Shortening URLs Doesn’t Provide Any Security


Many people misunderstand the role of URL shortening tools. They see them as a security tool, which they are not.

I am on a project team that uses shortened URLs. We do it for user convenience. The shortening tools do one thing – they allow a longer URL to be replaced with a short one. That’s it. They do not hide the URL in any way. Some shorteners have additional features such as counting clicks for tracking purposes.

URL shorteners work by generating a small, random-looking string and storing that string and the destination URL in a database. When a user views the site of the shortening provider and specifies the “page” of the shortened URL, the user’s browser is redirected to the destination page. There are sites that provide this service and software to create one’s own database and generate short URLs. Consider the shortened URL goo.gl/lbndbR. Its target is “blog.learningtree.com.” You can test it with a “URL lengthener” site such as unshorten.it. These lengthener sites will decode shortened URLs from the most common shortening sites. When you use a shortener, the target URL will still appear in the browser’s address window.

Let’s look at the shortened URL goo.gl/lbndbR. The first part is the shortening provider – Google in this case. The second part is the database key representing the target site. Some sites use shorter keys and some use longer ones. Some use digits in addition to uppercase and lowercase letters. Whatever character set they use, there are a limited number of these keys. One side effect is that sequential keys can be tried (e.g. aaaaaaa to ZZZZZZZ) and real sites will be discovered. According to a recent article, lots of real sites will be discovered.
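To make the mechanism concrete, here is a toy shortener written for this post (it is not the code of goo.gl or any real provider): a random key from a fixed alphabet is stored next to its destination, and resolving a short URL is nothing more than a table lookup. The provider name `short.example` and the six-character key length are assumptions; `keyspace()` and `occupancy()` put a number on the point above that the set of possible keys is finite and every stored key maps to a real site.

```python
import secrets
import string

# 62 URL-safe characters: upper- and lowercase letters plus digits.
ALPHABET = string.ascii_letters + string.digits


class Shortener:
    """In-memory stand-in for a shortener's database (constructed for this example)."""

    def __init__(self, provider="short.example", key_length=6):
        self.provider = provider      # hypothetical provider host
        self.key_length = key_length  # goo.gl/lbndbR uses a 6-character key
        self.table = {}               # key -> destination URL; nothing in here is secret

    def shorten(self, destination):
        """Draw random keys until an unused one is found and store the mapping."""
        while True:
            key = "".join(secrets.choice(ALPHABET) for _ in range(self.key_length))
            if key not in self.table:
                self.table[key] = destination
                return f"{self.provider}/{key}"

    def resolve(self, short_url):
        """The redirect step: look up the 'page' named by the key.

        Returns None for an unknown key; anyone holding the short URL gets the
        same answer the browser would, so the destination is not hidden.
        """
        provider, _, key = short_url.partition("/")
        if provider != self.provider:
            raise ValueError("not one of this provider's short URLs")
        return self.table.get(key)

    def keyspace(self):
        """Number of distinct keys the alphabet and key length allow."""
        return len(ALPHABET) ** self.key_length

    def occupancy(self):
        """Fraction of all possible keys that currently point at a real destination."""
        return len(self.table) / self.keyspace()


if __name__ == "__main__":
    s = Shortener()
    short = s.shorten("https://blog.learningtree.com/")
    print(short, "->", s.resolve(short))
    print("possible keys:", s.keyspace(), "occupied fraction:", s.occupancy())
```

With six characters from a 62-symbol alphabet there are 62^6 (about 5.7 × 10^10) keys; a popular provider fills a noticeable share of that space, which is why the article the post refers to could find real sites by trying keys.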

Bad guys have ways to make URLs look different. They call it “obfuscation.” It doesn’t actually hide the URL; it just makes it look unusual. Consider:

  • http://anything-can-go-here@blog.learningtree.com takes advantage of a form of URL that looks like protocol://username:password@site. The colon and password are optional. I use this with ftp://user@site. Some browsers disallow this form when used with http while others warn the user there might be something suspicious.
  • http://3627735086 is a way to get to Google. I converted the IP address 216.58.216.46 to a 32-bit decimal number. URLs allow that method for specifying the address. This is only one of Google’s servers, of course. You could also use http://216.58.216.46.
  • Likewise, http://033016554056 and http://0xD83AD82E use the octal (base 8) and hexadecimal (base 16) representations of the IP address.

The numeric URLs won’t work for all sites, though. If there are multiple sites served by a given IP address, the web server software needs to know the actual name of the desired site.
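The forms listed above are easy to undo mechanically, which is what a log-review or mail-filtering tool should do before deciding where a link really points. The following is an added example, not code from the post: it uses Python’s standard `urllib.parse` and `ipaddress` modules to pull the real host out of a `user@host` URL and to turn a bare decimal, octal, or hexadecimal address back into dotted-quad form. The `inspect_url` and `numeric_host_to_ip` function names are my own; the sample URLs are the ones from the list.

```python
import ipaddress
from urllib.parse import urlsplit


def numeric_host_to_ip(host):
    """Return the dotted-quad form of a host written as one 32-bit number.

    Accepts the decimal (3627735086), octal with a leading 0 (033016554056)
    and hexadecimal with 0x (0xD83AD82E) spellings; returns None for anything
    else, including ordinary hostnames and dotted addresses.
    """
    h = host.lower()
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)
        elif len(h) > 1 and h.startswith("0") and h.isdigit():
            value = int(h, 8)          # legacy octal: int(h, 0) would reject this
        elif h.isdigit():
            value = int(h, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def inspect_url(url):
    """Canonicalise the host of a URL and list the obfuscation tricks it uses."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # protocol://username:password@site -- the browser connects to 'site',
    # not to whatever appears before the '@'.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' precedes the real host")
    ip = numeric_host_to_ip(host)
    if ip is not None:
        findings.append(f"host '{host}' is a numeric form of {ip}")
        host = ip
    try:
        ipaddress.ip_address(host)
        # No site name means a virtual-hosting server cannot pick the right site.
        findings.append("URL names an IP address rather than a site name")
    except ValueError:
        pass
    return {"host": host, "findings": findings}


if __name__ == "__main__":
    samples = [  # the URLs from the list above
        "http://anything-can-go-here@blog.learningtree.com",
        "http://3627735086",
        "http://033016554056",
        "http://0xD83AD82E",
        "http://216.58.216.46",
    ]
    for u in samples:
        print(u, "->", inspect_url(u))
```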

Sometimes site owners need to obfuscate URLs. Consider http://some.site/user=23. The owner may not want that number exposed. Maybe she doesn’t want people to be able to guess user numbers. To hide this information securely, it can be encrypted in the URL and decrypted by the server before use.
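Here is one way to do that, written as an added example rather than anything from the post: the user number is turned into an opaque, URL-safe token that the server can open but a visitor cannot read or forge. The functions `encrypt_id`, `decrypt_id` and `user_url` are mine, `SERVER_KEY` is a constructed demo key, and the construction is encrypt-then-MAC with HMAC-SHA256 used as both keystream generator and tag, chosen only because it needs nothing outside the standard library; a deployment would normally use an AEAD such as AES-GCM from a cryptography library instead.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key (hypothetical); a real server loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)

NONCE_LEN, ID_LEN, TAG_LEN = 16, 8, 16


def _subkey(key, label):
    """Derive independent keys for the keystream and the tag from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def encrypt_id(key, user_id):
    """Encode an integer id as a URL-safe token: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)            # fresh per token, so equal ids differ
    plain = user_id.to_bytes(ID_LEN, "big")
    stream = hmac.new(_subkey(key, b"enc"), nonce, hashlib.sha256).digest()[:ID_LEN]
    cipher = bytes(p ^ k for p, k in zip(plain, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + cipher + tag).rstrip(b"=").decode()


def decrypt_id(key, token):
    """Inverse of encrypt_id. Returns None for a token that was altered or forged."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) != NONCE_LEN + ID_LEN + TAG_LEN:
        return None
    nonce = raw[:NONCE_LEN]
    cipher = raw[NONCE_LEN:NONCE_LEN + ID_LEN]
    tag = raw[NONCE_LEN + ID_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                                   # verify before decrypting
    stream = hmac.new(_subkey(key, b"enc"), nonce, hashlib.sha256).digest()[:ID_LEN]
    return int.from_bytes(bytes(c ^ k for c, k in zip(cipher, stream)), "big")


def user_url(key, user_id):
    """Build the link from the post with the number replaced by its token."""
    return "http://some.site/user=" + encrypt_id(key, user_id)


if __name__ == "__main__":
    link = user_url(SERVER_KEY, 23)
    print(link)
    print("server recovers:", decrypt_id(SERVER_KEY, link.split("user=", 1)[1]))
```

Because the nonce is random, two links for the same user do not look alike, and because the tag is checked first, a visitor who edits the token gets a rejection rather than a different user's page. The server still has to authorise the recovered id; the token only stops guessing.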

Shortened URLs don’t provide secure hiding of their targets. They do make life easier in some cases. If you use them, use them wisely, and know that the target site is disclosed to those with the short URL and can be discovered by those searching through all the provider’s short URLs.


To your safe computing,
John McDermott
