[143719] in North American Network Operators' Group


Re: How long is your rack?

daemon@ATHENA.MIT.EDU (Greg Ihnen)
Mon Aug 15 21:54:42 2011

From: Greg Ihnen <os10rules@gmail.com>
Date: Mon, 15 Aug 2011 21:23:49 -0430
In-Reply-To: <4E49BAAD.3060609@tiggee.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Aug 15, 2011, at 8:02 PM, David Miller wrote:

> On 8/15/2011 6:00 PM, Matthew Palmer wrote:
>> On Mon, Aug 15, 2011 at 11:37:37AM -0400, Randy Bush wrote:
>>>>> more likely a 'shortened' url.  how anyone can click those is beyond
>>>>> me.
>>>> I'm curious what your objection is.
>>> i have no assurance that a shortened url does not lead to a malicious
>>> site.  also your privacy issue, but that is secondary.
>> Given the rate of publicised defacements of all manner of sites (and that
>> injecting malware into a page is the exact same thing as a clear defacement,
>> from an execution point of view), a long URL gives you no greater assurance
>> of protection from malice.
>
> True.  A long URL does not guarantee protection from malice.
>
> However, you would likely *not* visit a link to obviousmalwaresite.example.com.  In fact, I would guess that even a reasonable percentage of the clueless would not click a link to obviousmalwaresite.example.com.
>
> Camouflaging obviousmalwaresite.example.com behind a URL shortener and/or several layers of redirection (which is all that a URL shortener is in the end) will increase the number of clicks.  This is obviously why spammers/scammers use them.
>
> Your spam filtering may block emails with links to obviousmalwaresite.example.com, but does it also expand short URLs and then block on the final destination?  Or do you simply block all emails with short URLs in them?
>
> Expanding a short URL merely raises the bar slightly by getting you to the long URL... which gets us back to - whether or not you would click on obviousmalwaresite.example.com.  A tool like longurl.org will give you the full redirection chain and things like Titles and Meta data for the final destination.  If you like, you can go directly to the destination bypassing potential redirection-redirection (i.e. redirecting a portion of visitors differently than others).
>
> For example:
> http://t.co/7wP9W2j == Good || Bad -> http://longurl.org/expand?url=http%3A%2F%2Ft.co%2F7wP9W2j
>
> FYI: I lock the doors of my car despite the fact that a fair amount of the 'security' of the external surface of the car is provided by panels of glass.
>
> -DMM
> -- maintainer of longurl.org in my spare time (instead of building a data center in my house :-)
>   use the web site, use the API, or download the code and run your own server (the code is opensource)
>

There are browser extensions which resolve and display the actual address of shortened URLs.

http://www.google.com/search?&q=browser+extension+display+shortened+urls


And for fun there's always http://shadyurl.com to make shortened obscured URLs that are extra scary.
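
The check raised in the quoted message (expand short URLs, then block on the destination) is sketched below as an added example; it is not part of the original thread and is not longurl.org's code. The redirect table, blocklist and function names are constructed, the HTTP fetch is replaced by a table lookup so it runs offline, and blocking unresolvable chains is an assumed policy.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for HTTP responses: url -> (status, Location header)
CONSTRUCTED_RESPONSES = {
    "http://short.example/abc": (301, "http://tracker.example/r?id=1"),
    "http://tracker.example/r?id=1": (302, "//obviousmalwaresite.example.com/landing"),
    "http://obviousmalwaresite.example.com/landing": (200, None),
    "http://short.example/ok": (301, "http://www.example.org/article"),
    "http://www.example.org/article": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop"),
}
BLOCKED_HOSTS = {"obviousmalwaresite.example.com"}  # constructed blocklist


def constructed_fetch(url):
    """Hypothetical fetcher; a real filter would issue a HEAD/GET without following redirects."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def expand(url, fetch=constructed_fetch, max_hops=10):
    """Follow redirects hop by hop. Returns (chain, resolved)."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, True               # reached a non-redirect response
        nxt = urljoin(chain[-1], location)   # handles relative and scheme-relative targets
        if nxt in chain:
            break                            # redirect loop
        chain.append(nxt)
    return chain, False                      # loop or hop limit exceeded


def verdict(url, fetch=constructed_fetch):
    """Block if any hop, not only the last one, lands on a blocked host."""
    chain, resolved = expand(url, fetch)
    if not resolved:
        return "block", chain                # assumed policy: unresolvable means hostile
    for hop in chain:
        host = (urlsplit(hop).hostname or "").lower()
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            return "block", chain
    return "allow", chain
```

The chain a filter sees is only its own view: as the quoted message notes, a redirector can send a portion of visitors somewhere different.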
