[HN Gopher] Link shorteners: the long and short of why you shoul...
___________________________________________________________________
Link shorteners: the long and short of why you shouldn't use them
Author : edent
Score : 187 points
Date : 2021-06-10 16:02 UTC (6 hours ago)
(HTM) web link (gcs.civilservice.gov.uk)
(TXT) w3m dump (gcs.civilservice.gov.uk)
| HPsquared wrote:
| Perhaps a use for blockchain technology - persistent storage of
| shortened URLs.
| pc86 wrote:
| This is a joke, right?
| Aachen wrote:
| Definitely, but some people are deep enough into the PoW AI
| that the Cloud is too thick to C# through and many of the
| rest have knee-jerk reactions in the opposite direction.
| kybernetikos wrote:
| https://ens.domains/
| hrishi wrote:
| Feels like a bad idea. Shortened links often don't need the
| level of longevity blockchains provide, nor will they be able
| to afford the cost of decentralized storage with high
| availability.
| dheera wrote:
| It's probably a bad idea, but it might moon anyway and you
| might get rich creating a coin for it. The reality of money
| today I suppose
| Wowfunhappy wrote:
| A massively over-engineered solution for the completely made-up
| problem of not being able to use the original URL. Yes, that's
| _perfect_ for blockchain technology!
| ludamad wrote:
| Hey, we might just not fully trust our friends at archive.org
| to run an uncompromised database, and wish to trust 51% of a
| network instead. From that point of view we can point to a
| real problem and merely have it massively over-engineered!
| [deleted]
| croes wrote:
| Another point that's missing. If the link shortener goes out of
| business, your link is unreachable or you have to change them
| all.
| kwonkicker wrote:
| As someone who used to shorten his links a lot, that was my
| biggest concern. As an avid blog reader, though, I tried to avoid
| short links as much as I could, although very often to no avail.
| comprev wrote:
| This was a talking point when Libya descended into civil war.
| What happens to .ly TLD?
|
| https://www.outsidethebeltway.com/libya-the-internet-and-bit...
| _jal wrote:
| They deliberately hide payloads; they are not trustworthy.
|
| Now that I'm thinking about it, I should add bitly and related to
| my DNS blackhole...
| 3np wrote:
| I appreciate the core message, but it's quite disappointing to
| see a government message exclusively talking about how Google
| Analytics (coupled with Twitter/FB Analytics) is the one
| solution. Especially as they problematize user privacy.
|
| Given that this is mainly a message for those communicating on
| behalf of gov.uk, I think the best they could do is host a URL
| shortener for use by government communicators. It's also good
| advice for businesses.
| zinekeller wrote:
| Your concern is actually (partially) addressed:
|
| > If you're adding campaign URLs to offline materials - like
| posters or leaflets - and don't want to feature a long web
| link, I've got good news for you too. GDS provides the option
| to you to request a shortened version of a full GOV.UK URL.
|
| I'm disappointed that they mentioned Google Analytics. People
| willingly using Twitter (or Instagram) is a thing, involuntary
| Google tracking is another.
| cabbagehead wrote:
| When the org _pays_ for Google Analytics, Google does not
| share the tracking data with the rest of its business, so
| users' privacy is not harmed. GDS and many other UK
| government orgs do pay, for this reason.
| zackkatz wrote:
| I run my own using [YOURLS](https://yourls.org). It addresses the
| issues brought up in the article:
|
| Control your links, override slug names so they are readable,
| maintain private analytics, keep branded by running on your own
| domain.
|
| It's easy to set up and maintained by many of the people working
| on WordPress core. I recommend it.
| chias wrote:
| I worked with an org that ran their own link shortener... and
| used it for confirmation links! I'm not even kidding, you'd go to
| reset your password and as expected the link would be something
| like:
| ourapp.example.com/auth/reset?user=blah&token=1af17e73721dbe0c40011b82ed4bb1a7dbe3ce29eae4997c84600287f8866673d05fdaa1aa841a5a
|
| and then they figured, oh man, those links are unsightly for
| email, we'd best turn that into something like:
| ourapp.example.com/s/xO8pR
|
| That looks _way_ cleaner in an email.
| sonograph wrote:
| > ourapp.example.com/s/xO8pR
|
| Wow. And makes it easier to brute-force (Which I think you're
| insinuating). If the links have an auto-expire of 10 minutes,
| is the risk sufficiently mitigated? Or am I missing something
| else?
| fullstop wrote:
| Require the user to enter their user id again.
| nneonneo wrote:
| ...and make sure that the original URL doesn't include the
| user ID anywhere - it did in OP's original example, which
| means that any attacker could scrape the ID just by
| watching what the redirect went to (assuming a normal link
| shortening service was used)
| fullstop wrote:
| Right, that was implied.
|
| You'd need to rate-limit the shortened URL endpoint as
| well or increase the number of characters. Without it,
| you could reset a user's password and brute force all
| shortened possibilities while entering their username.
| There'd be enough red flags to identify and stop this
| type of behavior, I think.
| mewpmewp2 wrote:
| Assuming any of it is being actively monitored.
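The rate-limit-and-monitor point above, as an added example that is not part of the thread: detection logic run over constructed web-server log lines for a short-link endpoint like /s/. It flags a client that piles up 404s on short-link paths, an aggregate miss spike that per-IP limits would not catch, and, most usefully, a redirect served to a client right after a run of misses. Log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample in combined log format (not real traffic). 203.0.113.9
# walks consecutive /s/ slugs and mostly gets 404s; 198.51.100.4 is an
# ordinary user opening one emailed link twice.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jun/2021:16:02:01 +0000] "GET /s/xO8pR HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:16:02:03 +0000] "GET /s/aaaaa HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.9 - - [10/Jun/2021:16:02:03 +0000] "GET /s/aaaab HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.9 - - [10/Jun/2021:16:02:04 +0000] "GET /s/aaaac HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.9 - - [10/Jun/2021:16:02:04 +0000] "GET /s/aaaad HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.9 - - [10/Jun/2021:16:02:05 +0000] "GET /s/aaaae HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.4 - - [10/Jun/2021:16:05:30 +0000] "GET /s/xO8pR HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
REDIRECTS = {301, 302, 307, 308}


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Extract (client ip, timestamp, request path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT),
            m.group("path"), int(m.group("status")))


def _prune(q: Deque[datetime], now: datetime, window_s: int) -> None:
    """Drop timestamps that fell out of the sliding window."""
    while q and (now - q[0]).total_seconds() > window_s:
        q.popleft()


def detect_enumeration(lines: Iterable[str], prefix: str = "/s/", window_s: int = 60,
                       max_misses_per_ip: int = 3, max_misses_global: int = 50) -> List[dict]:
    """Alerts for short-link guessing:
      - per_ip_enumeration: one client exceeds max_misses_per_ip 404s in window_s
      - global_miss_spike: all clients together exceed max_misses_global
        (per-IP limits alone miss guesses spread over many addresses)
      - hit_after_misses: a redirect served to a client with recent 404s,
        i.e. a guess that landed on a live slug; this is the one to act on."""
    per_ip: Dict[str, Deque[datetime]] = defaultdict(deque)
    everyone: Deque[datetime] = deque()
    alerted = set()
    alerts: List[dict] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if not path.startswith(prefix):
            continue
        _prune(per_ip[ip], ts, window_s)
        _prune(everyone, ts, window_s)
        if status == 404:
            per_ip[ip].append(ts)
            everyone.append(ts)
            if len(per_ip[ip]) > max_misses_per_ip and ip not in alerted:
                alerted.add(ip)
                alerts.append({"kind": "per_ip_enumeration", "ip": ip,
                               "misses": len(per_ip[ip]), "since": per_ip[ip][0]})
            if len(everyone) > max_misses_global and "*" not in alerted:
                alerted.add("*")
                alerts.append({"kind": "global_miss_spike", "ip": "*",
                               "misses": len(everyone), "since": everyone[0]})
        elif status in REDIRECTS and per_ip[ip]:
            alerts.append({"kind": "hit_after_misses", "ip": ip,
                           "misses": len(per_ip[ip]), "slug": path[len(prefix):]})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the guessing client trips the per-IP alert on its fourth miss and then a hit_after_misses alert when the fifth slug redirects; the legitimate user never appears.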
| dheera wrote:
| Also, I never click on links in e-mails directly. For something
| like this I'd cut and paste the address; it seems Google puts
| another layer of redirection in Gmail to spy on you ("data-
| saferedirecturl", whatever that does in their JS)
| sneak wrote:
| It's a valve they can shut off when the targets are detected
| to be phishing or malware, so the link breaks.
|
| And, of course, tracking.
| dheera wrote:
| Since they control the rendering, they can shut it off by
| not hyperlinking the link or displaying a warning next to
| it, they don't need to put an always-on tracking mechanism
| in place that sends them click data even when the link is
| not determined to be malware.
| Telemakhos wrote:
| I imagine that many organizations would like to know
| which of their employees did click a link that turns out
| to be malicious, so that the company can check those
| employees' computers for malware. Tracking could be
| useful for determining the severity of the damage done by
| a successful phishing attack.
| gowld wrote:
| Gmail can track when you cut the URL...
| eeegnu wrote:
| ah yes, let me instead manually type the url into a new
| chrome tab, google will have no idea I went there.
| mediumdeviation wrote:
| I hope you've managed to fix this, because this is an obvious
| security issue. A long token is used precisely because it is
| long and unguessable. The shortened URL is subject to
| enumeration attacks which can be used to hijack accounts.
| ______- wrote:
| > A long token is used precisely because it is long and
| unguessable
|
| This. So much fun can be had by enumerating link shortener
| URLs. I've experimented with enumerating some services' URL
| schema. Most of the time the link pointed to innocuous things
| like Amazon affiliate links or whatnot. Sometimes you would
| find interesting content that made you go 'wow!', but that
| was very rare.
| chias wrote:
| Yeah. When I stumbled across this I had some conversations,
| with the net result that URLs containing authenticator tokens
| are no longer shortened :)
| jedberg wrote:
| > because this is an obvious security issue
|
| Not really. Usually password reset tokens are only valid for
| 10 or 15 minutes. With some basic rate limiting, you can stop
| a single actor from accessing more than one of those links in
| 15 minutes.
|
| And even if they work around that, you just ask the user to
| verify their email address when they click on the link. Being
| able to enumerate the reset tokens _and_ guess the right
| email address at the same time is highly unlikely.
| robertlagrant wrote:
| > you can stop a single actor
|
| It's not just unattached performers who are the threat.
| People of every relationship status and profession could
| be attacking.
| mewpmewp2 wrote:
| Verifying their e-mail address would be useless as attacker
| would already know the e-mail.
|
| Attacker knowing some existing user email will go to
| "forgot password" view and type in the e-mail for the user
| they plan to attack. Then after will start bruteforcing the
| token.
|
| It is highly unlikely they had rate limiting because they
| had long tokens there for a reason and most frameworks like
| Laravel for example which provide similar forgot password
| feature won't by default rate limit those tokens or at
| least haven't in the past. I am not up to date with current
| version of Laravel and I think it may be using signed urls
| instead. Which would also be obviously terrible if
| shortened.
|
| So the original team who built forgot pw didn't expect
| someone in the future to start shortening those urls, so it
| is unlikely they figured rate limiting to be necessary in
| this case.
|
| It would require in most cases conscious decision making
| and effort to specifically rate limit token guesses, likely
| to be out of scope.
|
| Catch all rate limiting by IP wouldn't work either because
| it would be arbitrary to use botnet to bruteforce.
|
| But in the OP example the e-mail/user was already in the
| url so included with the shortened url. In this case hacker
| could just try random short urls until they hit something
| and due to redirection also immediately know the e-mail.
| jedberg wrote:
| > Verifying their e-mail address would be useless as
| attacker would already know the e-mail.
|
| How?
|
| Everything you said is true for the implementation that
| was listed, but my point was short URLs for password
| reset aren't always bad, if other mitigations are in
| place, which should be in place anyway (rate limiting
| requests for password reset URLs and requiring
| verification of the email address).
| jonny_eh wrote:
| I doubt they implemented rate limiting though.
| read_if_gay_ wrote:
| Here's some more baseless guesswork: I am absolutely
| certain they did.
| jonny_eh wrote:
| I said "I doubt", you said "I am absolutely certain". Can
| you tell the difference?
| urbandw311er wrote:
| I doubt he can
| fullstop wrote:
| I'm not sure if this is still the case but there was a period
| of time when email clients would not transform the entire URL
| into a clickable link if it was too long. These were generally
| email clients which supported plain text only.
|
| Anyway, I think that I'd be okay with a shortener like your
| example as long as it:
|
| 1. Required me to enter my user id again
| 2. Was only valid for 30 minutes
| mattowen_uk wrote:
| Outlook desktop client still has problems with really long
| links in that although they remain clickable, they don't
| actually go anywhere.
| kbelder wrote:
| Yeah, we do that. It's simple and easy, allows us to tweak the
| destination of a published link if the site shuffles, lets us
| print simple short links that are quick to type but still are
| obviously our own domain.
|
| You can't do it for everything... for one thing, you don't gain
| search engine karma from the links. But it's often very useful.
| andruby wrote:
| Do you also do that for links with secret tokens like the
| reset password link the op mentioned? Because -spoiler- that
| makes those links very easy to guess/brute force
| kbelder wrote:
| No, I should have made that clear. Don't do it for links
| including tokens, user accounts, or anything like that.
| (Obviously.) Only on links you'd put out for mass
| consumption.
|
| Still, it can eliminate lots of unsightly cruft in a link.
| It can replace this:
| https://thisonecompany.com/productinfo/specs/?sku=sdfdf432&f...
|
| with: https://this.co/proddeets
| zzyzxd wrote:
| There are many valid use cases for URL shortener, I am not sure
| if this is one of them.
|
| IMHO, this is a display layer issue that only affects human
| eyes, and should be handled on display layer (html, email
| rendering...etc) -- just don't display the whole URL somehow.
| Machines won't have any problem processing that long link.
| jkaptur wrote:
| Some platforms do this. My understanding is that they're
| especially motivated by the fact that many people don't
| really distinguish between mybank.com/changepassword and
| mybank.attacker.com/changepassword.
|
| However, it really infuriates some vocal technical folks (e.g.
| https://www.androidpolice.com/2020/08/13/google-resumes-its-...).
| I think the compromise is good: hide the full URL by default, but
| have a setting or some affordance to show the full thing to
| people who do enjoy looking at it.
| natdempk wrote:
| The first link is a hex encoded token, 80 chars, 4 bits per
| char = 320 bits of information. The second shortened link key
| is likely base 64 encoded, 5 chars, 64 bits per char = 320 bits
| of information. These should be basically the same from a
| security perspective. Is there something I'm missing here that
| you're suggesting?
|
| Edit: This is wrong and should be 30 bits of information not
| 320 bits for the shortened form. 64 values = 6 bits not 64
| bits.
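The arithmetic in this comment and its correction, carried through as an added example that is not from the thread: a token of length n over an alphabet of size k carries n*log2(k) bits, so 80 hex characters give 320 bits and 5 base64url characters give 30. The block also turns that into the question a defender actually asks: given a validity window and a guess budget, how likely is a hit, and how long must a slug be. The 15-minute window, 10 guesses/s budget and 100 outstanding tokens are assumptions.

```python
import math
from typing import Dict

# Alphabet sizes for the two forms compared in the thread: hex for the
# original reset token, base62/base64url for a shortener slug.
ALPHABETS: Dict[str, int] = {"hex": 16, "base62": 62, "base64url": 64}


def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a token of `length` symbols drawn uniformly from
    `alphabet_size` symbols. 80 hex chars -> 320 bits; 5 base64url chars ->
    5 * 6 = 30 bits (64 values per char, not 64 bits)."""
    return length * math.log2(alphabet_size)


def hit_probability(bits: float, guesses: float, live_tokens: int = 1) -> float:
    """Chance that `guesses` random attempts land on any of `live_tokens`
    currently valid tokens in a space of 2**bits. Union bound, so it
    overestimates slightly, which is the safe direction for a defender."""
    return min(1.0, guesses * live_tokens / 2.0 ** bits)


def min_length(alphabet_size: int, guesses_per_window: float,
               live_tokens: int, max_probability: float) -> int:
    """Shortest token length keeping the hit probability within one
    validity window at or below `max_probability`."""
    length = 1
    while hit_probability(token_bits(alphabet_size, length),
                          guesses_per_window, live_tokens) > max_probability:
        length += 1
    return length


def compare_thread_example() -> Dict[str, float]:
    # Assumed scenario: tokens live 15 minutes, the attacker manages 10
    # guesses/s in total (per-IP limits do not bound traffic spread over
    # many addresses, so budget the aggregate), and 100 reset tokens are
    # outstanding at any moment.
    guesses = 15 * 60 * 10
    live = 100
    original = token_bits(ALPHABETS["hex"], 80)
    shortened = token_bits(ALPHABETS["base64url"], 5)
    return {
        "original_bits": original,
        "shortened_bits": shortened,
        "p_hit_original": hit_probability(original, guesses, live),
        "p_hit_shortened": hit_probability(shortened, guesses, live),
        "min_base62_length_1e-6": min_length(ALPHABETS["base62"], guesses, live, 1e-6),
    }


if __name__ == "__main__":
    for key, value in compare_thread_example().items():
        print(f"{key}: {value}")
```

Under those assumptions the 5-character slug gives roughly a 1-in-1200 chance of a hit per window, while a base62 slug needs 7 characters to bring that below one in a million.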
| niklasbuschmann wrote:
| base64 -> 64 possibilities -> 6 bits I guess?
| wizzwizz4 wrote:
| > The second shortened link key is likely base 64 encoded, 5
| chars, 64 bits per char
|
| No, 64 _values_ - or 6 bits. 6x5=30, not 320.
| natdempk wrote:
| Ah, RIP, my math is incorrect. Thanks.
| [deleted]
| joombaga wrote:
| I think it's usually base62.
| natdempk wrote:
| You can also use an alternate alphabet like this one
| https://base64.guru/standards/base64url which replaces +/
| with -_ which are URL safe characters.
| ______- wrote:
| https://www.kerstner.at/2012/07/shortening-strings-using-bas...
| rascul wrote:
| Probably is. Base64 includes + and / which I believe need
| to be URL encoded, plus the = padding can mean an extra
| step if you want to remove them to make the URL pretty.
|
| https://en.wikipedia.org/wiki/Base64#Base64_table
| treve wrote:
| We also don't know if the shortened urls are random.
| underdeserver wrote:
| I'm impressed by the level of involvement in this kind of stuff
| by the UK government.
| OJFord wrote:
| The 'Government Digital Service' (GDS, sort of 'tech company
| for the civil service') continually impresses me.
|
| I've no idea who (even which party) initiated it, but it was
| just sort of suddenly awesome. Or maybe it just evolved rapidly
| under great (civil) leadership and was 'always' there just not
| so great.
|
| Blog has lots of good stuff too, especially articles on
| accessibility often do well on HN, since that's something they
| 'obviously' need to worry about, and actually do & do it well.
|
| Often in comments here too (Robin something is a username I
| recall) - not the sort of crusty 'what's an HN?', 'you can't do
| that because the Oracle database on our IBM mainframe doesn't
| support it' department I might've formerly imagined at all.
| NikolaNovak wrote:
| >> 'you can't do that because the Oracle database on our IBM
| mainframe doesn't support it'
|
| Oh gawd that's literally my day job... :O
| adwww wrote:
| Yeah I'm a long time admirer.
|
| Sadly they are encountering resistance though. Some
| departments would rather spend £X bn contracts with HP,
| Fujitsu etc. so they can retain more control.
|
| Also they used to publish amazing service status dashboards,
| showing how many transactions were published, error / success
| rates, etc. for every digital service.
|
| Apparently these were all killed off recently with no
| replacement, and no good reason given.
| bern4444 wrote:
| If that's the US Dept of Digital Services you're talking
| about, I think it was created by the Obama administration to
| resolve the rollout of the Affordable Care Act site where
| people can sign up for various plans. They seem to do some
| cool stuff
| Dachande663 wrote:
| The GDS is the model the US dept was modeled after [0].
|
| [0]
| https://en.wikipedia.org/wiki/Government_Digital_Service
| GavinMcG wrote:
| The comment is referring to the predecessor in the UK, the
| GDS.
| [deleted]
| OJFord wrote:
| No, like more people than you might think, I am a non-
| American with internet access.
|
| (And commenting on an article hosted at civilservice.gov.uk
| no less.)
| pimlottc wrote:
| Sort of; the actual founding of USDS happened after the
| healthcare.gov recovery, but was directly inspired by that
| and included many of the same people, including the first
| administrator, Mikey Dickerson.
| p_l wrote:
| Fortunately I rarely see Oracle on IBM z.
|
| DB2 on IBM z is quite capable, I'd just like for there
| to be fewer artificial barriers between teams involved in the
| places I encountered it :/
|
| (Funnily enough some of it could be blamed on bright-eyed
| "modernizers")
| vincebowdren wrote:
| credit where credit's due, it was the tories in 2011.
| Cameron's own initiative, rumour has it.
| ChrisKnott wrote:
| To the extent you can credit a single person, it's probably
| Martha Lane Fox, but yes David Cameron gave it a lot of
| political support.
|
| Directgov 2010 and Beyond: Revolution not Evolution -
| https://www.gov.uk/government/publications/directgov-2010-an...
| jfengel wrote:
| I encouraged Quora to ban link shorteners. They were heavily used
| for spam and malware, avoiding whatever (meager) anti-spam
| mechanisms they were using. By "heavily" I mean "exclusively",
| though it's conceivable that somebody some time was using it
| legitimately.
|
| They never did implement that, but it sounds like it might be a
| good general rule for many web sites that accept and display
| content from users. If you're concerned about the way long links
| appear you can abbreviate them on the screen (the way HN does).
| ______- wrote:
| > My link shortening tool provides me with analytics
|
| I run a link shortener site, and use it privately and don't
| publicly expose the API.
|
| One thing I noticed regarding analytics, is that the click count
| is always skewed. When I post a shortened URL on Twitter, within
| seconds the click count is always `>10` views. After further
| investigation, it seems there are automated bots that scoop up
| URLs the very second they are posted.
|
| Also Twitter runs little microbrowsers that scan the page for
| metadata which helps them create a 'preview' of the link.
|
| After looking at the useragents of some requests I'm seeing
| generic Firefox UAs which I can only assume are random
| surveillants (not bots) who habitually scan Twitter for
| interesting or anomalous content. We truly do live in a world
| where nothing is left `unseen` (by bots or actual humans).
| CyberRabbi wrote:
| These days I never click shortened links without first verifying
| where they will take me. There is so much malware out there, and
| browsers are so nightmarishly insecure, that a single link click
| could result in getting completely pwned.
|
| Pro-tip: append the "+" character to any bitly link to show the
| target link without first visiting it.
|
| Pro-tip2: consider browsing with JavaScript disabled by default.
| Enable it on a per-domain basis.
| anderspitman wrote:
| I didn't know about the bitly + trick, thanks.
| Aachen wrote:
| Works on TinyURL and others too.
| k12sosse wrote:
| I still wouldn't trust the plus character to not fail or
| whatever one day. I manually expand each short URL I get using
| various webservices. I'm sure there's an extension for that. I
| would still just walk to the expander website and paste it in
| though.
|
| You're right. Short URLs are Shite urls.
| CyberRabbi wrote:
| Another more technical option is to make the request using
| curl and printing out the "location" header. Can browser
| extensions make non-redirecting requests and inspect the
| return headers?
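The curl-and-Location approach in this comment, as an added example that is not from the thread: a small expander that walks a redirect chain one HEAD request at a time with redirect-following disabled, so every hop is reported and no target page is ever loaded or rendered. Relative Location values are resolved against the URL that produced them, loops are cut off, and the chain is capped. The fetch function is injectable so the logic can be exercised with a constructed table; the host names in that table are assumptions.

```python
import http.client
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
Headers = List[Tuple[str, str]]


def next_hop(status: int, headers: Headers, current_url: str) -> Optional[str]:
    """Resolve the Location header of a redirect response against the URL
    that produced it (relative Locations are allowed by RFC 7231). Returns
    None when the response is not a redirect or carries no Location."""
    if status not in REDIRECT_STATUSES:
        return None
    for name, value in headers:
        if name.lower() == "location" and value.strip():
            return urljoin(current_url, value.strip())
    return None


def fetch_headers(url: str, timeout: float = 5.0) -> Tuple[int, Headers]:
    """One HEAD request with no redirect handling; the body is never read.
    Some shorteners answer HEAD differently from GET; if a hop returns an
    unexpected status, re-run with GET but still close without reading."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def expand(url: str, max_hops: int = 5,
           fetch: Callable[[str], Tuple[int, Headers]] = fetch_headers) -> List[str]:
    """Return every URL in the redirect chain starting at `url`, so the final
    destination (and every intermediate tracker) can be inspected before
    anyone clicks. Stops at the first non-redirect, on a loop (the repeated
    URL is appended once so the loop is visible), or after max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        target = next_hop(status, headers, chain[-1])
        if target is None:
            break
        chain.append(target)
        if chain.count(target) > 1:
            break
    return chain


if __name__ == "__main__":
    import sys
    for hop in expand(sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"):
        print(hop)
```

Compare the last element of the chain with what the shortener's own preview (the bitly "+" page) shows; a mismatch means the service or an intermediate hop is sending you somewhere other than advertised.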
| Thrymr wrote:
| There are some browser extensions that do similar things,
| I'd be interested if there is one that is particularly
| effective and security focused.
| XzetaU8 wrote:
| Additionally you can add [1]"Actually Legitimate URL Shortener
| Tool" filter list on uBlock Origin, which is recommended by
| [2]gorhill
|
| [1] https://github.com/DandelionSprout/adfilt/discussions/163
|
| [2]
| https://old.reddit.com/r/uBlockOrigin/comments/m5iecq/how_do...
|
| Description: In a world dominated by bit.ly, ad.fly, and
| several thousand other malware cover-up tools, this list
| reduces the length of URLs in a much more legitimate and
| transparent manner. Essentially, it automatically removes
| unnecessary $/& values from the URLs, making them easier to
| copy from the URL bar and pasting elsewhere as links. Enjoy.
| II2II wrote:
| As the article notes, we don't want to socialize people to
| click on just any link.
|
| I never click on links unless I know where it is going to lead
| me. Shortened links are one example. Even with an accompanying
| description, it raises red flags. Links to reputable image or
| video sharing sites without an accompanying description are
| another example, since you never know what is going to be on the
| other end.
| joshgree88 wrote:
| Why does the in-house URL shortener require 2 weeks notice and
| masses of paper work... Just throw together a gov.uk shortener
| tool...
| tfsh wrote:
| I assume the shorturl would be named (hypothetically
| gov.uk/ucas -> gov.uk/university-clearing-through-ucas). Fully
| established tech companies have a similar process for requesting
| short links, for instance Google has an internal form to
| request g.co/ short links.
| joshgree88 wrote:
| I do not believe that it takes 2 weeks to get one at Google?
| wizzwizz4 wrote:
| UK Government URLs are (practically) forever.
| ben0x539 wrote:
| Probably because they want to be in the loop.
| zinekeller wrote:
| I think that there should be an automatic tool for anything
| under .gov.uk and .nhs.uk, and then manual process for other
| links.
| ben0x539 wrote:
| I get the impression that they want to ensure people choose
| meaningful short(ish) URLs, rather than getting random
| alphanumeric suffixes, because they are invested in the
| trust placed in the gov.uk domain and it not looking like
| phishing bullshit. So it makes sense to me that they want
| to curate the namespace rather than making it either self-
| service or fully automated.
| joshgree88 wrote:
| Yeah absolutely but you can write a tool that does that
| and doesn't require 2 weeks wait time... It's just a crazy
| example of gov bureaucracy!
| robinoh wrote:
| I guess this is what they refer to as red tape?
|
| > _How to request a short URL_
|
| > Submit a new feature request using the support form.
|
| > You'll need to tell us:
|
| > - the reason you need a short URL
|
| > - the content or page the short URL will link to
|
| > - how your short URL will be used in marketing and
| promotion
|
| > - the channels you will be using, the number of users who
| will be targeted
|
| > - what the main message will be in your marketing and
| communications
|
| > - how many government departments or organisations will
| promote the short URL
| dredmorbius wrote:
| If you're _faced_ with shortened URLs and want to see where they
| lead before you click on them, URL expanders can be useful.
|
| DDG "url expander" returns a number of these. I've been relying
| on the first result, https://urlex.org/ , for some months now,
| particularly as my router/firewall blocks most actual shorteners
| as spam vectors.
|
| Note that if the shortened URL contains any specific private
| information, or would identify _you_ specifically, you're still
| facing a risk. For shortened URLs found "in the wild", they're a
| useful tool.
| robertlagrant wrote:
| The article's a bit odd. Half of the advice contradicts the other
| half.
|
| You don't need to link shorten, because social media does this
| already. But also, shortened links are bad and unprofessional.
|
| Don't worry - GA will do analytics. But also, watch out for
| privacy.
| ItalyPaleAle wrote:
| > Combining the information you get safely and securely from
| things like Twitter Analytics or Instagram Insights with your
| Google Analytics helps tell you even more about how your content
| is performing.
|
| Google Analytics and similar are blocked by a large (and
| increasing) number of visitors. By my estimates, about 40-80% of
| a website's visitors will not be counted in Google Analytics
| (depending on website and audience). Some browsers now block
| those platforms without the need for any add-on too (like Edge in
| "Strict" privacy mode).
|
| In short, GA is useless or soon will be.
| drdavid wrote:
| I have a new project site that's largely viewed by technically
| competent people. All my other logs indicate that I get a mere
| 50 to 75 unique visitors per day - not heavily trafficked.
| Google Analytics often counts about 10% of the visitors, which
| is easily confirmed by checking all the other metrics that are
| available to me.
|
| So, yeah, I'm not sure how much longer they'll be a viable
| source of data.
| gadders wrote:
| Ironically, the BBC (effectively part of the British civil
| service, no matter what they claim) uses a link shortener for
| their 7 Days News Quiz.
| 1_player wrote:
| Ironically, I got a letter from the NHS about getting my COVID-19
| vaccination, and it included a bit.ly link to some official NHS
| guidelines document.
| Aachen wrote:
| A letter can actually benefit from easier to type links,
| though. There's at least a point to it there. Too bad that
| bitly links contain more entropy than the password of the
| person typing it and don't avoid similar characters..... they
| could have chosen a service that actually optimizes for copying
| from paper instead of highest entropy per character.
| [deleted]
| jedberg wrote:
| The title of this should really be "why you shouldn't use 3rd
| party link shorteners". There are lots of good reasons to use
| internal shorteners (and this article even ends by telling their
| own users to use their internal gov.uk link shortener).
|
| At reddit we had a link shortener (redd.it) that was automatic
| for every post, which was useful for posting on social media,
| especially twitter, when the limit was 140 characters. There are
| lots of other uses for internal link shorteners too, like just
| having nicer URLs for publishing or saying out loud.
|
| But yes, the article is totally right about 3rd party link
| shorteners.
| bin_bash wrote:
| lol but look what they have to go through for their own
| shortener:
|
| > You can request a short URL if you're the GOV.UK lead or a
| managing editor in your organisation.
|
| > Submit a request for a short URL at least 2 weeks before you
| need it. GDS might not be able to meet your deadline if we do
| not get the full 2 weeks notice.
| jedberg wrote:
| Heh it's still the government. :)
| MinorTom wrote:
| Do note that this isn't just a short link like with, say,
| bit.ly, but a vanity link like https://www.gov.uk/brexit-eucitizens,
| which means you actually need to check them for validity before
| assigning them.
| [deleted]
| elicash wrote:
| I use them with mass SMS, where we do have a character limit in
| our messaging tool. We can go above it, but then we get charged
| for multiple messages.
|
| Custom domain, of course, or the carriers wouldn't like it.
| LennyHenrysNuts wrote:
| I don't think I'll be taking any advice from that surveillance
| state, thank you. It's like Darth Vader giving skincare tips.
| pityJuke wrote:
| As odd as this comparison is, it isn't even advice meant for
| you. It's meant for other Government agencies.
| zamadatix wrote:
| Ironically I think he'd have some great advice, as does this
| article.
| paulcarroty wrote:
| Is there a tool for anonymously getting https://goo.gl forwarding
| url? Will be very useful, 'cause this service is popular.
|
| P.S. Service discontinued, but a lot of links are available.
| Bitly and Ow.ly support will be cool too.
| sodality2 wrote:
| I believe API's exist. You can follow redirects in most
| webclients pretty easily, or there's "redirect detectives"
| online: https://www.redirecttracker.com/
| rootusrootus wrote:
| I've really grown to hate link shorteners. They get used to
| obfuscate the real URL, so of course my pihole and other
| adblocking software blocks them. But even the local gov't insists
| on using shorteners in the links they put in e-mail. Instead of
| just making the URL of the website sane. So I have to jump
| through hoops just to get to the site they link to.
| joshu wrote:
| i wrote a thing about this 12 years ago:
| http://joshua.schachter.org/2009/04/on-url-shorteners (hn
| discussion here: https://news.ycombinator.com/item?id=545565 )
| elondaits wrote:
| In my company we created our own link shortener using AWS S3.
|
| ... just create an S3 bucket with a short domain, configure it
| for static web hosting, and upload empty files which have the
| "Redirect" metadata property set to the destination URL. Voila!
|
| You won't have analytics (maybe this can be configured via AWS,
| but I can't say) but you don't need a server either.
|
| I want to eventually create a friendly control panel to create
| and delete shortcuts using React, AWS Lambda and Cognito... but I
| still haven't had time... and we only need to add a handful of
| short links per year. This can also be scripted and done quickly
| through the CLI.
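The S3-bucket shortener described in this comment, scripted as an added example that is not the commenter's own tooling: each slug becomes an empty object whose WebsiteRedirectLocation makes the bucket's static-website endpoint answer with a redirect. The check a practitioner would want is included: destinations are only accepted over https and on an allowlisted set of hosts, so the bucket cannot quietly become an open redirector, and slugs are restricted to a safe character set. Bucket name, hosts and mapping are assumptions; the boto3 upload is isolated in apply() and not exercised offline.

```python
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed policy for this constructed example: only https targets on the
# organisation's own hosts may be shortened.
ALLOWED_HOSTS = frozenset({"www.example.org", "docs.example.org"})
SLUG_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def target_problem(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Why a destination must be refused, or None if it is acceptable."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "target is not https"
    if parts.hostname not in set(allowed_hosts):
        return f"host {parts.hostname!r} is not on the allowlist"
    if parts.username or parts.password:
        return "target embeds credentials"
    return None


def slug_problem(slug: str) -> Optional[str]:
    """Why a slug must be refused, or None. Lower-case, digits and '-' only,
    so the key is unambiguous on paper and cannot smuggle path tricks."""
    if not slug or len(slug) > 64:
        return "slug is empty or too long"
    if not set(slug) <= SLUG_CHARS:
        return "slug has characters outside [a-z0-9-]"
    return None


def plan_redirect_objects(bucket: str, mapping: Dict[str, str]) -> Tuple[List[dict], Dict[str, str]]:
    """Turn slug->destination into one set of s3.put_object keyword arguments
    per accepted slug, plus a dict of rejected slugs with the reason. The
    object body is empty; the redirect lives in object metadata, which the
    S3 website endpoint turns into a 301 (the bucket must already be
    configured for static website hosting, e.g. via put_bucket_website)."""
    plans: List[dict] = []
    rejected: Dict[str, str] = {}
    for slug, target in sorted(mapping.items()):
        problem = slug_problem(slug) or target_problem(target)
        if problem:
            rejected[slug] = problem
            continue
        plans.append({
            "Bucket": bucket,
            "Key": slug,
            "Body": b"",
            "WebsiteRedirectLocation": target,
            "CacheControl": "max-age=300",  # so edited targets propagate quickly
        })
    return plans, rejected


def apply(bucket: str, mapping: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Upload the accepted objects with boto3 (network; assumed installed
    only where this actually runs). Note the S3 website endpoint itself is
    plain http; put CloudFront or similar in front for an https short domain."""
    import boto3
    plans, rejected = plan_redirect_objects(bucket, mapping)
    s3 = boto3.client("s3")
    for kwargs in plans:
        s3.put_object(**kwargs)
    return len(plans), rejected


if __name__ == "__main__":
    # Constructed mapping and bucket name; replace with your own.
    sample = {"proddeets": "https://www.example.org/productinfo/specs/?sku=sdfdf432"}
    plans, rejected = plan_redirect_objects("go-example-org-redirects", sample)
    for p in plans:
        print(p["Key"], "->", p["WebsiteRedirectLocation"])
    for slug, why in rejected.items():
        print("rejected", slug, ":", why)
```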
| tyingq wrote:
| Cloudflare's Workers/KV is pretty ideal for a link shortener.
| There's a small bit of js to write, but the KV database is just
| short->long and it's cached at the edge. And it's either free
| (< 100,000 requests/day) or $5 for 10 million requests.
|
| And the admin panel provides a simple way to edit the KV
| database, so you don't have to write a db editor.
| kevincox wrote:
| Note that Cloudflare Workers run _before_ the cache unless
| you get creative (you basically need a second Cloudflare
| domain configured in front of your workers). For something as
| simple as a URL shortener it may not be critical but it does
| mean that you are paying for every request which can add up
| for a popular link.
| tyingq wrote:
| Ah, I was talking about the other cache...the KV cache.
| Meaning that the short->long mapping is cached for
| performance reasons, so it's an eventually consistent,
| distributed, link shortener.
|
| But, yes, not free if you exceed 100k requests/day. $5 per
| 10 million requests beyond that.
|
| The idea of fronting it with the actually free regular
| cache is interesting. There is an API to control that
| "regular cache", so you could probably control that from
| the side rather than chaining the proxies/domains.
| brtkdotse wrote:
| > ... just create an S3 bucket with a short domain, configure
| it for static web hosting, and upload empty files which have
| the "Redirect" metadata property set to the destination URL.
| Voila!
|
| Heavy "Dropbox is just cvs mounted over ssh, easy!" vibes over
| here.
| madjam002 wrote:
| I went to generate a QR code the other day for a URL, just went
| onto some random website from a quick Google search.
|
| The generated QR code had the URL rewritten to a short URL, and
| buried in some small print was a limit to how many times the URL
| could be "scanned" before you have to pay.
|
| I guess these sorts of sites _really_ count on people missing
| this and spending thousands on print before realising.
| techbio wrote:
| There are good uses, but with the exception of doi (and
| apparently gov.uk's own), official documents are not one of them.
| edent wrote:
| We are also looking at DOI for UK gov docs & data to make them
| easier to cite.
|
| You can give us feedback at
| https://github.com/alphagov/open-standards/issues/75
| enriquto wrote:
| you should specify which country the "government" refers
| to. Do you propose a generic thing for governments around the
| world, or is it specific to a particular one?
| edent wrote:
| Thanks - I've updated it.
| Abishek_Muthian wrote:
| The article ironically links to a LinkedIn explainer which states
| that if the URL is > 26 characters it will be replaced with their
| URL, not a hyperlink like Twitter or many other platforms, which
| tells the reader where the link points after redirecting through
| the tracking URL.
|
| IMO, This defeats the context of the article.
| josefresco wrote:
| Meanwhile, domain registrars are still emailing customers asking
| them to "click this link" to verify their contact information. No
| URL shortening there, just a wildly irresponsible process.
|
| Edit: I know it's required by ICANN (I read the emails) it's the
| "click here" action that bothers me and perpetuates dangerous
| behavior.
| jayess wrote:
| It's mandated by ICANN.
| dylan604 wrote:
| Does ICANN actually mandate that a 'click this link' be
| included in the email, or that an email is sent asking the
| user to verify data so that a 'please login to your account
| to verify' would suffice?
| duskwuff wrote:
| > Does ICANN actually mandate that a 'click this link' be
| included in the email
|
| Probably. It's been a while since I worked in that
| industry, but ICANN has always been pretty picky about the
| exact contents of emails.
|
| Changing the user workflow in the way you're describing is
| out of the question. The entire purpose of clicking a link
| in the email is to confirm that the email was received at
| the domain's WHOIS contact address. Allowing a user to log
| in and click "confirm" without clicking a link in the email
| wouldn't confirm that.
| josefresco wrote:
| > Does ICANN actually mandate that a 'click this link' be
| included in the email
|
| This is my issue. I've spent years telling clients to not
| click any links in an email from your bank/insurance etc.
| but yet Network Solutions and others are still putting a
| big fat "Click here" button in the email.
| asdff wrote:
| What about link largeners? How secure is urldefense really when
| everyone runs on it?
| jsjohnst wrote:
| Another problem with long lived short URLs is that the account
| used to generate it can be hijacked later and the short URL be
| pointed at a different destination with malware or other
| malicious intent at the end. I've seen this happen a lot in my
| time.
| fizwhiz wrote:
| Turns out having your short URLs _too short_ can also be
| problematic: https://arxiv.org/pdf/1604.02734v1.pdf
|
| An example in this paper cites the shortener used by Google Maps.
| The researchers were able to enumerate all the short links by
| brute force and join destinations from specific residential
| addresses. This is scary because now you've essentially created
| all points of interest that 1 person visits (originating from
| their home address).
|
| Google's response was to _expand_ their URL tokens from 5
| characters to 12. The sparseness makes it uneconomical for
| someone to brute-force their way through. Microsoft OneDrive's
| response was... interesting.
| dredmorbius wrote:
| This is giving me pause to think on when you want short and
| dense pattern spaces, and when you want sparse spaces.
|
| Published articles meant to be accessed publicly seem like a
| case for the former. The _idea_ is for those references to be
| found, and a search space which is both _predictable_ and
| _small_ is preferred. Here I tend to like schemes such as:
| example.com/yyyy/mm/dd/nnnn.../<optional descriptive>
|
| That is, for temporal data, explicitly code in the year, month,
| and day (and finer gradations of time if appropriate), then an
| item number (possibly sequential). The optional descriptive
| text might include author(s) and title(s).
|
| Dates aren't always required. Some well-known cases
| (comparatively) are Amazon's reliance on SCU, iBiblio's
| reliance on ISBN, and Worldcat's reliance on OCLC. (You can
| omit all other index elements on the URL to obtain the desired
| result.)
|
| _Sparse_ spaces tend to be for _non-published_ / _non-public_
| entities and documents. Google+ in particular had a 20--21
| digit numeric userid (apparently used within Google as the
| account UUID). Even with some 3--4 _billion_ registered
| profiles (the vast majority auto-created through Android device
| registrations), the space was sparse to a ratio of _trillions_
| (and higher when interest was focused on only the 100--300
| million or so active accounts). This had a huge impact on the
| ability to crawl the space efficiently, as a brute-force search
| would have taken some time. Fortunately, Google provided
| sitemaps....
|
| A related concept is James C. Scott's notion of _legibility_
| (from _Seeing Like a State_), and where it is and is not
| advantageous, and for whom.
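The two comments above (fizwhiz on enumerable 5-character tokens versus 12-character ones, and dredmorbius on dense versus sparse ID spaces) share one quantitative point: how many guesses an untargeted sweep needs per live link. The following is an added example, not code from the thread, the arXiv paper or any shortener vendor. The 62-symbol alphabet, the 5-to-12 character comparison and every live-link count passed in are assumptions constructed for illustration; the page gives the character counts but not the alphabet or the number of live links.

```python
"""Added example: how token length turns a short-link namespace from
"walkable" into "sparse", as a defender would size it.

Assumptions (constructed, not figures from the page):
  ALPHABET   - 62 URL-safe symbols; real shortener alphabets differ.
  live_links - made-up counts of tokens that resolve to a real URL.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, assumed


def token_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def enumeration_cost(length: int, live_links: int,
                     alphabet_size: int = len(ALPHABET)) -> dict:
    """Estimate what a blind sweep of the token space would cost.

    density        - fraction of the space that resolves to a live link
    probes_per_hit - expected random guesses per live link found
    space_bits     - log2 of the space size, comparable to a key length
    """
    space = token_space(length, alphabet_size)
    if live_links <= 0 or live_links > space:
        raise ValueError("live_links must be between 1 and the space size")
    return {
        "space": space,
        "density": live_links / space,
        "probes_per_hit": space / live_links,
        "space_bits": math.log2(space),
    }


def is_sparse_enough(length: int, live_links: int,
                     min_probes_per_hit: float = 1e9) -> bool:
    """Policy check: does a random guess cost at least min_probes_per_hit
    on average?  The threshold is a constructed default; pick it from
    your own rate limits and the value of what a link reveals."""
    return enumeration_cost(length, live_links)["probes_per_hit"] >= min_probes_per_hit


def generate_token(length: int) -> str:
    """Draw a token uniformly with a CSPRNG.

    A nominally large space is only sparse if tokens are uniformly random;
    sequential or time-derived tokens cluster and become walkable again."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare(live_links: int, short: int = 5, long: int = 12) -> dict:
    """Side-by-side cost for the two token lengths named in the thread."""
    return {n: enumeration_cost(n, live_links) for n in (short, long)}


if __name__ == "__main__":
    # 100 million live links is a constructed figure.
    for length, cost in compare(100_000_000).items():
        print(f"{length:2d} chars: space={cost['space']:.3g} "
              f"density={cost['density']:.3g} "
              f"probes/hit={cost['probes_per_hit']:.3g} "
              f"bits={cost['space_bits']:.1f} "
              f"sparse_enough={is_sparse_enough(length, 100_000_000)}")
    print("sample 12-char token:", generate_token(12))
```

With 100 million live links, a 5-character space of about 9.2e8 tokens yields a live link roughly every 9 guesses, while 12 characters push that past 1e13 guesses per hit. That ratio, not the raw token count, is the number to compare against the probes an attacker can afford under your rate limits.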
| grayhatwarfare wrote:
| https://grayhatwarfare.medium.com/how-to-search-urls-exposed...
___________________________________________________________________
(page generated 2021-06-10 23:01 UTC)