One of the things I love about the OUCH! security awareness newsletter is the community feedback we get, such as questions on why we picked a certain topic, why we focused on the lessons we did or suggestions on how to improve the overall format. These interactions not only get me thinking, but in the long run they help us produce a better newsletter. One of the recent lessons I learned was on URL shortening. As most of you know, URL shortening is when you use a service such as bit.ly or tinyurl.com to take a very long URL and condense it into a very short URL. This is very useful for when you need a short URLs, such as for Twitter, when you have to read a URL over the phone, or for a .pdf document. Below is an example using the URL for this blog entry:
into this shortened URL:
The security risk with a shortened URL is you cannot tell where you are going when you click the link, you have to trust the sender. As a result, some organizations teach their employees not to trust shortened URLs, or simply block them at their network gateway. This poses a problem for the OUCH! team, as we use URL shortening so long URL's can fit in our newsletters. At the same time we have to respect the security risks that come along with that (this is a security awareness newsletter after all). The solution we have adopted is preview mode. By prepending 'preview' to a TinyURL, the service does not send you directly to the destination website. Instead this takes you to a landing page that gives you preview of where you will ultimately go.
As long as you can trust the URL shortening service, preview mode eliminates many of the risks associated with URL shortening. The one thing that surprises me about Preview though is how many people, even in the security community, are unaware of this functionality, of how this can be a safe alternative. TinyURL is currently the only shortening service I know that offers this. I think it would be great to have others offer it also.