[liberationtech] Bitly Safety (was Stanford Bitly Enterprise Account)

Griffin Boyce griffinboyce at gmail.com
Fri Nov 16 14:41:00 PST 2012


All URL shorteners have the problem of not being transparent with
destination. The risk of this is amplified on places like Twitter,
where the shortened version can be copied and pasted numerous times.

A common trick for tracking who opens your links is to use a URL
shortener in conjunction with a tracking script on your own server.
The extra process is likely to go unnoticed by the person clicking it
(and even if, it's too late). That can launch virtually anything
before sending the visitor on to the destination.

    eg: bit.ly/RZDLHg > domain.com/go/netflix.php >
netflix.com/my_affiliate_link

Some spammers also use multiple shorteners to try to hide the destination.

Less well-known is using base-64 to include code in the URL itself:
http://www.sans.org/reading_room/whitepapers/auditing/base64-pwned_33759
https://nealpoole.com/blog/2010/12/bit-ly-file-storage-cleverness-and-chutzpah/

So I would recommend using a site like unshorten.it (or bit.ly itself)
to actually see where a link leads.

Best,
Griffin Boyce


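[Editor's note: the following is an added example, not code from Griffin or from any of the services named in this thread. It does what the "unshorten it first" advice asks for, but without a browser: it follows the Location headers hop by hop so the whole chain (shortener, the tracking script on someone's own server, the real destination) is visible, stops on loops and runaway chains built from stacked shorteners, and flags query values that decode as base64 to readable text, the trick the two links above describe. The hostnames bit.ly, domain.com and netflix.com come from the example in the mail; short.example, tiny.example and tracker.example and every response in FAKE_RESPONSES are constructed stand-ins so the script runs offline.]

```python
"""Expand a shortened URL into its full redirect chain and flag what it carries."""
import base64
import binascii
from urllib.parse import parse_qsl, urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects manually. fetch(url) -> (status, location_or_None).
    Returns (list_of_hops, outcome) with outcome in final/loop/too_many_hops."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:                   # shortener A -> B -> A
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "too_many_hops"


def hosts(chain):
    """Every host that gets to log the click, in order."""
    return [urlsplit(u).netloc for u in chain if urlsplit(u).netloc]


def decode_base64_params(url):
    """Query values that are valid base64 and decode to printable ASCII."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query):
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                text = decoder(padded).decode("ascii")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue
            if len(text) >= 8 and text.isprintable():
                found[key] = text
                break
    return found


def assess(url, fetch):
    """Resolve the chain and collect human-readable findings about it."""
    chain, outcome = resolve_chain(url, fetch)
    findings = []
    if outcome != "final":
        findings.append(f"chain did not terminate cleanly: {outcome}")
    if urlsplit(chain[-1]).scheme == "data":
        findings.append("final hop is a data: URI; the payload lives in the URL itself")
    middle = hosts(chain[1:-1])
    if middle:
        findings.append("intermediate hosts that see the click: " + ", ".join(middle))
    for hop in chain:
        for key, text in decode_base64_params(hop).items():
            findings.append(f"base64 query value {key!r} in {hop} decodes to {text!r}")
    return chain, outcome, findings


def live_fetch(url, timeout=10):
    """Real HEAD request with redirect-following disabled (use instead of fake_fetch).
    Note: this still counts as a click in the shortener's analytics."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError on 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed responses standing in for live HEAD requests; not real bit.ly data.
# The last entry carries base64 of "<script>alert(1)</script>" in its query string.
FAKE_RESPONSES = {
    "http://bit.ly/RZDLHg": (301, "http://domain.com/go/netflix.php"),
    "http://domain.com/go/netflix.php": (302, "http://netflix.com/my_affiliate_link"),
    "http://netflix.com/my_affiliate_link": (200, None),
    "http://short.example/a": (301, "http://tiny.example/b"),
    "http://tiny.example/b": (301, "http://short.example/a"),
    "http://short.example/c": (301, "http://tracker.example/land?p=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg"),
    "http://tracker.example/land?p=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://bit.ly/RZDLHg", "http://short.example/a", "http://short.example/c"):
        chain, outcome, findings = assess(start, fake_fetch)
        print(outcome, " > ".join(chain))
        for f in findings:
            print("   ", f)
```

Swap fake_fetch for live_fetch to run it against real links; keep in mind that even a HEAD request is recorded by the shortener and by every tracking hop, which is the same exposure the thread is worried about. Decoding only the query string is a deliberate limit: path segments such as the short code itself are base64-like by design and would be false positives.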
On Fri, Nov 16, 2012 at 4:09 PM, The Doctor <drwho at virtadpt.net> wrote:
>
>
> On 11/16/2012 09:17 AM, Alex Comninos wrote:
>
> > Bitly collects information about accesses (such as clicks) of
> > every shortened URL created through the Services. This information
> > includes,
>
> I'm sorry, but no chance.  Given what some folks discuss on this
> mailing list, that's a risk that some folks might not want to take
> (but without a good option to not use shortened URLs, that number
> would likely be higher).
>
> > Surely it would be better to chose a service that retains as
> > little metrics and analytics as possible?
>
> Why not just post full URLs, so we have at least some idea of what
> might be on the other end of a link?  Then we can click or not,
> depending on personal decision.


