Results 1 to 6 of 6

Thread: snip.ps and other url-shortening domains

  1. #1
    Join Date
    Jun 2012
    Beans
    301

    snip.ps and other url-shortening domains

    yuk

    do we have a preferred method of blocking all url-shortening domains?

    i see these as a serious security hazzard as they are most likely bypassing dns standards and all the effort that was put into securing the update process for our dns servers

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: snip.ps and other url-shortening domains

    They don't have anything to do with DNS. They just use an HTTP redirect.

    http://rield.com/faq/why-url-shorteners-are-bad

    You can block them on a site-by-site basis, but more and more sites are popping up.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Jun 2012
    Beans
    301

    Re: snip.ps and other url-shortening domains

    Quote Originally Posted by CharlesA View Post
    They don't have anything to do with DNS. They just use an HTTP redirect.

    http://rield.com/faq/why-url-shorteners-are-bad

    You can block them on a site-by-site basis, but more and more sites are popping up.
    yep

    the Bad Part -- is -- the URL shortener is really another form of DNS service . as such it can direct a browser to a site ... that is a forgery

    as we know a fake site can be an exact replica of the legitimate site . the viewer cannot distinguish by inspection

    which is where HTTPS is supposed to help: if the site is using HTTPS ( which anything commercial should ) -- then -- the URL address bar shows the little padlock + the https:// type address ...

    if you click on the padlock Firefox will access the SSL security data and display it for you

    which is all well and good . so far:

    from the display i can get right down to the certificate and see the MD5 and SHA-1 fingerprints. i could check the fingerprints,-- if i had the info to check them with .

    but we are in the area where the computer should be covering this chore

    what is missing?

    I never signed Verisign's Certificate,-- although I use it a lot, -- one site -- 833 times so far .

    why is this a problem?

    the re-director ( URL shortener -- or DNS poison ) could have re-directed my browser to a fake site -- with a certificate authorized by some hacker (CA certificate are a major target and have already been hacked -- RSA was one victim, there have been others ) .

    the HTTPS and the padlock will all come on OK and look OK -- the problem being -- I don't have a legitimate authentication -- and there is no warning .

    the reason being: I never checked and signed for Verisign's certificate

    if i had the option to check and sign certificates then i could also have the option to red-flag any certificate not signed by a Certificate Authority (e.g. Verisign ) -- which I had not specifically checked and signed for

    this is the Essential Part of Public Key Encryption that has been skipped over by the SSL crowd in their mad dash to pass out Linus Blankets .


    Zimmerman documents this requirement in his original 1992 essay .

    and it seems to me most of the security problems we have today are cause by people trying to take short cuts . in our quest to make things easy we have facilitated hacking .

    ~~~
    Amendment 1
    Given that some CA have already been hacked I would prefer to sign the certificates for web-sites that I use DIRECTLY rather than relying on a CA's approval . I already do this for MSFT Security Bullitens

    how many sites do we actually use that require commercial security ? I have -- maybe 6 .
    Last edited by mike acker; February 3rd, 2013 at 02:43 PM. Reason: Amendment 1

  4. #4
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: snip.ps and other url-shortening domains

    A URL shortener that redirects to a phishing site will still, in the end, display a domain in the address bar that is not the site it's claiming to be. All that the URL shortener has done is provide a temporary layer of obfuscation. It's a separate concern from DNS, because if the problem were with DNS then the domain in the address bar might give the real domain name for a false page. 2 different things.

    There is an extension for Firefox called RequestPolicy that, among other things, stops 302 redirects on the fly, displays the address of the final target site, and will not load the page until the user clicks on an Allow button. That should work on all URL shorteners, even the ones we don't know about yet. It will also mess up a lot of other things that are perfectly fine, but that's the choice we all have to make for ourselves.

  5. #5
    Join Date
    Jun 2012
    Beans
    301

    Re: snip.ps and other url-shortening domains

    Quote Originally Posted by OpSecShellshock View Post
    A URL shortener that redirects to a phishing site will still, in the end, display a domain in the address bar that is not the site it's claiming to be. All that the URL shortener has done is provide a temporary layer of obfuscation. It's a separate concern from DNS, because if the problem were with DNS then the domain in the address bar might give the real domain name for a false page. 2 different things.

    There is an extension for Firefox called RequestPolicy that, among other things, stops 302 redirects on the fly, displays the address of the final target site, and will not load the page until the user clicks on an Allow button. That should work on all URL shorteners, even the ones we don't know about yet. It will also mess up a lot of other things that are perfectly fine, but that's the choice we all have to make for ourselves.
    thanks for the tip
    i installed RequestPolicy right after I read your note
    then i tried to reply.
    but with Request Policy running i can't reply on this forum .

    i see on their web page version 1.0 is now current while version 0.5 something is offered here .

    i think this is probably the best answer we will see for now . so when 1.0 become available i'll give it another try .
    Last edited by mike acker; February 3rd, 2013 at 03:13 PM.

  6. #6
    Join Date
    Sep 2011
    Beans
    1,531

    Re: snip.ps and other url-shortening domains

    You can see where the shortened url goes before clicking on it by using this:

    http://longurl.org/
    http://urlxray.com/

    It's not fool-proof but you can weed out the obvious bad redirects.
    Last edited by Ms. Daisy; February 4th, 2013 at 12:46 AM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •