Saturday, 13 April 2013

Short links and why they are bad


I find it funny that before Twitter, for example, people would inspect a link to see the destination it would take them to and then make a decision as to whether or not to click on it. This meant that people became informed and the number of viruses that successfully got installed dropped. With the introduction of Twitter and its 140 character limit we saw the increase in short link services, and herein lies the problem: a short link by definition is as short as we can possibly make it. The information part of the URL has been replaced with some random characters, meaning that people will once again click on links without knowing where they are going. I've started to see these short links being used on social media sites where there is no limit on the length of a post. So let's take a look at how a URL shortening service works.

OK, so you have a URL to a site that you want to share, for example http://www.google.com, so what information do we need to store? Well, the URL of course and the short URL that users will click on. So let's create a pseudo code table to store this information:

CREATE TABLE shortLinks (
        uid  INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,  -- the value the short link encodes
        url  VARCHAR(2000) NOT NULL,                            -- the destination
        link VARCHAR(20)                                        -- optional: the short form, see below
);

Technically we don't need to have the link field, as the shortened URL is actually an encoded UID value. Let me explain: if we just make our link service put the UID in the URL, so that we use the following

http://shrt.in/12345

Then you can see that BASE_10 uses 5 characters to represent the number 12345, while BASE_2 would be 11000000111001, so not shorter at all; so let's go the other way. BASE_16, which uses the values (0-9,A-F), would change this to 3039, which is only saving us 1 character on our URL. So let's go even bigger: let's use the following possible characters (0-9,a-z,A-Z), which would be BASE_62, so for example the following UIDs:

61 => Z  (saves 1 character) 
3843 => ZZ  (saves 2 characters) 
238327 => ZZZ  (saves 3 characters)  

So as you can see, with base 62 we are approximately halving the number of characters used to represent the number, so as we move up the base (to 256, for example) we will see even bigger benefits in the length of the URL.

So now we understand how a short URL is generated, we need to understand how the service works.

User clicks link =>  Short server auto redirects => Destination URL

As you can see, as far as the user is concerned the short link takes them to the destination, so in their minds they are associating that short link with a safe landing page, say google.com. But what happens if a hacker uses a short link to point at a page that exploits a vulnerability? After all, a lot of hacks require the user to click a link in an email. The shortening service doesn't stop you before redirecting you, and this is wrong: it should stop and tell you that you are about to go to the following URL, allowing you to choose whether to click the link or not.

What should happen is the following:

User clicks link => Short server shows information about the URL with manual click to follow => Destination URL
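As an added example (not code from the original post), the base-62 encoding of the auto-increment UID described above, its reverse lookup, and the preview page the post argues the short server should show instead of auto-redirecting. The SHORT_LINKS dict is a constructed stand-in for the shortLinks table, and the URLs in it are made up.

```python
from typing import Optional

# Digit order the post names: 0-9, then a-z, then A-Z (so 61 -> "Z")
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
BASE = len(ALPHABET)  # 62


def encode_uid(uid: int) -> str:
    """Convert a non-negative uid to its base-62 short form."""
    if uid < 0:
        raise ValueError("uid must be non-negative")
    if uid == 0:
        return ALPHABET[0]
    digits = []
    while uid:
        uid, rem = divmod(uid, BASE)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def decode_link(link: str) -> int:
    """Convert a base-62 short form back to the uid, rejecting foreign characters."""
    if not link:
        raise ValueError("empty short link")
    uid = 0
    for ch in link:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid character in short link: {ch!r}")
        uid = uid * BASE + idx
    return uid


# Constructed stand-in for the shortLinks table (uid -> url); not real data.
SHORT_LINKS = {
    12345: "http://www.google.com",
    238327: "https://example.com/report",
}


def resolve(link: str) -> Optional[str]:
    """Look the short link up the way the redirect server would."""
    return SHORT_LINKS.get(decode_link(link))


def preview_page(link: str) -> str:
    """Interstitial text shown instead of auto-redirecting: the user sees the target first."""
    target = resolve(link)
    if target is None:
        return "Unknown short link."
    return f"This short link goes to: {target}\nClick 'Continue' to follow it."
```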

Conclusion

This is why I will never click a short URL generated by a short link service: I have no idea where it is going.