URL shortening has taken a bit of a beating in the security community during the past two years, particularly as the popularity of Twitter has taken off.
But not everyone believes the real-world dangers of URL shortening are in line with the hype. Fears of shortened URLs are being overblown, said Zscaler researcher Julien Sobrier, and he brought some data with him to back himself up.
According to his analysis of roughly 1.3 million URLs posted in Twitter's public timeline, just 773, or approximately .06 percent, led to malicious sites. Compare that with Google. When Sobrier performed searches on some of the most popular topics listed on Google Trends March 24 and 25 and analyzed the results, he found that each had at least one malicious site in the first 10 pages (top 100 results).
What that proves, he contended, is that shortened URLs do not actually add the extra layer of danger some have claimed.
"A common trend with malicious attacks is to hide behind a 'good' site -- for example, zero-pixel IFRAMEs are commonly injected into legitimate pages redirecting a victim's browser to another domain," he told eWEEK. "In this case the initial link shows a 'good' domain name, but the user ultimately ends up on a different site. At least with URL shorteners, the user knows he is going somewhere else, and he should be suspicious by default ... however, I agree that you are less likely to go to a page that is a scam, shows adult material, etc., if you are able to first see the full domain name before clicking on the link."
Twitter itself recently implemented URL scanning defenses for direct messages, which is where the microblogging service said many of the malware threats reside. It is worth noting that Sobrier's research did not cover direct messages, only links in the public timeline. However last year, Bit.ly announced it was partnering with Sophos, VeriSign and Websense to analyze links to help provide additional security.
Over at Sophos, Richard Wang, manager of SophosLabs, agreed that Sobrier's points were valid. He noted however that while the proportion of malicious and spammy links on Twitter may be small, they represent a significant number due to the amount of tweets users send each day.
"Tweets are, for the most part, not malicious, but it is exactly that clean reputation that criminals can exploit to get unwary users to click on their links," Wang said. "Web filtering technologies such as the URL filters built into modern browsers or the content scanners built into endpoint and gateway security products provide the best technological defense against malicious links in tweets or elsewhere. Another great defense against this and many other computer security threats is simply to think twice before clicking. Just because there's a link doesn't mean you have to click it."
As I told Zscaler, I automatically throw shortened URLs in the suspicious category almost by reflex, perhaps because I don't use Twitter with any regularity and typically run into shortened URLs in regular e-mails and sites like Facebook, where they are not necessary. Maybe I am being unfair. But I still like to have some sense of what I am clicking on.
What do you think? Does URL shortening get a bad rap?