Q

URL shortening security best practices

Expert Michael Cobb weighs in on risks you may not know about with shortened URLs from TinyURL or Bit.ly.

With the influx of social networks, and more specifically URL shorteners such as TinyURL.com, I'm concerned employees will click on infected links. What are some link-validation tools worth considering, and could you also provide some tips on how to check if a link is legitimate or not?

The success of social networking sites like Twitter has dramatically increased the use of URL shortening services. By shortening a URL in a tweet, you can often use 100 characters or more for the rest of the message. However, shortened URLs do represent a security risk, as it is impossible for the recipient to tell from the shortened URL where the link goes. Hovering over a regular link lets you see the full URL, allowing you to make a judgment call on whether to click it. Spam filters can't make decisions about shortened URLs either, and this lack of transparency has made shortened URLs a weapon of choice for hackers.

Thankfully, many URL shortening services have added some form of "see before you click" functionality. For example, TinyURLs can be viewed via "preview," so instead of redirecting you to the destination webpage, the full destination URL is shown at TinyURL.com. BudURL provides the same functionality, but by adding a "?" to the end of the URL. It's good that URL shortening services have recognized the dangers their services introduce, but there are so many shortening services that nobody is going to remember how to use the security features of each one. This makes features such as a pop-up window displaying an image of the destination webpage when you hover over the shortened link a better safety mechanism. Increasingly, URL shortening services like Safe.mn check every URL against cloud-based blacklists of untrusted websites before generating a link for it.

Although these types of preventative measures provide some protection, you can't dictate which shortening service people use. This is where the Firefox browser plugin Long URL Please can prove useful. It automatically expands URLs shortened by over 80 different services so users see the full URL instead. Its developers also provide an API and a script that you can incorporate into your own programs for expanding short URLs, which makes it easier for regular Web filtering devices to control access to malicious sites.

But just because your employees can see the full URL doesn't mean the website is safe and free of hostile content. The only way to check whether a link is legitimate is to use link checking or site filtering technology, such as OpenDNS, that weeds out known malware-infested pages. Such services won't ever be 100% accurate, but they provide a way to block undesirable content and prevent users on your network from loading known malicious websites. As part of your security awareness training, I would make sure you keep employees up to date with the latest tricks being used in social engineering-based attacks.
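The two checks described above (expanding a short link hop by hop so the true destination is visible, then screening that destination against a blocklist before anyone loads it) can be combined in a small filter. The following is an added example, not code from the article or from Long URL Please; the `http_head` fetcher, the hop limit and the domain table are assumptions, and `SAMPLE_HOPS` is a constructed stand-in for live shortener responses so the logic runs offline.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # assumption: a shortener pointing at another shortener beyond this is itself suspect


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """Live fetcher (assumed): HEAD only, never downloads the page body.
    Returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as e:  # with redirects disabled, a 3xx surfaces here
        return e.code, e.headers.get("Location")


def expand_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow the redirect chain one hop at a time. Returns (chain, final_url, reason)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, chain[-1], "resolved"
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain, chain[-1], "too-many-hops"


def host_blocked(url, blocklist):
    """True if the URL's host is a blocked domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


def check_short_url(url, blocklist, fetch=http_head):
    """Expand, then decide: block on a listed destination or an unresolvable chain."""
    chain, final, reason = expand_url(url, fetch)
    verdict = "block" if reason != "resolved" or host_blocked(final, blocklist) else "allow"
    return {"chain": chain, "final": final, "reason": reason, "verdict": verdict}


# Constructed sample redirect table standing in for live shortener responses.
SAMPLE_HOPS = {
    "http://short.example/abc": (301, "http://other-short.example/x"),
    "http://other-short.example/x": (302, "http://malware.example/payload"),
    "http://malware.example/payload": (200, None),
    "http://short.example/ok": (301, "/landing"),  # relative Location header
    "http://short.example/landing": (200, None),
    "http://loop.example/a": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    """Offline fetcher that answers from the constructed table."""
    return SAMPLE_HOPS.get(url, (404, None))
```

Wire `check_short_url` into a filtering proxy or a mail gateway and log the full `chain`, since the intermediate hops are what an analyst needs when a blocked link is investigated later.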

Finally, there is no character limit on email messages, so there's no compelling reason to use shortened URLs in emails. Where it is appropriate or useful, I would recommend all employees use a URL shortening service that provides security features for both senders and recipients. That way you will be helping to promote URL shortening best practices.

This was last published in August 2011


3 comments


Admin, please update your list; here is a new URL shortener: http://itiny.in
A URL shortener that's fast and easy to use. Our features include custom shortened URLs with real-time link tracking; it also has features like Facebook share, Twitter share and Google+ share, and a QR code for the URL.

This is an older article, so I wonder, is the issue of short URLs still the problem it was 3 years ago? I don't doubt they still cause a problem; I wonder what has been done since then to increase security here.

This seems to come back to my traditional approach to questionable areas: have a virtual device as a sandbox, set up snapshots, and when in doubt, run the URL through a browser in that environment. If things look questionable, or processes start appearing that are suspect, kill the machine and jump back in time. Truthfully, I've had very little in the way of issues with shortened URLs.
