Using URL Shorteners

We’ve all seen URLs shortened by bit.ly and its cousins: Unwieldy juggernauts like http://www.megaconference.us/register.qxv?event=megacon%20xxviii&wonderment=true%20enough%20for%20mom&prepop=1&campaign=225817558&api_key=3e7a67b1f9c00d601dbe reduced to tidy morsels like http://blag.foo/5Vf2.

Who doesn’t enjoy that? It’s cleaner! Efficient! More user-friendly!

Information security pros, that’s who. Why? Because it’s opaque.

How did you know that clicking http://go.uvm.edu/9utlr (if that’s how you got here) was going to bring you someplace that’s safe to visit?

In our efforts to improve users’ online safety through education, we often preach “Know Where You’re Going” — in other words, find out where that link’s going to take you before clicking it. Use of these URL shorteners necessarily defeats this simple technique. Because of this, it’s hard to know whether http://blag.foo/5Vf2 points to the conference registration link you wanted or some scammer site claiming that you can log into the conference reg site with your UVM Webmail credentials. And even if the user is savvy enough to spot the fraud based upon the Address bar contents when their browser finally comes to rest (“Hey — that says megaconference.premline.ru…”), how many drive-by malware sites did they visit to get there?

It’s impossible to know from http://blag.foo/5Vf2.

Still: Cleaner! Efficient! More user-friendly!

Fortunately, the fantastic folks of ETS SAA have come up with an answer that reduces the risks somewhat: http://go.uvm.edu will happily shorten your links for you, and your users can breathe easier (especially once the information security people have made them hyperventilate over URL shorteners) because every http://go.uvm.edu URL can be traced back to a UVM NetID.

(Astute readers will, no doubt, point out that this doesn’t prevent a UVMmer from defrauding Internet users through a http://go.uvm.edu URL. And that’s a fair assessment. But information security is a game of reducing exposure to risks rather than eliminating them altogether. Sad, but true.)

THIS JUST IN (2 October, 2013): Adding a tilde (~) to the end of your shortened URL will cause the user to make a quick stop by a small page on go.uvm.edu which explains where they’ll be taken. This nicely addresses the apparent hypocrisy inherent in this article. Try it for yourself by visiting UVM’s IT security site using these two links:

So please feel free to Shorten the Internet! Just use http://go.uvm.edu when you do it! And if you have questions, please let us know.


Sam Hooker, for the Information Security Operations Team

