We've been having some discussion internally about shortened URLs, with specific reference to pointing to web resources on Twitter, where you can't actually avoid using shortened URLs, because an uncompressed URL is automatically shortened using bit.ly.

You may remember that I discussed these issues before here, The main problem, of course, is that it's all too easy to conceal a malicious site behind a shortened URL, as all too many blackhats have already discovered. So while I sincerely hope that ESET's web pages are as secure as they can be on the wild, wild internet, I think it's more responsible  to force  users to check the real URL before they open it, even though it's an extra click. As a security company, we should be trying to set a good example.

Now, bit.ly isn't a bad option: it offers a preview plugin for Firefox users, checks links agains some blacklists, and offers click ratio statistics. But it doesn't let me force a preview, and it isn't browser-agnostic.

The tr.im service seems to be good on statistics, but I can't find a preview mode or security information: perhaps there's something if you actually sign up for it, so I'll be looking further into that.

Recently I've been using tinyURL with the "preview.tinyurl.com" prefix, to force anyone who uses it to see the preview page that tells them what the full URL is. (is.gd also has an option to force a preview by appending a hyphen, and also uses SURBL.) If you really hate the preview option, and it seems that some people do dislike seeing the redirect, you can avoid it by pasting the link into your browser with the "preview." removed. But that's probably more hassle than just viewing the preview and clicking again.

Right now, though, I'm using sURL, which always shows a preview page, and has one or two features I like the look of and am testing out at the moment. (I particularly like the ability to generate a loooooonnnnnnggggggg URL, but I haven't thought of a legitimate use for it yet.)

However, I'd like to establish consistent practice across the blogging team.  And, indeed, to get your opinions. How would you prefer us to handle this, if you have any views at all? Do you use the Twitter notifications?

By the way, I'm probably going to come back to this topic in a paper Real Soon Now. In the meantime, if you're interested in looking at the issue in more detail, you might want to take a look at Rob Slade's blog here.

David Harley
Director of Malware Intelligence