Bit.ly, a URL shortening service popular among Twitter users, is partnering with VeriSign, Websense and Sophos to add a new level of security. The move addresses the growing abuse of shortened URLs, which conceal the full addresses of Websites, by attackers and spammers.
Bit.ly, a URL shortening service popular among Twitter users, announced
partnerships Nov. 30 with security companies VeriSign, Websense and Sophos.
The alliance is designed to bring a new level of security to URL shortening,
which has increasingly been abused by spammers
Services like Bit.ly shorten URLs so that they fit the
character limits of microblogging services like Twitter, or just for the sake
of convenience. As a result, users can click the shortened links without
knowing what site they will be directed to.
Each partnership is meant to add a new
layer of protection.
One is VeriSign's iDefense IP reputation service. "The
iDefense blacklist includes URLs, domains and IP addresses [that] host
exploits, malicious code, command and control servers, drop sites and other
nefarious activity," said a Nov. 30 post on the Bit.ly
According to the blog post, Websense's ThreatSeeker Cloud service will
be used to "analyze the Web content behind Bit.ly links in real time,
using heuristic tools and reputation data to flag spammy URLs, malicious
content and phishing sites." Finally, Bit.ly is employing Sophos for its
The integration of the services is expected to happen during the next few
"Bit.ly is one of the largest sharing services on the Web, with
millions of shortened
created every day," Andrew Cohen, Bit.ly's general manager, said
in a statement. "A large part of our success is due to the trust users
have in our service and we work hard to earn that trust by warning our users
about spam and malicious content."
According to Websense, users will be able to report spam to abuse@Bit.ly
and have their feedback become part
of the classification and threat protection for all Websense subscribers.
"I like the approach Bit.ly is taking to check existing links in case
they've become compromised, rather than simply just scanning new links added to
the database," Rich Mogull, an analyst with Securosis, said in a
statement. "This will reduce the chances of the bad guys gaming the system
by adding a clean version of their site for an initial scan, then adding
malware after the fact for future visits. This solution is a lot better than
the anti-phishing built into browsers and some search engines, since those rely
only on databases of previously discovered, known bad sites."