Since the beginning of the Internet people have shared URLs with each other. Often the vehicle for sharing URLs was an email or a personal web page with favorite links. Today there are bookmarking websites where users share URLs, comment on them and rate them. [1] As the popularity of Twitter increases, more and more people are using Twitter to share URLs with each other. [2] The 140 character limit on communication with Twitter combined with the reality that many URLs are easily longer than 140 characters has given rise to more and more URL shortening services. While these services do a simple mapping, exchanging one short URL for a longer one, there are risks involved with trusting a third party to redirect you to a web page.
The basic idea of a URL shortening service is to exchange one URL that is short for another that is long. Typically the long URL is the desired destination. A person might send the short URL to a friend. When the short URL is clicked, the website looks up the longer URL and redirects the user to it. For example, suppose I just got an Amazon Kindle 2 and I wanted to share with my friends more information about it. Amazon typically has very long URLs. The URL for the Amazon Kindle 2 is as follows:
That's 215 characters! I'll use this URL as the original URL with the following services to give you an idea of how they work:
bit.ly (http://bit.ly/) - http://bit.ly/Z6eYE - 19 characters
budURL (http://budurl.com/) - http://budurl.com/bsfs - 22 characters
eweri (http://eweri.com/) - http://eweri.com/8rC - 20 characters
hex.io (http://hex.io/) - http://hex.io/ajz - 17 characters
idek.net (http://idek.net/) - http://idek.net/3kH - 19 characters
is.gd (http://is.gd/) - http://is.gd/lg7L - 17 characters
lin.cr (http://lin.cr/) - http://lin.cr/fvc - 17 characters
POPrl (http://poprl.com/) - http://poprl.com/Lm3 - 20 characters
snipurl (http://snipurl.com/) - http://snipurl.com/cucc2 - 24 characters
tinyurl (http://tinyurl.com/) - http://tinyurl.com/bngrky - 25 characters
twurl (http://tweetburner.com/) - http://twurl.nl/no316s - 22 characters
urlBorg (http://urlborg.com/a/) - http://ub0.cc/60/3G - 19 characters
zi.ma (http://zi.ma/) - http://zi.ma/65226b - 19 characters
As you can see the original URL was 215 characters long, while the longest of the shortened URLs was only 25 characters long. I could post this shortened URL on Twitter and still have an expansive 115 characters left to comment on this URL. Perfect.
There are over 90 URL shortening services available online. A more complete list of URL shortening services is located at http://mashable.com/2008/01/08/url-shortening-services/.
Trusted or Untrusted
The most obvious risk associated with URL shortening is that it's difficult to know where the URL will take you until you click it. The true destination of the URL is opaque. Often when I receive a dubious link via email, I hover my mouse over the URL, or view the HTML source, to discover the real destination address and evaluate whether I trust it enough to click. With a shortened URL, it's hard to know where it will take me until I click it. Email phishing scams use URL shortening services for this very reason. [7]
Another problem with URL shortening is how it interacts with filters. In the past a spam filter could use the URL as one more hint that an email might be nefarious, but with a URL shortening service brokering the URL, the filter can't make any judgment about the real destination. Many URL shortening services take spam complaints and will disable URLs if they are discovered to point to spam websites. [3] Some also proactively search their URLs for blacklisted websites and remove or disable these shortened URLs. [4]
Not just spam filters can be bypassed. Both the Firefox and Google Chrome web browsers use Google Safe Browsing [5], a feature which warns users of malware or phishing sites. In the past, when a shortened URL was used, users were sent directly to the dangerous web page instead of getting a warning message. [6]
Less serious, but still problematic, is using URL shortening services to hide the motive for an online review or recommendation. A seemingly objective review is tainted when readers discover that the author gets a monetary kickback for sending people to the reviewed product's site. Since shortened URLs hide the real URL, they can be used to hide affiliate URLs and surreptitiously link to online stores. Most affiliate URLs are easy to spot, but when wrapped in a shortened URL, detection is more difficult. [8]
Another more remote, but still plausible, problem with URL shortening is that should a URL shortening service become compromised, hacking that one site would allow an attacker to redirect popular shortened URLs to phishing or malware sites.
Getting More Transparent
Many URL shortening services have added some level of "see before you click" functionality. For example, any tinyurl can be prepended with the text "preview" in the URL and it will not redirect, but instead show the destination URL for inspection at tinyurl.com. Take the tinyurl above and modify it as follows:
http://preview.tinyurl.com/bngrky
While this adds characters to the URL, it allows the user to evaluate the URL before redirecting to the site. BudURL has an even more compact preview function. Just adding a '?' to the end of the URL will turn it into a preview URL.
http://budurl.com/bsfs will auto redirect to the original URL
http://budurl.com/bsfs? will preview the link first
Some of the services provide a little popup window that displays a picture of the webpage when you hover over the URL link.
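To make the lookup-and-redirect mechanism, the "preview" variants and the opacity problem concrete, here is an added example (written for this page, not code from the original post or from any of the services listed): a toy shortener served on a loopback port, with a budURL-style trailing '?' preview, and a resolver that walks the redirect chain one hop at a time so the destination can be inspected before a browser would ever land on it. Everything in it is constructed: the service, the tokens, and the stand-in "/destination" page that plays the role of the 215-character Amazon URL so the demo runs offline.

```python
"""Toy URL shortener with a '?' preview mode, plus a resolver that expands
short links hop by hop instead of letting the client auto-follow.
Added example; not code from the original post or any real shortening service.
The service, the tokens and the /destination page are all constructed."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class Shortener:
    """The whole 'service': a table mapping short tokens to long URLs."""

    def __init__(self):
        self.table = {}

    def shorten(self, long_url, length=5):
        # Random tokens rather than a counter, so nobody can walk the table
        # by incrementing the token and harvesting every link ever shortened.
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if token not in self.table:
                self.table[token] = long_url
                return token

    def lookup(self, token):
        return self.table.get(token)


class ShortenerHandler(BaseHTTPRequestHandler):
    shortener = Shortener()  # replaced by start_server()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/destination":
            # Stand-in for the real target page (constructed), keeps the demo offline.
            self._send(200, b"<html><body>destination page</body></html>", "text/html")
            return
        token = urlsplit(self.path).path.lstrip("/")
        long_url = self.shortener.lookup(token)
        if long_url is None:
            self._send(404, b"unknown short link")
            return
        if self.path.endswith("?"):
            # budURL-style preview: a trailing '?' shows the target instead of going there.
            self._send(200, ("This link goes to: " + long_url).encode())
            return
        # Normal case: the redirect that a browser follows without asking.
        self.send_response(301)
        self.send_header("Location", long_url)
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(shortener):
    """Serve the shortener on a loopback port and return its base URL."""
    ShortenerHandler.shortener = shortener
    server = HTTPServer(("127.0.0.1", 0), ShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def _fetch(url, timeout=3):
    """One request with redirects NOT followed; returns (status, Location, body)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = parts.path or "/"
    if parts.query or url.endswith("?"):  # keep a bare trailing '?' for preview URLs
        target += "?" + parts.query
    conn.request("GET", target)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def expand(short_url, max_hops=5):
    """Walk the redirect chain hop by hop, as a link-expanding service does, and
    return every URL on the way; the last entry is where a click would land."""
    chain = [short_url]
    for _ in range(max_hops):  # bounded, so a redirect loop cannot run forever
        status, location, _body = _fetch(chain[-1])
        if not (300 <= status < 400 and location):
            break
        chain.append(urljoin(chain[-1], location))
    return chain


def preview(short_url):
    """Use the service's own '?' preview page rather than resolving it ourselves."""
    status, _location, body = _fetch(short_url + "?")
    return body.decode() if status == 200 else None


def demo():
    shortener = Shortener()
    base = start_server(shortener)
    long_url = base + "/destination"  # would be the 215-character Amazon URL in practice
    short_url = base + "/" + shortener.shorten(long_url)
    return short_url, long_url, expand(short_url), preview(short_url)


if __name__ == "__main__":
    short_url, long_url, chain, text = demo()
    print("short link:     ", short_url)
    print("redirect chain: ", " -> ".join(chain))
    print("preview says:   ", text)
```

The point of `expand()` is that it never lets the HTTP client auto-follow: each hop is fetched separately and the full chain is returned, which is exactly what a spam filter, a Safe Browsing lookup or a cautious user needs to evaluate the real destination, and the hop limit stops a looping or nested chain of shorteners from running away. `preview()` shows the cheaper alternative, relying on the service's own preview page, which of course only works for services that offer one.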
Conclusion
A hacker or spammer is empowered by using a "benign" URL shortening service that everyone uses and everyone trusts. Once the click is made, a homographic attack may follow and will make it very difficult for a normal user to detect that they are being redirected to a phishing site. The real danger is that people have become habituated to trusting unknown links from their friends. This is dangerous because if their friend's account is compromised, it might not be their friend sending a link and the shortened URL will be clicked without concern.
An example of this propensity to click occurred 12 Feb 2009. One of my friends tweeted, "Don't Click: (link)". I was curious, but I didn't click the link. Next another posted the same thing, then another! It seemed fishy to me, and I later found out that the link presented a web page with another button that said, "Don't Click!" Naturally curious people, trusting in their friend's recommendation, clicked the button and all of a sudden noticed that they had in fact tweeted the same link, though they never consented to doing so! It was the first socially engineered Twitter virus. [9] While this virus was started as a joke, it spread extremely fast. [10] Luckily this social virus was harmless, but it reinforces how effective a socially engineered virus can be.
There are always trade-off decisions to be made. In this case, the trade-off is between the convenience of a short URL and the need for disclosure of a URL's destination.
References
[1] Hammond, Tony, Timo Hannay, Ben Lund and Joanna Scott. Social Bookmarking Tools (I): A General Review. D-Lib Magazine 11, No. 4, 2005. http://www.dlib.org/dlib/april05/hammond/04hammond.html
[2] State of the Twittersphere - Q4 2008 Report. http://blog.hubspot.com/blog/tabid/6307/bid/4439/State-of-the-Twittersphere-Q4-2008-Report.aspx
[3] is.gd - Technical Information. http://is.gd/tech.php
[4] SURBL. http://www.surbl.org/
[5] Google Safe Browsing for Firefox BETA. http://www.google.com/tools/firefox/safebrowsing/
[6] Finjan's Malicious Code Research Center. Evasive URL techniques. 25 Jan 2009. http://www.finjan.com/MCRCblog.aspx?EntryId=2153
[7] McGrath, D. Kevin, and Minaxi Gupta. Behind Phishing: An Examination of Phisher Modi Operandi. https://www.usenix.org/events/leet08/tech/full_papers/mcgrath/mcgrath_html/mcgrath_gupta.html
[8] Parker, Ryan J. Shortening (Affiliate) Links For Prettier Linking. 20 Feb 2007. http://www.ryanjparker.net/shortening-affiliate-links-for-prettier-linking/
[9] Korben. Petit cours de Twitt Jacking :-). 30 Jan 2009. http://www.korben.info/petit-cours-de-twitt-jacking.html
[10] Johnson, Clay. What is this Don't Click business? 12 Feb 2009. http://sunlightlabs.com/blog/2009/02/12/what-dont-click-business/
Joshua Schachter posted about this very same subject earlier today! It's not a new problem by any means, but I think he makes some good points and there are some great comments as well. Check it out: on url shorteners
I've created a Wordpress plugin that side-steps some of the issues you describe, namely one of context: It allows the user to run shortened URLs on their own blog. The URL http://unweary.com/2009/04/the-security-implications-of-url-shortening-services.html could become http://unweary.com/fjirs for example. Obviously the savings are dependent on your domain name, but I think it solves the most pressing of issues with URL shortening.
You can check it out here http://philnelson.name/projects/le-petite-url/
An equivalent URL, for my purposes, to your example URL is http://www.amazon.com/dp/B00154JDAI which is only 35 characters long. But this requires some knowledge of the service, and is completely beside your other points.
You couldn't have picked a worse example URL. None of that referrer-tracking garbage is necessary.
http://www.amazon.com/Kindle-Amazons-Wireless-Reading-Generation/dp/B00154JDAI/ref=amb_link_83624371_1?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-1&pf_rd_r=0YPC2AH8155PQV3FWRPN&pf_rd_t=101&pf_rd_p=469942651&pf_rd_i=507846 dereferences the same as: http://amazon.com/dp/B00154JDAI/ — 215 characters becomes 32
hint: very interesting read, up to the point where it said "view the HTML source to discover the real URL destination", and that's where I stopped reading. This article is of less use to techies, and if you want me, John Doe, to read it in full, there are ideas I don't want to see in there.
Regarding Google's Safe Browsing: Since the URL shortening services send a redirect with the real URL, couldn't browsers just check Google's service with the redirect URL and then eliminate that problem? Short URLs would still bypass "human filters," but the Safe Browsing filter would still work.
Amazon URLs aren't quite as long as you say - everything after the ASIN is not necessary. That makes the Kindle's URL only this:
http://www.amazon.com/Kindle-Amazons-Wireless-Reading-Generation/dp/B00154JDAI/
Still too long for a tweet, but worth noting here that part of the problem comes from url cruft that's not actually necessary to navigate to the page or resource.
Fred, you are right that the Amazon URL can be shortened, but this article wasn't about Amazon's URL scheme. I'd wager that many if not most people don't know how to properly shorten these long URLs and even more don't even think about it. The assumption most often made is that the full URL is necessary so that is what is copied and shared.
Georgi, I'm sorry you found my habit of checking URL links in email offensive. I suppose it may not be clear that I'm sort of a technical guy. I think most users don't check URLs before they click, and wouldn't know what to look for even if they did. I think this is one of the main reasons phishing attacks are so successful. URL shortening services make verification of the URL destination even harder and therefore less likely.
If you have a wordpress blog, install your own url shortening service (That way at least you have control over your own links):
http://wordpress.org/extend/plugins/short-url-plugin/
Since posting this I've discovered more interesting information about URL shortening. Here they are:
Danny Sullivan's analysis and comparison of URL shortening services. http://searchengineland.com/analysis-which-url-shortening-service-should-you-use-17204
From: http://theprogressbar.com/archives/2009/04/joshua-schachter-on-url-shortener-services/
SPAM: More proof that shortened links are used for SPAM: http://news.ycombinator.com/item?id=503465
Longevity: If the URL shortener service loses data (like http://ma.gnolia.com/) or disappears (see http://6uold.blogspot.com/2008/06/long-list-of-url-shorteners.html) ALL those links will simply disappear.
While Jason Kottke suggests that if Twitter used their own URL shortening service all would be well: http://www.kottke.org/09/04/url-shorteners-suck The problem with this suggestion is that while Twitter is one instance (and a large one!) that exposes problems, they are just one instance, and all are vulnerable to the problems mentioned above.
While the internet has nearly numbed me to people using "loose" for "lose", that previous comment marks a first for "loosed" replacing "loses/lost". : )
let's attack the problem at its source: long url's.
we don't need 'em. they're nothing but a hassle.
google was a big cause of the problem, early on --
when they started giving juice based on the u.r.l. --
because people put more and more terms into it...
heck, an example is your own u.r.l. for this very post!
we do _not_ need the whole darn subject in the u.r.l.
(reminds me of that name cory gave to his daughter.)
but as long as it gets google-juice, people will do it...
so, to correct this, google should start penalizing sites
with long url's -- anything longer than 50 characters.
-bowerbird
Sorry about that error Rob. I fixed it.
With the increasing popularity of Twitter, and with spammers and phishing sites cottoning on to its potential, link transparency is a huge issue.
A few of the shortening services have started to address this with a preview feature; however, obviously this will only expand their own links.
A website I have found, http://www.expandmyurl.com, inspects short URLs from over 30 different shortening services, lengthening the URL so that you can safely see where your link takes you before you get there.
Seems like there is a need for some kind of standard. How about some kind of meta tag in each page which will specify which shortening service to be used for that page? If the site wants to host its own shortening service then it would specify the url for that or it can point to the preferred external shortening service.
Did you see LongURL.NET (http://my.longurl.net)?
It is a web service for URL shortening, but you can put your own ad at the top. You can put an ad link for your site or some affiliate link code. You can also buy cheap targeted traffic (ads shown by keywords).
http://my.longurl.net has some features which are unique and not supported in other URL shortening services. You can put your own ads at the top of the redirected page. You can also put your ads on URLs of other users. You can install the longurl plugin on your blog or forum and get money for advertising on their network.
i like is.gd more
David, the point was that while techies won't find anything intimidating about checking HTML source (I do this very often too), you might be losing the non-technical reader, for whom this article matters much more, as they're often less informed about the issues.
Got it. Yup, this is kind of a technical article. I suppose I could have targeted a less tech savvy user. Thanks for the feedback.
This article makes some very good points regarding internet security and the opacity of most URL shortening services. However, there are other options.
In contrast to the URL shortening services you mentioned, http://twi.bz maintains the original site address so you still have a good idea of where you're going. Your Amazon.com Kindle example looks like this: http://amazon.twi.bz/G
Just a thought.
We recently launched a new website that provides a URL shortening service for "multiple" websites:
http://www.viewista.com
Viewista creates a short URL for “multiple” websites. Plus, you can view the multiple sites all at once. We think it can be a real time-saver. You can also post comments on the sites and share with your friends, making it a social URL sharing service. Viewista can be particularly useful on Twitter because a user can create a short URL for multiple sites on a topic without having to use multiple tweets.
For me it has to be http://PonyURL.com. I've been using them for Twitter and so far so great for me.
I completely agree with the concerns David Weiss has expressed about url shortening as it's currently being applied.
This is why my partner and I built a new url shortener, SafeUrl.To, designed to be the most secure url shortener available.
We're taking it beyond preview screens to include user reporting and reviews, so you'll know if a link is malicious or otherwise not worthwhile before you take the risk of landing there yourself. We're here to bring greater transparency and security to the scene.
Would love comments - we're still adding features, and want to be useful. Please email Elissa at SilvaTechMedia dot com or find me on Twitter at ElissaBeth.
David Weiss - Thank you for including your references. Excellent reading material, looking forward to it and will share with my staff.
The default behaviour of all URL shortening services should be to display the full URL and ask if the user is sure they want to be redirected there. Not as neat, and I know that most services already offer this as an option, but making this the default makes sense I think.
That would help provide a simple place for ads, but slow the process. While it's a good solution, it doesn't help the problem of dead links once a URL shortener goes under.
But there is one problem with short URL services: they usually are not trustful. If you are using them on your sites it might bring you problems. The solution is to create your own short URL within your domain, like this:
mydomain.com/url/4et8
And it's easy to create a short URL script, but if you are not familiar with programming you can download it :)
Good post mate!! Keep 'em flowing!