Can You Trust That Web Site? (URL Shortener edition)

Regarding URL shorteners such as Bit.ly, 2k38.net, goo.gl (Google’s URL shortener service), is.gd, ow.ly and tinyurl.com (services designed to redirect to a different, typically longer, URL):

  • They are nearly mandatory when posting a URL via Twitter (or other microblogging site).
  • They can get your email dropped by a SPAM filter, since URL redirection (URL forwarding, URL obfuscation) is how malicious sites get past SPAM filters.
  • A URL shortener service takes links out of your control; many of the free URL shortener services have already shut down.

You want to know if you can trust that web site, and a meaningless link doesn’t help. Note that you should always treat any link you see in an email or web page as meaningless; there is no reason to trust that what the link connects to matches the text displayed.

For all URLs, there are two facets:

  1. the text they display and
  2. the resource they actually locate.

There is no requirement that they match. Should ISC SANS be clicked? Should http://www.stopthehacker.com/ be clicked? Displayed text was always untrustworthy, and link shortening services make that obvious.
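The two facets can be compared mechanically. The following is an added example, not code from the original post: it extracts each anchor from an HTML fragment, compares the host shown in the link text with the host in the `href`, and flags links that point at the shorteners named above. The function names, verdict labels and sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shortener hosts named in the article; extend the set for your environment.
SHORTENERS = {"bit.ly", "2k38.net", "goo.gl", "is.gd", "ow.ly", "tinyurl.com"}

def host_of(value):
    """Lower-cased hostname without a leading 'www.', or '' if there is none."""
    url = value if "://" in value else "//" + value
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def verdict(text, href):
    """Compare the two facets of one link: displayed text vs. located resource."""
    target = host_of(href)
    # Text counts as a claim about the target only if it looks like a URL or hostname.
    shown = host_of(text) if re.fullmatch(r"\S+\.\S+", text) else ""
    if target in SHORTENERS:
        return "shortened"   # real destination unknown until the link is expanded
    if not shown:
        return "opaque"      # descriptive text says nothing about the target
    return "match" if shown == target else "mismatch"

def audit_links(html):
    """Return (text, href, verdict) for every link in an HTML fragment."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(t, h, verdict(t, h)) for t, h in collector.links]

# Constructed sample markup; hosts and the short code are placeholders.
SAMPLE = """<a href="http://login.example.net/">http://www.example.com/</a>
<a href="https://www.example.com/diary">example.com/diary</a>
<a href="https://example.org/">Handler diary</a>
<a href="https://bit.ly/EXAMPLE">https://www.example.com/</a>"""
```

A "match" verdict only says the displayed text and the link agree; it says nothing about whether the resource itself is trustworthy.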

Whether you can trust the resource they actually locate is a difficult problem. URL shortening services introduce an extra layer of obfuscation which makes that problem more difficult. Techniques which rely upon an organization’s reputation (such as Web Of Trust) are ineffective when confronted with a shortened URL that obfuscates the organization. This leads to a desire for de-obfuscation approaches, such as Redirect Detective or the (currently unavailable) shuurl.com.

There are problems with relying upon an organization’s reputation to determine if a resource is trustworthy. Problems such as PHP code insertion add untrustworthy code to a trustworthy organization. These problems exist independent of URL shortening services, and are neither more nor less obvious through the use of URL shortening services.

URL shortening services introduce new problems in terms of reliability and stability. You are trusting that the shortened URL will consistently refer to the same resource, that the reference cannot be hijacked, and that the service provider will remain in business (see shuurl.com). These problems are not within the control of the person using the URL shortening service.

In conclusion, shortened URLs:

  1. make the text they display neither more trustworthy nor less trustworthy,
  2. make the resource they actually locate neither more nor less trustworthy, and
  3. introduce availability issues which are outside your control.

Use URL shortening services only if necessary.

Instead of HpHosts as your first step (my advice from Can You Trust That Web Site?), go to vURL. vURL reveals and expands the redirected web site. You can learn what the obfuscated URL will lead you to (and examine the code) without directly connecting to the web site. Then learn if the revealed web site is trustworthy at HpHosts.
