A few tips on keeping short URLs from spelling big trouble
What you can't see could hurt you, so it pays to take a peek before clicking
- By William Jackson
- Oct 14, 2009
It is an ill wind that blows no one to good, and it is a rare technology that cannot be used for evil as well as good. A case in point is URL-shortening services. These redirection or forwarding services are convenient for short-form communications such as tweets and texting, but when you are clicking on a link, what you can’t see could hurt you.
The point of shortening a URL is to replace a traditional one that can contain dozens of characters with a short, snappy address that is easy to fit into a short message. In its original form, a URL can give you information about the location and hierarchy of the site. Much of this information is simply noise to most readers, but it can provide valuable information that is lost when the address is shortened to an arbitrary alphanumeric code.
In short, as Symantec’s Ben Nahorney put it in a recent blog, “clicking on any link like this is entirely a security leap of faith.”
URL shortening began well before the advent of Twitter and the 140-character microblog. One of the earliest and best-known services, TinyURL, was launched in 2002. But the popularity of Twitter has undoubtedly spurred growth in this niche service sector, and there now are hundreds of providers, although TinyURL remains one of the most popular. In a recent informal survey of Twitter users by Search Engine Land, TinyURL had a 31 percent user share, followed by bit.ly with 25 percent and is.gd with about 10 percent. But those rankings could shift some. Earlier this year, Twitter reportedly replaced TinyURL with bit.ly as its default service for shortening URLs in tweets.
The shortening services work in basically the same way. A user enters the shortened URL into the provider’s domain, and a short alphanumeric code then directs it to the proper URL. A six-character code using numerals and upper and lower case letters can provide billions of different six-character addresses.
There are ways to get a peek at the real URL behind the shortened version. TinyURL now has the option of presenting a link to the full URL rather than automatically redirecting when someone clicks on the shortened one, and plug-ins also are available for Web browsers that will preview the original URL.
There are a number of such products for Mozilla’s Firefox, including Interclue and Long URL Please. A Websnapr add-on for Internet Explorer generates a thumbnail of the target Web site when a user selects the URL or hovers over it with the mouse. It has been updated to detect shortened URLs and expand them for preview.
And you can call up a preview manually by typing “Preview.” in the shortened URL between “http://” and the domain.
Being able to see a URL does not guarantee that the address has not been spoofed in some way or that the site you are being directed to is safe. Increasingly, legitimate Web sites are being compromised and used to deliver malicious code to browsers. In a sense, clicking on any URL is a leap of faith, but if you can at least see it, it does not have to be blind faith.
William Jackson is a freelance writer and the author of the CyberEye blog.