If you haven’t heard of the worldwide computer security poostorm last week, you can read about some of it in this article titled, The Google-phish-that-was-also-a-worm – what happened and what to do. This is its URL.


At my university some high up executive types sent around a campus wide email which included that link. What blew my mind, given the topic, was that they used a URL shortener. Specifically, they referred to this URL.


I used to be a big fan of URL shorteners. This was because I do everything in a text console and they really clean things up nicely. But after reading about phishing using shorteners and giving it a tiny bit of thought, I realized that setting people up with URLs that they don’t really know the target for was probably a bad idea. I now consider it mildly impolite. I have also now seen too many phishing emails to count that relied on shorteners to obfuscate the danger.

In the past I used goo.gl and even had a script to convert to a Google shortened URL automatically. Now I am going to atone for using shorteners in the past. Although I consider goo.gl rotten and insecure, it probably is the most secure of any of the URL shorteners. With goo.gl you can add a .info or + to the short URL and get a full analytics page without an actual redirection to the target link.


The plus apparently works for bit.ly too. (Note that bit.ly is a Libyan domain; what could go wrong?)

For tinyurl.com (whose domain is 5 characters less tiny than mine) you can give it a hostname of preview like this.


This article has some more tips for previewing different shortening services.

All of that might help you but I don’t tend to do things the normal way and I wanted a more potent way to solve this problem. For example, I don’t want cookies set or Javascript run or ads displayed when I’m trying to figure out what some hidden URL really is. Here’s what I came up with.

function embiggen { wget --max-redirect=0 $1 2>&1|grep Location|cut -d' ' -f2;}

Put this in your .bashrc or otherwise make it a part of your shell’s environment and then you can do things like this.

$ embiggen https://goo.gl/7fYAH
$ embiggen https://tinyurl.com/l9xq43x

It even works for Twitter’s insidious URLs which I have always avoided like the plague.

$ embiggen https://t.co/RCdtCUX9XJ
$ embiggen https://t.co/dTlbuzhAza

Note that these URLs aren’t even shorter. This is especially irritating in space constrained situations. Don’t use these services as thoughtlessly as Twitter forces you to.

LinkedIn does a smarter job of it by refusing to "shorten" http://xed.ch however, they do use a more baroque two step redirection.

$ embiggen https://lnkd.in/gURwXzP
$ embiggen https://www.linkedin.com/slink?code=gURwXzP

As a final tip, once you know the URL you’re about to visit, it can often be smart to check with reputable sources about its reputation. Here are some I use.

I’ll leave it as an exercise for the reader to have these URL checkers check each other.

UPDATE 2017-07-29: I have received an anonymous tip that http://urlte.am is a very serious resource related to this issue.