Be careful what you click! The perils of URL shorteners

URL shorteners are becoming extraordinarily popular, thanks mostly to Twitter. The need to cram a full URL into 140 characters has spawned services like bit.ly, is.gd, and Twitter’s new t.co. URL shorteners convert the real URL to one that takes up fewer characters. So http://www.zdnet.com/blog/bott/office-starter-2010-drops-the-crapware-adds-ads/2220 becomes http://is.gd/cQkSS. (Both links lead to the same page.) And there are lots of shortening services, which means my original link could also be (and certainly is) translated into links from bit.ly and tinyurl.com and goo.gl and even ZDNet’s official domain, zd.net.

The problem is, the shortening process is also destructive, removing some key data points that you need to make an informed trust decision about whether to click that link. What domain is it from? Is it one I am confident will not be compromised? Does the name of the link provide any clues about its content?

With short URLs, you lose those data points. My original very long URL gives me all sorts of clues that allow me to set my expectations with confidence. I know it’s at a domain I trust, zdnet.com, and I can even divine the title of the article. The shortened URL tells me nothing.

The consequences of following a bad link can be unfortunate. After I got a couple of very suspicious links from a couple of unrecognized Twitter accounts yesterday, I passed them along to Chris Boyd (@paperghost on Twitter) who wrote about the phenomenon on The Sunbelt Blog (see "PDF exploit spam run on Twitter") and also pointed to a technical article at the Trend Micro blog: "New malicious Twitter spam."

Here’s how it works: A hostile Twitter account churns out messages that say, “Wow, a marvelous product” or "I Just Cant Believe This," accompanied by a handful of user names to make sure they get seen.

Click the link, and you might be redirected to some sort of paid movie service. […]

If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await.

So how do you protect yourself? One way is to be suspicious of short URL services and check the link before you visit the page. One feature I like about TweetDeck is that it shows a preview of the destination URL when you click a shortened one.

I like the fact that Bit.ly has an API that allows third parties to customize their domain for short links. When I see a short URL from the zd.net domain, I am very confident that it is safe to click on and in fact I know that I am going to go to the ZDNet site.

If you’re suspicious about a short link, you can often preview its contents by pasting the link into a browser and then tacking a suffix onto it. For a link from is.gd, for example, you can add a minus sign (hyphen) to the end of the URL to visit a preview page hosted on the is.gd servers. You can preview a bit.ly link by tacking a plus sign onto the end. If you’re suspicious of a link, copy it to the Clipboard, paste it into the address bar, and add the appropriate suffix.
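The check described above, carried a step further as an added example (not code from the original post): build the is.gd/bit.ly preview URL, expand a short link hop by hop by reading only the redirect headers instead of rendering the destination, and then decide whether the final host is actually one you trust. The redirect table, the zd.net and bit.ly short codes, and the `fake_head` function are constructed stand-ins for real HTTP HEAD requests with redirects disabled.

```python
from urllib.parse import urlparse, urljoin

# Preview suffixes described in the post: is.gd uses "-", bit.ly uses "+".
PREVIEW_SUFFIX = {"is.gd": "-", "bit.ly": "+"}

# Constructed sample: short URL -> (HTTP status, Location header or None).
# The zd.net/bit.ly codes are made up; the final zdnet.com URL is the one from the post.
FAKE_HOPS = {
    "http://zd.net/abc": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (301, "http://www.zdnet.com/blog/bott/office-starter-2010-drops-the-crapware-adds-ads/2220"),
    "http://www.zdnet.com/blog/bott/office-starter-2010-drops-the-crapware-adds-ads/2220": (200, None),
    "http://is.gd/loop1": (302, "http://is.gd/loop2"),
    "http://is.gd/loop2": (302, "/loop1"),  # relative Location header that closes a loop
}

def fake_head(url):
    """Stand-in for an HTTP HEAD with redirects disabled (constructed data)."""
    return FAKE_HOPS.get(url, (404, None))

def preview_url(short_url):
    """Return the shortener's own preview page, or None if the service is unknown."""
    host = (urlparse(short_url).hostname or "").lower()
    suffix = PREVIEW_SUFFIX.get(host)
    return short_url + suffix if suffix else None

def expand(short_url, head=fake_head, max_hops=5):
    """Follow 3xx Location headers manually; returns (final_url, chain, reason).

    Chains of several shorteners (zd.net -> bit.ly -> destination) are common,
    so the whole chain is kept for inspection rather than just the last hop.
    """
    chain, url = [short_url], short_url
    while len(chain) <= max_hops:
        status, location = head(url)
        if not (300 <= status < 400) or location is None:
            return url, chain, "terminal"
        # A relative Location must be resolved against the hop that sent it.
        url = urljoin(url, location)
        if url in chain:
            return url, chain, "loop"
        chain.append(url)
    return url, chain, "too-many-hops"

def is_trusted(url, trusted_domains):
    """Exact host or subdomain match only: www.zdnet.com yes, evilzdnet.com no."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)
```

Swapping `fake_head` for a real HEAD request with redirects disabled gives the same chain for live links; the trust check deliberately rejects look-alike hosts such as `zdnet.com.example` that a plain substring match would accept.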

The URL shortening services are also reacting to complaints fairly swiftly. The hostile links I saw yesterday were disabled within 24 hours. Here’s what I saw when I visited one of those links a few minutes ago:

Bit.ly has an excellent statement of how it handles security:

bit.ly uses data from a number of independent sources in addition to its own internal classifiers to determine whether or not destination sites propogate [sic] spam, viruses, or other malware. The third party sources include Sophos, Websense, VeriSign, PhishTank, and Google Safe Browsing. For Firefox and Chrome browser users, we also have a Preview Plugin that allows you to view link details before clicking. If you are a Twitter user, similar preview features are available from Tweetdeck (see a write-up of how it works here)

The goal of the bad guys is to get you to click on their link, and they’re good enough at it to warrant some respect. Ultimately, there are a lot of links I simply don’t click, especially those that ostensibly lead to shocking or amusing videos and articles. The reward isn’t worth the risk. Links from strangers are always suspicious, but a link that appears to be from a friend might actually be from a hacked Facebook or Twitter account. And you have no idea where it really goes.

So, seriously: Be careful what you click.

If you’re interested in this topic, it’s worth reading DeWitt Clinton’s recent "More thoughts on URL shorteners," which covers this topic in much more depth than I can do here. Highly recommended reading.

5 thoughts on “Be careful what you click! The perils of URL shorteners”

  1. I think we’ll start seeing moderately longer urls that actually give some info about what they are linking to.

    The next trend is towards sites using their own domain specific short urls.

    When my mother-in-law forwards me news stories from USA Today, the links are in the form http://usat.me?38738442 (If I were USA Today, I would make that even shorter by using letters.)

    In your example, zdnet.com could provide a url like zdnet.com/2200 that redirects to the article or even just displays the article without the redirection. At least then you’d know the site you were headed to when you see the link.

    YouTube did this with youtu.be, but I haven’t seen anyone use it. These new domain specific short urls are fighting an uphill battle because they depend on the person sharing the link to know about them and use them. General url shortening services like bit.ly or is.gd are easier to use because they work for any link.

    1. Dennis, ZDNet.com already uses short URLs, using the Bit.ly API to shorten to zd.net. I mention them a little later in the post. I’ll update because it’s worth calling attention to. Thanks!

  2. I’d like to see them build into IIS and/or other Web servers the ability for the web site to do its own short URLs. Like USA Today did from Dennis’ post, but available for any site. Leave the normal domain, which I think is so much safer anyway, just shorten the destination by doing a simple code after the ?, instead of all the folders and such.

  3. Ed, this is an excellent article. The digital age has many benefits, but personal security problems seem to be steadily waxing. Thanks for the info.

  4. Ed, I use a Firefox extension called “Long URL Please” (http://www.longurlplease.com/) to lengthen the shortened URLs. It doesn’t work for all shortening services, but it does for a lot of them. The ones that it doesn’t work for, I just don’t click on that link. I find it very handy, especially in Twitter (although our local newspaper here in Fairbanks, AK, often uses shar.es, which is not supported).

    Cheers,
    -Jock

Comments are closed.