Tuesday, September 04, 2007

TinyURLs are Evil!

Thanks to Linda and J, I got introduced to Twitter, and after a couple of months of hesitation I created my own account.

Shortly after I started tweeting, I noticed that Twitter uses the TinyURL.com service to cut the length of tweets (Twitter messages) down to a minimum.

Seeing all these TinyURLs all day long provoked me to post a list of problems that TinyURL and other similar centralized URL-hiding services bring:
  1. TinyURLs don't have any semantics: Rails, wikis, REST and other new technologies are striving for human-readable URLs. When such URLs are posted somewhere, one gets an idea of what to expect and can easily decide whether the page behind the URL is worth viewing, based on the domain name, the keywords in the URL or the file type (in the case of downloadable files). Compare http://en.wikipedia.org/wiki/TinyURL to http://tinyurl.com/dmsfm. Both point to the same page, but while the original URL sets the expectation (almost everyone knows what can be found on Wikipedia, and the keyword "TinyURL" offers even more specifics), the TinyURL (short URL) means nothing to anyone until it is opened in the browser.
  2. TinyURLs can be misused for XSS and XSRF attacks: Would you click on a link in an email from a friend that looks like http://mybank.com/sendmoney?amount=50000&to=badguy, and how about http://tinyurl.com/2nwz9q? This example is a bit exaggerated, but who knows, it might not be far from reality. :-/ The fact is that TinyURLs are being misused to obfuscate URLs that carry exploits.
  3. TinyURL and user privacy concerns: Since every TinyURL request is handled by TinyURL's infrastructure, all the information about who clicked on a TinyURL link, when, from which site and from which computer is visible to TinyURL.
  4. TinyURL messes up search engine logic: Many, if not all, top search engines analyze which site links to which and use this information to determine which sites are popular. What happens when many URLs point to other sites via TinyURLs? You can guess which site (hint) gets all the extra points and is considered popular.
  5. TinyURL messes up web site statistics: If you track activity on your website via services like Google Analytics or Omniture SiteCatalyst, you often want to know where your traffic is coming from. Well, if someone points to your site via a TinyURL, all you'll see is traffic coming from the TinyURL.com site. The reason is that when a visitor arrives at a site via a TinyURL, the referer is always set to TinyURL.com.
Enough ramblings. What can you do to protect yourself from the threat of the dark side? Stop using TinyURL.com and other similar services. :)

Other than that, there is not much you can do about most of the problems mentioned above, except for the XSS & XSRF problem: If you get a TinyURL, you can preview it by changing the URL from http://tinyurl.com/dmsfm to http://preview.tinyurl.com/dmsfm. This shows you the destination URL before you are redirected there. If you want this to happen automatically every time you click on a TinyURL, you can save this preference as a cookie that triggers the preview behavior automatically.

Developers who want to cut down on the amount of rendered text should consider rendering URLs as en.wikipedia.org/... or just as [url] instead of using the evil TinyURL service. This approach, however, doesn't work for e.g. printed media or SMS.
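As an added example (not code from the original post, nor TinyURL's own), the two defensive measures above in Python: rewriting TinyURL links in a message to their preview.tinyurl.com form, rendering any link as host/... for display while keeping the full href, and summarizing what a previewed destination reveals (host, path, and query parameter names). The SHORTENER_HOSTS set, the function names, and the sample message are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumption: only tinyurl.com has the preview host described in the post;
# the set exists so other hosts with an equivalent preview can be added later.
SHORTENER_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
PREVIEW_HOST = "preview.tinyurl.com"

# Matches absolute http(s) URLs inside free text (a tweet, an email body).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def to_preview(url):
    """Rewrite http://tinyurl.com/xxxx to http://preview.tinyurl.com/xxxx.
    Links that are not TinyURLs, or are already previews, come back unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == PREVIEW_HOST or host not in SHORTENER_HOSTS:
        return url
    return urlunsplit((parts.scheme, PREVIEW_HOST, parts.path, parts.query, parts.fragment))


def rewrite_message(text):
    """Apply to_preview to every URL found in a block of text."""
    return URL_RE.sub(lambda m: to_preview(m.group(0)), text)


def display_label(url):
    """Render a link as host/... (the post's suggested alternative to shortening).
    The caller keeps the full URL as the href; only the visible text is cut."""
    parts = urlsplit(url)
    host = parts.hostname or url
    return host if parts.path in ("", "/") else host + "/..."


def describe_destination(url):
    """What a preview exposes about a destination before any redirect happens:
    the host, the path, and the names of the query parameters (values omitted,
    since they may be sensitive or attacker-chosen)."""
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return (parts.hostname or "", parts.path, names)


if __name__ == "__main__":
    # Constructed sample message using the short URL quoted in the post.
    print(rewrite_message("Check this out: http://tinyurl.com/2nwz9q"))
    print(display_label("http://en.wikipedia.org/wiki/TinyURL"))
    print(describe_destination("http://mybank.com/sendmoney?amount=50000&to=badguy"))
```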

Don't get me wrong, I'm not saying that the TinyURL service was created with evil intentions; I just think it was an attempt to solve a common problem that took a wrong route. Interestingly, the Wikipedia page dedicated to TinyURL contains more content about issues related to TinyURL than anything else; I guess that proves my points. :)

Just to confuse everyone even more, there are a few cases when using TinyURL-like services is recommended; I'll come back to these in one of my future posts.

1 comment:

Anonymous said...

People are using TinyURL for address spoofing like the one you mentioned about the bank accounts. I regularly receive spam emails like this.