Security Awareness Blog

Secure Options for URL Shortening

One of the things I love about the OUCH! security awareness newsletter is the community feedback we get, such as questions on why we picked a certain topic, why we focused on the lessons we did, or suggestions on how to improve the overall format. These interactions not only get me thinking, but in the long run they help us produce a better newsletter. One of the recent lessons I learned was on URL shortening. As most of you know, URL shortening is when you use a service such as bit.ly or tinyurl.com to take a very long URL and condense it into a very short one. This is very useful when you need a short URL, such as for Twitter, when you have to read a URL over the phone, or for a .pdf document. Below is an example using the URL for this blog entry:

http://www.securingthehuman.org/blog/2011/02/16/secure-options-url-shortening

into this shortened URL:

http://tinyurl.com/4umda63

The security risk with a shortened URL is that you cannot tell where you are going when you click the link; you have to trust the sender. As a result, some organizations teach their employees not to trust shortened URLs, or simply block them at their network gateway. This poses a problem for the OUCH! team, as we use URL shortening so long URLs can fit in our newsletters. At the same time we have to respect the security risks that come along with that (this is a security awareness newsletter after all). The solution we have adopted is preview mode. By prepending 'preview.' to a TinyURL, the service does not send you directly to the destination website. Instead, it takes you to a landing page that shows you a preview of where you will ultimately go:

http://preview.tinyurl.com/4umda63

As long as you can trust the URL shortening service, preview mode eliminates many of the risks associated with URL shortening. The one thing that surprises me about preview mode, though, is how many people, even in the security community, are unaware of this functionality and of how it can be a safe alternative. TinyURL is currently the only shortening service I know of that offers this. I think it would be great to have others offer it also.
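Two checks a reader can automate from this post, written here as an added example rather than anything from the OUCH! team: rewriting a short link into the service's own preview form (the 'preview.' prefix for TinyURL described above, and the trailing '+' for bit.ly that the comments below describe), and resolving a short link's redirect target without following it. The host rules and the HEAD-request approach are my assumptions, not a published API of either service.

```python
"""Defender-side helpers for shortened URLs (added example, not from the blog)."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, urljoin
import urllib.error
import urllib.request

# Host -> rewrite that yields the service's preview page. Only the two services
# named on this page are covered; anything else returns None (no guessing).
PREVIEW_RULES = {
    "tinyurl.com": lambda p: p._replace(netloc="preview.tinyurl.com"),
    "preview.tinyurl.com": lambda p: p,                 # already in preview form
    "bit.ly": lambda p: p if p.path.endswith("+") else p._replace(path=p.path + "+"),
}


def preview_url(url: str) -> Optional[str]:
    """Return the preview-page URL for a known shortener, or None if unknown."""
    parts = urlsplit(url)
    rule = PREVIEW_RULES.get((parts.hostname or "").lower())
    if rule is None:
        return None
    return urlunsplit(rule(parts))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the destination is never requested."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then surfaces the 3xx as an HTTPError


def resolve_without_following(url: str, timeout: float = 5.0) -> Optional[str]:
    """HEAD the short URL and return its Location target, or None if it is
    not a redirect. Needs network access; nothing here runs offline."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: the short URL is itself the final page
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            loc = err.headers.get("Location")
            return urljoin(url, loc) if loc else None
        raise


if __name__ == "__main__":
    for short in ("http://tinyurl.com/4umda63", "http://bit.ly/17ZQ3I"):
        print(short, "->", preview_url(short))
```

The preview rewrite is purely string-based and safe to run on untrusted input; the resolver issues a single HEAD request to the shortener only, never to the destination it reports.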

7 Comments

Posted February 23, 2011 at 7:43 AM

ETerminator

Bit.ly also has a service that is somewhat similar to the preview. If you type a + after a bit.ly URL (e.g. http://bit.ly/17ZQ3I ), you get a statistics page where you can see the full long URL.

Posted February 24, 2011 at 3:59 PM

lspitzner

Very cool, I had no idea!

Posted February 28, 2011 at 6:36 PM

Tim

Not exactly true. Here's bitly's comment: "For Firefox and Chrome browser users, we also have a Preview Plugin that allows you to view link details before clicking. If you are a Twitter user, similar preview features are available from Tweetdeck."
If you don't have the plugin or use another service, it appears there is no way to preview the link except by another service that offers this feature.

Posted March 19, 2011 at 6:54 AM

Jason

McAfee now has a secure URL shortener: http://mcaf.ee/

Posted December 13, 2012 at 9:18 PM

Jon

What about the other side of security? Do you know of any URL shortening services that have safeguards in place to try to prevent someone from guessing the shortened URL? The standard URL shortener code seems to be 6 chars, which would be easy to brute force to find pages sent.

Posted December 14, 2012 at 2:48 PM

lspitzner

To be honest, Jon, I'm afraid I really don't understand the question. If you mean are there any ways to expand the shortened URL, absolutely. http://www.longurl.org is one option for that.

Posted May 26, 2013 at 9:31 AM

Purnesh Tripathi

I developed a secure link shortening service which provides protection from misuse of any shortened URL. You can password protect the links that you want to be secure, and every time someone wishes to go through a link that you've created, he'll have to enter the password set by you.
The URL is http://ln0.in
(pronounced as Natural Log Zero . in, just for the sake of fun)