If you haven’t heard of the worldwide computer security poostorm last week, you can read about some of it in this article titled, The Google-phish-that-was-also-a-worm – what happened and what to do. This is its URL.
https://nakedsecurity.sophos.com/2017/05/05/google-phish-thats-a-worm-what-happened-and-what-to-do/
At my university some high-up executive types sent around a campus-wide email which included that link. What blew my mind, given the topic, was that they used a URL shortener. Specifically, they referred to this URL.
https://goo.gl/2qgE7d
I used to be a big fan of URL shorteners. This was because I do everything in a text console and they really clean things up nicely. But after reading about phishing using shorteners and giving it a tiny bit of thought, I realized that setting people up with URLs that they don’t really know the target for was probably a bad idea. I now consider it mildly impolite. I have also now seen too many phishing emails to count that relied on shorteners to obfuscate the danger.
In the past I used goo.gl and even had a script to convert to a Google shortened URL automatically. Now I am going to atone for using shorteners in the past. Although I consider goo.gl rotten and insecure, it probably is the most secure of any of the URL shorteners. With goo.gl you can add a .info or + to the short URL and get a full analytics page without an actual redirection to the target link.
https://goo.gl/7fYAH.info
https://goo.gl/7fYAH+
The plus apparently works for bit.ly too. (Note that bit.ly is a Libyan domain; what could go wrong?)
For tinyurl.com (whose domain is 5 characters less tiny than mine) you can give it a hostname of preview like this.
https://preview.tinyurl.com/l9xq43x
This article has some more tips for previewing different shortening services.
All of that might help you but I don’t tend to do things the normal way and I wanted a more potent way to solve this problem. For example, I don’t want cookies set or JavaScript run or ads displayed when I’m trying to figure out what some hidden URL really is. Here’s what I came up with.
function embiggen { wget --max-redirect=0 "$1" 2>&1 | grep '^Location:' | cut -d' ' -f2; }
Put this in your .bashrc or otherwise make it a part of your shell’s environment and then you can do things like this.
$ embiggen https://goo.gl/7fYAH
http://xed.ch/
$ embiggen https://tinyurl.com/l9xq43x
http://xed.ch
It even works for Twitter’s insidious URLs which I have always avoided like the plague.
$ embiggen https://t.co/RCdtCUX9XJ
http://xed.ch
$ embiggen https://t.co/dTlbuzhAza
http://t.co
Note that these URLs aren’t even shorter. This is especially irritating in space constrained situations. Don’t use these services as thoughtlessly as Twitter forces you to.
LinkedIn does a smarter job of it by refusing to "shorten" http://xed.ch; however, they do use a more baroque two-step redirection.
$ embiggen https://lnkd.in/gURwXzP
https://www.linkedin.com/slink?code=gURwXzP
$ embiggen https://www.linkedin.com/slink?code=gURwXzP
http://xed.ch/blog/2017/0513.html
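Chasing a two-step redirection by hand, as above, gets old, and a single-hop embiggen also says nothing when a shortener bounces to a second shortener. The script below is an added example, not the embiggen function from this post: it peels the redirect chain one hop at a time with curl (no -L, so nothing is followed automatically, no cookies are kept and no page is rendered), prints every hop, refuses to fetch anything that is not an http or https URL, resolves a path-only Location header such as LinkedIn’s /slink?code=... against the host that sent it, and gives up after a hop limit so a redirect loop can’t run forever. The function names and the 5-hop default are my own choices.

```shell
#!/bin/sh
# Added example (not the post's embiggen): walk a shortener's redirect chain
# one hop at a time, never letting the HTTP client follow anything itself.

# Read one hop's raw response headers on stdin and print the Location value.
# Prints nothing and returns 1 when the response is not a redirect.
location_of() {
    tr -d '\r' | awk '
        tolower($0) ~ /^location:/ { sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Turn a Location value into the next URL to look at.
# $1 = URL that sent the header, $2 = Location value.
# Absolute http(s) URLs pass through; a path like /slink?code=x is glued to the
# scheme and host of $1; anything else is returned unchanged so the caller
# can refuse it (it is printed, never fetched).
resolve_next() {
    case $2 in
        http://*|https://*) printf '%s\n' "$2" ;;
        /*) printf '%s%s\n' "$(printf '%s' "$1" | sed -E 's#^(https?://[^/]+).*#\1#')" "$2" ;;
        *)  printf '%s\n' "$2" ;;
    esac
}

# Fetch exactly one hop: headers to stdout, body discarded, no -L so curl
# never follows the redirect for us, no cookie jar, short timeout.
hop_headers() {
    curl -sS -o /dev/null -D - --max-time 10 "$1"
}

# Print every URL in the chain, stopping at the first non-redirect.
# $1 = starting URL, $2 = hop limit (default 5, an assumption of this example).
embiggen_chain() {
    url=$1
    max=${2:-5}
    n=0
    while [ "$n" -lt "$max" ]; do
        case $url in
            http://*|https://*) ;;
            *) printf 'refusing to fetch non-http target: %s\n' "$url" >&2; return 2 ;;
        esac
        printf '%s\n' "$url"
        # No Location header (or the fetch failed, which curl -sS reports): chain ends here.
        loc=$(hop_headers "$url" | location_of) || return 0
        url=$(resolve_next "$url" "$loc")
        n=$((n + 1))
    done
    printf 'gave up after %s hops (possible redirect loop): %s\n' "$max" "$url" >&2
    return 1
}

# Usage: ./embiggen_chain.sh https://lnkd.in/gURwXzP
if [ $# -gt 0 ]; then
    embiggen_chain "$@"
fi
```

Two caveats worth knowing when the chain comes back suspiciously short: some redirectors bounce with an HTML meta refresh or a bit of JavaScript instead of a 3xx, in which case there is no Location header to read and the script will report the shortener itself as the final stop; and a server can answer a bare curl differently from a browser, so a clean chain here is not proof that the page you would land on in a browser is the same one.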
As a final tip, once you know the URL you’re about to visit, it can often be smart to check with reputable sources about its reputation. Here are some I use.
I’ll leave it as an exercise for the reader to have these URL checkers check each other.
UPDATE 2017-07-29: I have received an anonymous tip that http://urlte.am is a very serious resource related to this issue.