[Cialug] TinyURL

Josh More MoreJ at alliancetechnologies.net
Fri Jul 16 19:59:51 CDT 2010


It's worth noting that noscript alone does not protect you against all attacks.  A lot of attacks hidden behind URL shorteners are of the phishing variety, and will collect information directly and without relying on scripts.

RequestPolicy ( http://www.requestpolicy.com/ ) does a good job of protecting against request forgeries.  I use it in combination with NoScript, AdBlock, and WebOfTrust to form a nice secure base.  I am also experimenting with Interclue, though at the moment, this one seems to not be worth the pain.

-Josh More, CISSP, GIAC-GSLC, GIAC-GCIH, RHCE, NCLP
morej at alliancetechnologies.net
515-245-7701
________________________________
From: cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf of Scott Prader [sprader at iastate.edu]
Sent: Friday, July 16, 2010 18:23
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] TinyURL

It does not.  The point of noscript being that, if you follow a tinyurl and you're not sure where it's going, the noscript will catch it if it's a clickjack or something that would otherwise lead to a headache of an afternoon.

-Scott

On Fri, Jul 16, 2010 at 9:57 AM, <j.bengtson at mchsi.com> wrote:
Yeah, got it, use it...does it have a URL shortening feature that I'm not aware of?


----- Original Message -----
From: Scott Prader
To: Central Iowa Linux Users Group
Sent: Thu, 15 Jul 2010 17:09:15 -0500 (CDT)
Subject: Re: [Cialug] TinyURL

One word: noscript.

http://noscript.net

-Scott

On Thu, Jul 15, 2010 at 3:09 PM, <j.bengtson at mchsi.com> wrote:
You would want it to be reversible...the intent isn't to secure the URL, it's to shorten the URL.  You would want anyone to be able to "de-shorten" the URL to compare it against blacklists, etc.  And of course you want the browser to be able to de-shorten it.

The problem with the URL shortener is that it has to be something that anyone can use to decode any URL, anywhere.  Requiring access to a database prevents that.

How about something like Base64, but which converts the string into a 12-character encoded string?  For example, take the URL
http://www.ameslug.org/node/1

Using Base64 you get "aHR0cDovL3d3dy5hbWVzbHVnLm9yZy9ub2RlLzE=", which is not an improvement.  But if you got instead "aHR0cDovL3d3", that would be much more manageable (if only it would decode back to the original URL string).


----- Original Message -----
From: Josh More
To: Central Iowa Linux Users Group
Sent: Thu, 15 Jul 2010 14:42:43 -0500 (CDT)
Subject: Re: [Cialug] TinyURL

Making proper hashing algorithms is actually really hard to do.  You have to worry about collisions and reversing (in most cases).


For URL shorteners,  it's often more efficient to implement an incrementer and just keep a database around.

-Josh More, CISSP, GIAC-GSLC, GIAC-GCIH, RHCE, NCLP
morej at alliancetechnologies.net
515-245-7701
________________________________
From: cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf of j.bengtson at mchsi.com [j.bengtson at mchsi.com]
Sent: Thursday, July 15, 2010 14:41
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] TinyURL

I wonder why no one has made a way to take any URL and automatically shorten it.  Consider an MD5 hash...you can take virtually any text, no matter how long, and the MD5 algorithm will return a 32-digit hex number.  How hard is it to make something similar, that can take a URL of any length and return an 8-character string that can then be decoded back to the original URL?  Make that algorithm public open-source, and you've got a tinyURL mechanism that isn't dependent upon any vendor, can be checked against a blacklist, and yet is short enough for mere humans to handle.


----- Original Message -----
From: Adam Shannon
To: Central Iowa Linux Users Group
Sent: Fri, 18 Jun 2010 22:54:01 -0500 (CDT)
Subject: Re: [Cialug] TinyURL

Having a service (or services) to shorten a url that breaks in use
(email, webpages...) is perfectly fine, but that service should only
be giving the user the actual link, not directing them to the link
they wanted.

What happens when that short link provider goes out of business or is
hacked, then I lose the ability to control where I will end up
(negating anything on the link I'm trying to reach does) because I
can't see where I'm going.  If the service is hacked and spreads
malware then anyone with javascript or cookies allowed on that domain
will be infected or tracked.

In my view, short url providers should only be presenting a page for
the user as to what the short link represents, the short link is not
the same link and therefore shouldn't act the same.  It's a
representation for another url.

Thoughts?


On Fri, Jun 18, 2010 at 17:26, Scott Prader wrote:
> Sometimes a URL that takes up multiple lines can get cut off with a carriage
> return inserted by some program, at some point.  When I see a link, I like
> to think that I can click on it and not get a 404.  TinyURL fixed this.
> What they don't do is auto-forward a 404 to archive.org, which tends to
> cover what a downed URL can't, whether it's complete or not.
>
> -Scott
>
> On Fri, Jun 18, 2010 at 4:58 PM, Barry Von Ahsen wrote:
>>
>> 7 ff addons tagged 'unshort url', probably more under other tags
>>
>> https://addons.mozilla.org/en-US/firefox/tag/unshort%20url
>>
>> -barry
>>
>> Nathan C. Smith wrote:
>> > Seems to me there could be a whole industry for a technology for
>> > converting the various short-URLs back to long ones, particularly if the
>> > tools and technology provide a means to mitigate potential risks.
>> >
>> > Don't bit.ly and others use a hash that stays the same for each
>> > shortening of a reference?  So that if you shorten cialug.org and send it to
>> > me I will get the same shortened url if I do it?
>> >
>> > -Nate
>> >
>> >> -----Original Message-----
>> >> From: cialug-bounces at cialug.org
>> >> [mailto:cialug-bounces at cialug.org] On Behalf Of Ed Meacham (@work)
>> >> Sent: Friday, June 18, 2010 3:12 PM
>> >> To: 'Central Iowa Linux Users Group'
>> >> Subject: Re: [Cialug] TinyURL
>> >>
>> >> I love the idea of URL shortening services. Though, they
>> >> definitely have instances where the use of one is more
>> >> appropriate than others... I don't see the need to shorten a
>> >> URL in an email, unless you're spreading "infectious-love."
>> >>
>> >> Rather than write off TinyURL/Bit.ly, I would blame improper
>> >> organization and/or the sender not qualifying the details of
>> >> the URL in the message.
>> >>
>> >> I see there is a plug-in for Thunderbird for converting a URL
>> >> into a TinyURL... wonder if it has a reversal option? (I
>> >> don't have Thunderbird installed on this machine to check) If
>> >> not, a lookup plug-in might be a good project for someone. :P
>> >>
>> >> -emeacham (@work)
>> >>
>> >> -----Original Message-----
>> >> From: cialug-bounces at cialug.org
>> >> [mailto:cialug-bounces at cialug.org] On Behalf Of Todd Walton
>> >> Sent: Friday, June 18, 2010 6:27 AM
>> >> To: Central Iowa Linux Users Group
>> >> Subject: [Cialug] TinyURL
>> >>
>> >> And another reason I hate this tinyurl thing... I know
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug





--
Adam Shannon
Web Developer
http://ashannon.us
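The following is an added example, not code from anyone in this thread. It works through the two shortening ideas discussed above: cutting a Base64 string down to 12 characters, and the incrementer-plus-database design, here with a preview lookup that reports the target and a blocklist verdict instead of redirecting. The names `Shortener`, `preview`, `encode_id`, `truncated_base64_roundtrip` and the host `bad.example` are hypothetical.

```python
import base64
import string
from urllib.parse import urlsplit

ALPHABET = string.digits + string.ascii_letters  # 62 symbols


def encode_id(n: int) -> str:
    """Render a non-negative counter value as a base62 string."""
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, rem = divmod(n, 62)
        out.append(ALPHABET[rem])
    return "".join(reversed(out))


class Shortener:
    """Counter-plus-table shortener: the code is only a key, so resolving
    it always requires the table (it cannot be decoded offline)."""

    def __init__(self, blocklist=()):
        self._next_id = 0
        self._by_code = {}
        self._by_url = {}
        self._blocklist = {h.lower() for h in blocklist}

    def shorten(self, url: str) -> str:
        if url in self._by_url:  # same URL always maps to the same code
            return self._by_url[url]
        code = encode_id(self._next_id)
        self._next_id += 1
        self._by_code[code] = url
        self._by_url[url] = code
        return code

    def preview(self, code: str) -> dict:
        """Report the target and an exact-host blocklist check; no redirect."""
        url = self._by_code[code]
        host = (urlsplit(url).hostname or "").lower()
        return {"url": url, "host": host, "blocked": host in self._blocklist}


def truncated_base64_roundtrip(url: str, keep: int = 12) -> bytes:
    """Decode only the first `keep` Base64 characters (keep must be a
    multiple of 4). 12 characters hold 9 bytes, so the rest is lost."""
    return base64.b64decode(base64.b64encode(url.encode())[:keep])
```

For the URL used in the thread, the 12-character string "aHR0cDovL3d3" decodes to just `http://ww`: a fixed-length code cannot carry an arbitrary-length URL, which is why the lookup table is needed.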
