Many people misunderstand the role of URL shortening tools. They see them as a security tool, which they are not.
I am on a project team that uses shortened URLs. We do it for user convenience. The shortening tools do one thing – they allow a longer URL to be replaced with a short one. That’s it. They do not hide the URL in any way. Some shorteners have additional features such as counting clicks for tracking purposes.
URL shorteners work by generating a small, random-looking string and storing that string and the destination URL in a database. When a user visits the shortening provider's site and requests the “page” named in the shortened URL, the user’s browser is redirected to the destination page. There are sites that provide this service, and there is software for creating one’s own database and generating short URLs.
Consider the shortened URL goo.gl/lbndbR. Its target is “blog.learningtree.com.” You can test it with a “URL lengthener” site such as unshorten.it. These lengthener sites will decode shortened URLs from the most common shortening sites. When you use a shortener, the target URL will still appear in the browser’s address bar.
Let’s look at the shortened URL goo.gl/lbndbR. The first part is the shortening provider – Google in this case. The second part is the database key representing the target site. Some sites use shorter keys and some use longer ones. Some have digits in addition to uppercase and lowercase letters. Whatever character set they use, there is a limited number of these keys. One side effect is that sequential keys can be tried (e.g. aaaaaaa to ZZZZZZZ) and real sites will be discovered. According to a recent article, lots of real sites will be discovered.
Bad guys have ways to make URLs look different. They call it “obfuscation.” It doesn’t actually hide the URL; it just makes it look unusual. Consider:
The numeric URLs won’t work for all sites, though. If there are multiple sites served by a given IP address, the web server software needs to know the actual name of the desired site.
Sometimes site owners need to obfuscate URLs. Consider http://some.site/user=23. The owner may not want that number exposed. Maybe she doesn’t want people to be able to guess user numbers. To hide this information securely, it can be encrypted in the URL and decrypted by the server before use.
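The encrypt-in-the-URL approach described above, as an added example that is not code from the original post. AES-256-GCM is an assumed cipher choice, the names newAEAD, sealUserID and openUserID are hypothetical, and the all-zero key is constructed for the demo only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte server-side key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealUserID returns base64url(nonce || ciphertext || tag); the ID is a fixed 8 bytes.
func sealUserID(gcm cipher.AEAD, id uint64) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per token
		return "", err
	}
	pt := make([]byte, 8) // fixed width, so token length does not leak the ID's size
	binary.BigEndian.PutUint64(pt, id)
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, pt, nil)), nil
}

// openUserID decrypts a token; altered or forged tokens fail authentication.
func openUserID(gcm cipher.AEAD, token string) (uint64, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < gcm.NonceSize() {
		return 0, errors.New("malformed token")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil || len(pt) != 8 {
		return 0, errors.New("invalid token")
	}
	return binary.BigEndian.Uint64(pt), nil
}

func main() {
	gcm, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key, not for real use
	tok, _ := sealUserID(gcm, 23)
	fmt.Println("http://some.site/user=" + tok)
	fmt.Println(openUserID(gcm, tok))
}
```

Because GCM authenticates as well as encrypts, a visitor who edits the token gets an error rather than another user's number, and the random nonce means the same user ID produces a different token each time it is sealed.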
Shortened URLs don’t provide secure hiding of their targets. They do make life easier in some cases. If you use them, use them wisely: know that the target site is disclosed to anyone with the short URL and can be discovered by anyone searching through all of the provider’s short URLs.
To your safe computing,