URL shortening — a niche service that exploded into the mainstream along with Twitter — has suddenly become a hotly competitive market, with a handful of new offerings. Market leader Bit.ly, as well as TinyURL and scores of other smaller players, now have to contend with Google and Facebook.
The Google URL Shortener is currently available only in updated version of the Google Toolbar and FeedBurner.
Facebook reportedly is readying its own service for launch.
Bit.ly isn’t standing still; it just rolled out a new service called “Bit.ly Pro,” which allows publishers and bloggers to use their own short domain names to point to pages on their sites. As part of the initial beta program, Bit.ly is making custom URLs available to AOL, Associated Content, Bing, Clicker, The Daily Telegraph, foursquare, GDGT, Hot Potato, The Huffington Post, IGN, kickstarter, Meebo, MSN, /Message (Stowe Boyd), MTV Networks, The New York Times, OMGPOP, Oneforty.com, The Onion, Slideshare, Someecards, TechCrunch, The Wall Street Journal Digital Network — which includes WSJ.com and MarketWatch.com — and blogger Baratunde Thurston.
Facebook, Google and Bit.ly did not return calls from TechNewsWorld in time for publication.
Short and Safe?
Security and transparency are themes running through the Google and Bit.ly offerings. One of the attributes of the Google URL Shortener, for example is the fact that it is fast — and safe, claim Muthu Muthusrinivasan, Ben D’Angelo and Devin Mullins, software engineers at Google.
Google uses the same technology it employs for Web searches to automatically check for malicious sites that may be hidden by shortened URLs, and it issues warnings to users when they’re detected, according to a Google blog post by the three.
As for Bit.ly, the entire point of its new private label service is to provide transparency to readers. It’s easy to see that the short URL nyti.ms, for example, will point to the New York Times Web site.
There is a reason for this new focus on safety. URL shorteners have been identified an effective way for hackers to infiltrate social networking sites.
“Twitter’s 140-character limit and explosive growth put some rocket juice behind URL-shortening services and made these services an ideal breeding ground for hackers and cybercriminals,” Andrew Storms, director of security operations for nCircle, told TechNewsWorld.
“Twitter has proven to be an ideal tool for spreading a wide variety of spam and phishing scams, even though many Twitter users know that any shortened link can be malicious,” he said.
Hackers take advantage of the implicit trust users have in tweets, especially those coming from someone they know, according to Storms.
Sometimes it is a matter of curiosity overcoming common sense, he added. “Users, even though they know they shouldn’t, often click on the shortened links without checking to see where they are going.”
We hear about a new Twitter phishing scam almost daily, whether it’s via direct messaging or a shortened URL, Robert Siciliano, CEO of IDTheftSecurity.com, told TechNewsWorld. “A short URL that appears harmless can lead to malware or a spoofed site, rather than the destination you were expecting. Links to a picture can easily point towards a virus.”
Using the new enhanced URL-shortening services may swap one set of problems for another, Wolfgang Kandek, CTO of Qualys, told TechNewsWorld.
Namely, the company that you use will know what your followers are clicking on. “This will allow companies to form a better picture of user behavior — no doubt part of the reason that Google and Facebook are working to launch their services in this area.”
Fears Overblown?
It may be that the security fears about shorteners are overblown — assuming the user has a security application in place, countered Michael Sutton, VP of security research at Zscaler.
“Shorteners all work the same way,” he told TechNewsWorld. “Essentially, they map between an abbreviated URL to the real URL.”
What happens is the user makes a request to the URL-shortening service. The service looks up the shortened URL to see which URL it points to, and then sends a redirect message to the user’s browser.
“That process is important to understand, because the user is still making a regular request just as if he or she had typed it into the URL bar,” Sutton explained.
“That is why I say there is a lot of hype circulating around URL shorteners. Yes, they can be used to obviate the final URL. But if there is a security application that is inspecting the traffic — including that final request sent — then it shouldn’t be a problem,” he explained.