Gojomo

2006-02-13
TinyURLs are evil URLs

TinyURLs are awful, for usability, for stability of reference, and for browsing safety. Please don't use them in wikis, email, or anywhere.

The problems:

  1. TinyURLs are opaque, hiding their ultimate destination from users and software. This might be a minor inconvenience, except...
  2. TinyURLs can be, and often are, used to send people to spam or malware sites. One recent study found a significant number of webpages try to exploit browser flaws to compromise your computer's security. It's dangerous and rude to suggest someone visit an obfuscated TinyURL. And because of (1), above, even known problem sites can't be programmatically blacklisted against abusive linking by, for example, wiki software.
  3. TinyURLs introduce a dependency on a third-party service that could go away or be completely compromised in the future. Not only could that TinyURL you see today send you to a porn spam malware site -- but someday in the future, a takeover of the TinyURL domain could send every TinyURL ever used to porn spam malware sites.

Note that the policy of TinyURL to disable "spam" URLs does not remedy (2); in fact it introduces another problem, the potential for third parties to disable your TinyURLs by reusing them in spam -- triggering a takedown of your URL through no fault of your own.

(A TinyURL competitor, SnipURL, also lets the creator of a short URL modify it in the future -- making it possible to popularize a SnipURL, have it pass manual review, and then change to a problem URL at any arbitrary time in the future.)
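
Point (2) in code, as an added example that is not part of the original post: a blocklist check on the visible link misses a shortened URL, while a filter that expands the redirect chain hop by hop catches it. The hostnames, the `SAMPLE_REDIRECTS` table and the function names are constructed for illustration; a real filter would read each hop's `Location` header over the network instead of using a table.

```python
from urllib.parse import urljoin, urlsplit

# Constructed data: hosts a wiki operator has already blocklisted.
BLOCKLIST = {"malware.example"}

# Constructed stand-in for the network: maps a URL to the Location header
# its server would return (absent = no redirect). A real filter would issue
# a HEAD request with redirects disabled instead of consulting this table.
SAMPLE_REDIRECTS = {
    "http://short.example/abc12": "http://hop.example/r?id=7",
    "http://hop.example/r?id=7": "http://malware.example/landing",
    "http://short.example/ok99": "http://docs.example/very/long/path",
    "http://short.example/loop": "http://short.example/loop",
}

def naive_check(url, blocklist=BLOCKLIST):
    """Blocklist check on the visible link only, as wiki software sees it."""
    return urlsplit(url).hostname in blocklist

def expand(url, lookup=SAMPLE_REDIRECTS.get, max_hops=5):
    """Follow Location headers hop by hop; return the chain of URLs visited.

    Raises ValueError on a loop or an over-long chain so the caller can
    reject the link rather than guess at its destination.
    """
    chain = [url]
    while (location := lookup(chain[-1])) is not None:
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain or len(chain) > max_hops:
            raise ValueError(f"unresolvable redirect chain from {url}")
        chain.append(nxt)
    return chain

def expanded_check(url, blocklist=BLOCKLIST, lookup=SAMPLE_REDIRECTS.get):
    """True if any hop in the chain lands on a blocklisted host."""
    try:
        chain = expand(url, lookup)
    except ValueError:
        return True  # fail closed: an opaque link is treated as blocked
    return any(urlsplit(u).hostname in blocklist for u in chain)

if __name__ == "__main__":
    for link in SAMPLE_REDIRECTS:
        print(link, naive_check(link), expanded_check(link))
```

Because the creator or the service can change a mapping after the check (the SnipURL case above), the result only holds at the moment of expansion.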

There is very little information at the sites of TinyURL or its competitors to assess the long-term stability and trustworthiness of these services -- but even if the service were run by a large venerable institution with an impeccable reputation, most of these problems would remain. And other problems would arise, as venerable institutions are subject to social and political pressures that could make them more willing to, for example, censor or redirect certain short URLs. (If the Chinese Communist Party were to demand that a TinyURL to a dissident page get remapped to a state propaganda page, the same large stable institutions most likely to provide long-lived servers are also most likely to comply with authoritarian change requests.)

URLs should be naked, as endowed by their creators with the inalienable rights of meaningfulness, transparency, and stability. Friends don't let friends use TinyURLs.



Comments:
http://www.shmula.com/?p=68

[...]
a remedy for long and undescriptive url’s are services such as tinyurl and snipurl. opponents against these services claim that url’s then become opaque, masking the ultimate destination, and could and does lead the user to the wrong locations or even malware. this is true.
[...]
 
Spam for minorurl deleted. Has same problems as all other such services.

On the URL I tried, it made the URL longer.
 
Wow, what a whinge, don't use it then, simple. Your crusade is useless.
 
'the blogger' -


I don't use TinyURLs, but I am still occasionally put at risk by people who do use them. Hence, the explanation of the problems with TinyURLs.

This entry has helped spread the word to people who otherwise don't realize that using TinyURLs can be rude.

Do you find anything factually inaccurate about my criticism of TinyURLs?
 
Tinyurl offer a preview option which presents you with the final destination url - you can use this to decide to continue to the 'hidden' site or not:
http://tinyurl.com/preview.php
 
Ian said...

Tinyurl offer a preview option which presents you with the final destination url - you can use this to decide to continue to the 'hidden' site or not:
http://tinyurl.com/preview.php

You can set your preferences to stop at tinyURL's site via cookies.
But that doesn't take away from his main concerns, perpetuating a cloaked redirection service where there isn't a need, creates an unnecessary security risk, now and more importantly in the future!
 
Surely a valid reason for using tinyurl is to hide email addresses on web pages from spam harvesters?

I've looked into various methods; java, encoding etc. but if there is nothing at all a spam bot likes such as the '@' symbol or 'mailto:' then it won't harvest any email addresses from a page which helps combat spam. Or am I missing something?
 
Hey I have an idea, just don't click the damn link if it's from someone you don't trust.
 
I think one way to avoid the whole hassle is to use Firefox with NoScript.

Even if you end up at 'wrongful' site, noscript will handle the script issue.
 
@faith - That's not much of a solution. It means even if I trust the destination site (eg: Google), I can't click links from people who might relay bad links.

Even friends and family members, who I deeply "trust" in real life, don't necessarily know what might be a risky web site. So I couldn't even confidently click TinyURL links from them, under your idea.

And your 'judge the sender' idea also doesn't solve the problems with TinyURL's long-term reliability.

Faith, that's a damn bad idea!
 
@johnk: NoScript can help with some security risks.

But, it doesn't save wasted time at a spam site, or undo the fraudulent traffic benefits collected at the destination site. It can't solve the potential TinyURL service reliability issues. And even NoScript can leave one vulnerable to fresh vulnerabilities in browsers or helper apps.
 
non-tiny URLs can be redirected just as easily as ones from tinyurl.com. Unless you only ever click on links to recognized sites, I don't see how avoiding tinyurl makes you any safer.
 
xraybox wrote: "...cloaked redirection service where there isn't a need..." -- until every mailer will grab every long URL pasted into it and send it properly (without splitting into multiple lines, for example), and until URLs are intelligible enough that people can easily tell where they lead and short enough to fit into SMS messages (and have room for anything else), there will be a need.

There will be spammers, hackers, and malware writers. Don't punish the honest folk by removing the capability; instead, have them report the bad guys, warn people when they find a rogue URL, tiny or snipped or not, and suggest technological solutions that people will actually use.
 
The SEO advantages of omitting tiny urls is well documented. HOW does one stop Twitter from automatically truncating? My blog urls are too long for twitter and I lose any SEO benefit posting on twitter. Has anyone created a recipe for this?
If so, email me? Please. ritathejobcoach@gmail.com
 
I love TinyURL and SnipURL because they make URLs short enough to fit in SMS messages, and SnipURL even allows giving it a recognizable name. I've never been redirected to a spam or porn site, but then again, I neither feel a pathological need to click on every URL I see nor get bent out of shape if I end up somewhere I don't want to be. I also have a Mac, so I don't have to worry quite so much about Trojans, malware, etc. And as far as SnipURLs maybe going away, so do long ones -- the Web is not cast in bronze; live with it. In any case, the rant about TinyURL/SnipURL strikes me as FUD, grumpiness, or both. I have better things to worry about, and *much* better things to do than type or cut and paste 150-character URLs. (Does anyone wonder what URL someone ran through TinyURL that got *longer*, and think that whoever did so must be unclear on the concept...?)
 