There has been plenty of buzz about URL shorteners and security. URL shorteners have been described as a new attack vector since being popularized by social networks such as Twitter. I don't feel that URL shorteners are any more of a threat than their full-length counterparts, and here's why.
How URL Shorteners Work
The purpose of a URL shortener is to replace a long URL (e.g: https://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html
) with a shorter one (e.g: http://bit.ly/cikl0z
). Upon clicking on http://bit.ly/cikl0z
, a user is redirected to https://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html
via an HTTP 301 redirection:
GET /cikl0z HTTP/1.1
HTTP/1.1 301 Moved
GET /downloadwhitepaper_stateofweb-q4-2009.html HTTP/1.1
HTTP/1.1 200 OK
The browser made two requests: one to http://bit.ly/cikl0
and one to https://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html
Existing Defense Mechanisms
All the existing in-browser (Google Safe Browsing
in Firefox, Opera's Fraud Protection
, etc.) or external (IDS, proxy, etc.) URL scanners are applied on both the initial short and redirected long URL requests. If the long URL is a known malicious site, it will be stopped whether or not the the user clicks directly on the long URL or a shortened one.
Firefox Safe Google Browsing warning on a URL after a redirection
Also, content inspection (antivirus, deep packet inspection, etc.) is applied on both requests.
The use of URL shorteners and redirections does not require any new security inspection. All of the web browser security tools in place prior to the use of URL shorteners are still relevant.
Hiding the Real URL
The main argument against URL shortening services is that users don't know which domain they are being redirected to. In our previous example, users see the bit.ly host name in the link address, and do not know that they will be redirected to www.zscaler.com until after they click on the link. After the redirection, the ultimate destination URL can be seen in the web browser address bar.
The long URL is displayed in the browser address bar after redirection
How many people know the difference between a good URL and a bad URL? Even then, how can anyone be sure that a site won't serve malicious content? Many perfectly legitimate websites (Red Cross
, Indian government websites
, etc.) have been hacked and can contain an infamous hidden iframe
to spread malware. Well-known websites are no longer necessarily safer than unknown or new sites. Simply using the reputation of the hostname to decide whether a URL is safe is not a good idea.
In a post Michael wrote a year ago
, he checked 100,000 TinyURL
(URL shortener service) URLs. He found no links to malicious executable files, no phishing sites, and very few redirections to malicious content.
I believe the danger of URL shorteners has been overblown, mainly based on the idea that individuals are in a position to determine if a website is dangerous or not simply by looking at the final URL. Users are far better off relying on antivirus, URL denylists, and regular browser updates for security. And these tools work just fine for shortened URLs as well.