By: Julien Sobrier

Are URL Shorteners Really Dangerous?

Compromise

There has been plenty of buzz about URL shorteners and security. URL shorteners have been described as a new attack vector since being popularized by social networks such as Twitter. I don't feel that URL shorteners are any more of a threat than their full length counterparts and here's why...

How URL shorteners work


The purpose of a URL shortener is to replace a log URL (e.g: http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html) with a shorter one (e.g: http://bit.ly/cikl0z). When a user clicks on http://bit.ly/cikl0z, he is redirected to http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html via an HTTP 301 redirection:
 
GET /cikl0z HTTP/1.1
Host: bit.ly

HTTP/1.1 301 Moved
Location: http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html
----------------------------------------------------------
GET /downloadwhitepaper_stateofweb-q4-2009.html HTTP/1.1
Host: www.zscaler.com

HTTP/1.1 200 OK
The browser made two requests: one to http://bit.ly/cikl0 and one to http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html


Existing defense mechanisms

All the existing in-browser (Google Safe Browsing in Firefox, Opera's Fraud Protection, etc.) or external (IDS, proxy, etc.) URL scanners are applied on both the initial short and redirected long URL requests. If the long URL is a known malicious site, it will be stopped whether or not the the user clicks directly on the long URL, or on a shortened URL.
 
Firefox Safe Google Browsing warning on a URL after a redirection

Also, content inspection (Antivirus, Deep Packet inspection, etc.) is applied on both requests.

The use of URL shorteners and redirections does not require any new security inspection. All of the web browser security tools in place prior to the use of URL shorteners are still relevant.

Hiding the real URL

The main argument against URL shortening services is that users don't know which domain they are being redirected to. In our previous example, users see the bit.ly host name in the link address, and do not know that they will be redirected to www.zscaler.com until after they click on the link. After the redirection, the ultimate destination URL can be seen in the web browser address bar.
 
The long URL is displayed in the browser address bar after redirection

How many people know the difference between a good URL and a bad URL? Even then, how can anyone be sure that a site won't serve malicious content. Many perfectly legitimate websites (Redcross, Indian Governmental websites, etc.) have been hacked and can contain an infamous hidden iframe to spread malware. Well-known websites are no longer necessarily safer than unknown or new sites. Simply using the reputation of the hostname for deciding whether a URL is safe or not is not a good idea.

In a post Michael wrote a year ago, he checked 100,000 TinyURL (URL shortener service) urls. He did not find any link to a malicious executable, no phishing sites, and really few redirections to malicious content.

I believe the danger of URL shorteners has been overblown, mainly based on the idea that individuals are in a position to determine if a website is dangerous or not simply by looking at the final URL. Users are far better off relying on antivirus, URL blacklists and regular browser updates for security. And these tools work just fine or shortened URLs as well.
 
- Julien

Learn more about Zscaler.