Easy URLs - a good or bad system
Introduction
The URLs (Uniform Resource Locator) are one of the crucial items in using the Internet. It specifies where an Internet resource is available and how to get it.
The URL http://www.norman.com/technology/norman_sandbox/54570/en for example specifies that the particular Internet resource technology/norman_sandbox/54570/en resides on the computer www in the domain norman.com. To get that resource one has to use the http method (hypertext transfer protocol), which is commonly used for web browsing, and is the method most used on the Internet.
As the information available on the Internet has been continuously growing and publishing to some extent automated, such URLs may often be long, complex and obscure. They are cumbersome to write and the linking technology where one clicks on a URL to retrieve the resource, is thus quite useful.
Twitter - a boost for the short URL providers
Linking solves the problem with manually typing the URL on the keyboard. However, it does not solve the issue that somewhere behind the visual link there must be information about the URL itself. And that constitutes a problem when you have a small number of characters at your disposal. This is the issue with some social networks like Twitter, where only 140 characters are the maximum for each message. The URL above to information about Norman's SandBox technology uses more than one third of the characters at the posters disposal.
Enter short URL providers, which have experienced a boost in popularity corresponding to the growth of Twitter and similar social networks with limited message length.
Among several providers of URL shortening functionality are:
The functionality of short URLs
In brief the short URL providers offer a translation scheme between a short and easy URL to a longer and more complex URL destination. The translation between the short and the longer URL is performed by the provider of the short URL.
This functionality is obviously useful and tempting at a first glance. As we shall see, however, it also has its security issues.
Security issues - two different types
There are at least two completely different security issues involved in using the short URL functionality.
Vulnerabilities by the short URL providers
This is the most serious security issue.
If the system itself is somehow compromised, the consequences may be severe. An insider within the short URL provider or an external hacker may change the system in such a way that the short URLs do not "translate" to what the users intended. Instead the short URLs could transfer the innocent surfer who clicks on a short URL to web sites with malicious content (worst case).
And this scenario is not just theoretical:
15 June 2009 one of the URL shortening services - Cligs - was hacked according to a blog posting on the provider's web site. This affected around 2 million short URLs, which after the hacking linked to another destination than intended.
Security issues caused by malicious users of the system
This type of issues is possible if (as!) not all users of such a system may be benignant. Although the short URL providers may have some system in place to check the web pages that the short URLs refer to, such systems are never foolproof. The creators of a short URL may refer this to e.g. a malicious web site, or to a site where she receives some profit based on the number of visitors coming from a particular URL.
Shortcoming in the system itself
Normally when one sees a link it is possible to hover the mouse over it and it will display where the link leads to. One may then decide whether one feels comfortable with clicking the link or not.
That extra information is not available for the users who must decide what to do based on a short URL.
Summing up
The short URL functionality obviously has its merits. However, there are shortcomings and security issues that make the system in itself less secure than desired.
