactly know where he’s being led to, thus eliminating the risk of contracting WTDs entirely (Web Transmittable Disease :-P).

Increasingly, I’ve been seeing site which have started doing something similar, but I don’t think they’re actively limiting their URLs to their own domains only. Also, I’m of the opinion that there is a need for a standard in this space. Such a standard could consolidate the matter entirely, making it safer and more uniform in the process.

The technical side of this shouldn’t be too hard, either. It’s just a matter of realizing the danger of having hyperlinks to arbitrary sites and getting some shortening providers assembled to work together to create a standard process for issuing short URLs.

Current third-party URL shorteners could integrate with the federated system to provide a higher user-friendliness. One could still use a service like Bit.ly, but it would go out and check with the domain’s URL-shortener first and return that to the requesting user, first. If not supported or available it could go ahead and generate it anyway.

Click confirmation

Another thought would be to enforce confirmation upon the clicking of a shortened URL. The hyperlink would be intercepted by a page showing information about the domain buried below. It could surface the name, the full URL and other important identifying information. Maybe a database of certified domains could even be established.

Additionally, blacklists like those behind Phishing filters could be employed to heed visitors of suspicious sites. Naturally, these databases would need some kind of governing. Perhaps a web authority like VeriSign could take this responsibility on and possibly wire it to its current SSL-verification process/database…

It’s hard to imagine for me that we’ll all just keep on clicking on links left and right without considering the significant hazard it implies. The web browser is becoming the primary vector for exploits against Internet users. No longer does the the stress lie on the avoidance of e-mail attachments. The threat actually lies within the chrome around each web page you visit.

Security-conscious users [like me] would undoubtedly like to be more cautious with short URLs, but for the lacking of a secure alternative there is nothing else to do but go with the flow for now.

Help. Someone?

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s