Manage Learn to apply best practices and optimize your operations.

URL shortening security best practices

Expert Michael Cobb weighs in on risks you may not know about with shortened URLs from TinyURL or

With the influx of social networks, and more specifically URL shorteners such as, I’m concerned employees...

will click on infected links. What are some link-validation tools worth considering and could you also provide some tips on how to check if a link is legitimate or not?

The success of social networking sites like Twitter has dramatically increased the use of URL shortening services. By shortening a URL in a tweet, you can often use 100 characters or more for the rest of the message. However, they do represent a security risk, as it is impossible for the recipient to tell from the shortened URL where the link goes to. Hovering over a regular link enables you to see the full URL, allowing you to make a judgment call on whether to click it. Spam filters can't take decisions on shortened URLs either, and this lack of transparency has made shortened URLs a weapon of choice for hackers.

Thankfully, many URL shortening services have added some form of “see before you click” functionality to their services. For example, TinyURLs can be viewed via “preview,” so instead of redirecting you to the destination webpage, the full destination URL is shown at BudURL provides the same functionality, but adds a “?” to the end of the URL. It's good that URL shortening services have recognized the dangers their services introduce, but there are so many shortening services that nobody is going to remember how to use the security features of each one. This makes features such as a pop-up window displaying an image of the destination webpage when you hover over the shortened URL link a better safety mechanism. Increasingly, URL shortening services like check every URL against cloud-based blacklists of untrusted websites before generating a link for them.

Although these types of preventative measures provide some protection, you can't dictate which shortening service people use. This is where the Firefox browser plugin Long URL Please can prove useful. It automatically converts URLs shortened by over 80 different services so users instead see the full URL. They also provide an API or script that you can incorporate into your own programs for expanding short URLs. This can make it easier for regular Web filtering devices to control access to malicious sites.

But just because your employees can see the full URL doesn’t mean the website is safe and free of hostile content. The only way to check if a link is legitimate is to use link checking or site filtering technology, like OpenDNS for example, that weeds out known malware infested pages. They won’t ever be 100% accurate, but they provide a way to block undesirable content and prevent users on your network from loading known malicious websites. As part of your security awareness training, I would make sure you keep employees up to date with the latest tricks being used in social engineering-based attacks.

Finally, there is no character limit on email messages, so there's no compelling reason to use shortened URLs in emails. Where it is appropriate or useful, I would recommend all employees use a URL shortening service that provides security features for both senders and recipients. That way you will be helping to promote URL shortening best practices.

This was last published in August 2011

Dig Deeper on Security Awareness Training and Internal Threats-Information