Why URL shorteners suck

Delicious founder Joshua Schachter says that URL shorteners like TinyURL are a bad idea, because they make the web more fragile, dependent on the shortener services as central points of failure. They also assist spammers, undermine googlejuice, and expose users to security vulnerabilities. I agree -- and I like Kottke's suggestion: "With respect to Twitter, I would like to see two things happen: 1) That they automatically unshorten all URLs except when the 140 character limit is necessary in SMS messages. 2) In cases where shortening is necessary, Twitter should automatically use a shortener of their own."
The transit's main problem with these systems is that a link that used to be transparent is now opaque and requires a lookup operation. From my past experience with Delicious, I know that a huge proportion of shortened links are just a disguise for spam, so examining the expanded URL is a necessary step. The transit has to hit every shortened link to get at the underlying link and hope that it doesn't get throttled. It also has to log and store every redirect it ever sees.

The publisher's problems are milder. It's possible that the redirection steps steals search juice -- I don't know how search engines handle these kinds of redirects. It certainly makes it harder to track down links to the published site if the publisher ever needs to reach their authors. And the publisher may lose information about the source of its traffic.

But the biggest burden falls on the clicker, the person who follows the links. The extra layer of indirection slows down browsing with additional DNS lookups and server hits. A new and potentially unreliable middleman now sits between the link and its destination. And the long-term archivability of the hyperlink now depends on the health of a third party. The shortener may decide a link is a Terms Of Service violation and delete it. If the shortener accidentally erases a database, forgets to renew its domain, or just disappears, the link will break. If a top-level domain changes its policy on commercial use, the link will break. If the shortener gets hacked, every link becomes a potential phishing attack.

on url shorteners (via Kottke)


  1. Poo poo.

    Saying tinyurl.com is “bad” for you is like saying chocolate is bad for you. Maybe true, but who gives a crap? I never use them for permanent-ish linking so I’ve never had a problem and they’ve always been a plus.

    As for spam hidden inside a small url, I’ve never had that problem either. If someone I don’t know sends me email of dubious content I never bother clicking. The likely contexts for spam are fairly obvious.

    Now this thing they call “The Internet” is REALLY bad for you…did you know they have porno on there and sometimes you will accidentally see NAKED HUMAN BODIES?

  2. I think the problem is that too many boards’/forums’/comments’ editors auto-parse URLs badly.

  3. I understand the argument that it hides the content of the link. But then, most spam links are disguised in some way, anyway. Shortened URLs aren’t only useful for services like Twitter, but for (legitimate) long and complicated addresses which are ‘not’ spam, but people won’t click on if they fear that it is. As a researcher, I use a service that generates a random URL that appears as a mess of letters and numbers. Whenever I sent the links out to gather responses, I never got any clicks. Shortening to a customized URL helped.

    Twitter ‘could’ automatically shorten URLs, but how does that stop a spam URL from getting auto-shortened?

    And, forgive me, but what ever happened to run-of-the-mill hyperlinks? Type your 140 characters, select a portion or all of the text, and click an add URL button?

  4. Is it too much to ask that we should be able to have ANY type of URL that we want without any problem whatsoever? Why are there complications at ALL ? It’s almost 2010 fer chrissakes , I mean, c’mon, this type of thing should be the least of our problems already!
    I suggest a complete overhaul and evolution of basic internet browsing programing that is efficient and quick and is aware and blocks out spam and other such annoyances. At this day and age I really don’t think that’s too much to ask for and I hope I’m not alone in thinking that this should already be in place and this argument should be moot by now.
    We have better things to worry about:)

  5. I put forward this proposition: the lifetime of the average shortened URL is not substantially different from the lifetime of the average URL.

    Turns out, link-rot is as popular as ever, site owners just don’t seem to care all that much about keeping URLs around for long periods into the future. The problems of shortened URLs are certainly real, but I think concentrating concern there is more than a little misplaced.

  6. There are some URL shortening services which let you access and redistribute a database dump of the lookup table, such as UR1, from Evan Prodromou:


    Perhaps making the database open makes it less likely that such services will be ‘central points of failure’ – as it remains possible to look up the URL, even if there’s a problem with the service.

  7. They certainly serve a purpose – especially for sending links via email.

    We can put “overhauling the URL shortening universe” on the big list of things to do, but I’m afraid it’s not going to get top billing.

  8. Maybe we need a 140-character limit for URLs. :) Seriously, I agree that the problem isn’t the shorteners. It’s the crazy, random big-ass URLs some sites use.

  9. Eh. Zonealarm blocks tinyurl links for me anyway. I could do something about it, but I honestly don’t care – chances are someone is going to use a shortened URL to rickroll me.

  10. Finally, somebody says it. I can’t stand shortened URLs. And I think the point here isn’t “OMG SPAM!” it’s “why depend on a middleman for your URLs?”

  11. #14, EscapingTheTrunk:

    why depend on a middleman for your URLs?

    Because without a middleman , you’ll have to remember URLs like this:

    #4, AbsoluteDestiny:

    or even use tinyurl’s preview.tinyurl address so you dont go directly to the site.

    I’m going to repeat this because it’s so useful:
    Turn on the preview at TinyURL’s preview page, and you can see each URL before you go to it.

  12. Fang Xianfu’s got it. If site operators spend five minutes thinking critically about their URL construction, then URL shorteners would not be needed. Take, for example, eBay. A typical eBay item URL used to look like:


    which is relatively short and works just fine. What they look like now:


    I cannot fathom why eBay thought that was a good idea. You email that to someone and it is *going* to break over a line. No question. If they were smart about the configuration, they could have made only the first 70 characters significant so the URL would still work if chopped up. But instead if you click on a cut-off URL, you get nothing.

    eBay is just one particular example – talking out of my ass, I would say that the majority of large companies just don’t get it when it comes to URL length and construction.

  13. @#14:

    From the standard:

    “The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs.”

    I work on a product that has an 8K limit for URLs. Some customers have had problems.

  14. I use tinyurl to send my mother links to things because I have to email them. If the link wraps and clicking in the email doesn’t get her where she needs to go, she calls me and fusses for sending her a link that doesn’t work. She can barely google as it is and FSM help us all when she gets on the net to buy plane tickets.

    So tinyurl fills a needed niche in my internet life by keeping my mother happy. Long live tinyurl!

  15. Totally missing the point here, really.

    The main usefulness of URL shorterners have nothing at all to do with hypertext or linking.

    Tinyurls do their stuff best when you – through print or orally – have to instruct someone to “go type this into your browser”.
    They’re not built to last because they’re not MENT to last, you silly.

    This is a bit like saying we should do away with screwdrivers because some people get bad results when they cut their bread with them.

  16. I do yahoo groups… I’m in sixty some groups… own three… and monitor for six…

    yahoo like to brake links… :( then they put a million “%20” in there that you have to work out…

    so tinyurl is a god send… just need to post both the tinyurl AND the original full link…

    the internet is dynamic… so you can only expect it to change over time… and being phished is just part of the game… that’s what filters are for…

  17. The problem is quite understandable but with the monster URL’s you don’t really have a choice. I use a shortener when the URL is long enough to be subject to line-break damage by wherever it’s going.

    In my years as a forum moderator I’ve shortened several URL’s that people have posted because they were too long and broke.

  18. First, here’s a great factual analysis of URL shorteners, http://bit.ly/ZuUw (shortened of course).
    Second, the issue of search engines “doing the right thing” with these URLs is already solved. The good services issue 301 Moved Permanently redirects, rather than 302 Moved Temporarily. Search engines will follow & keep the permanent link.
    Third, “fragility” is a canard. This is like saying “the internet is more fragile because we rely on BGP for routing or S3 for storage”. At some point, you must rely on a set of utility services, assist their providers to maintain the system when possible, and hold them accountable.

  19. Honestly by this same line of thought domain names suck too. We should only utilize static IP address to navigate the web.

  20. Why should it be Twitter’s responsibility to attend to url shortening requirements because some URL shortening websites have flaws? Anyone can type any URL they want on twitter provided it fits within size limits, and likewise, anyone can click on whatever they want. It’s the responsibility of the individual to defend themselves and think before they click, not the provider of the avenue in which the link was found. If people are trustworthy, they will continue to prosper, if people constantly abuse the URL shortening, they will be ousted as sleaze by the online community. It just seems like a survival of the fittest situation to me, and people who click links without paying attention to what they’re clicking deserve what they get. Alternately, download malwarebytes or get a mac.

  21. A general problem with obfuscated links that use a randomly-generated reference(youtube,tvtropes’ punctuated titles) is that there is no way to “probe” them – that is,hovering over the link to get a clue to their content from the URL name/structure. A YT link will tell you that it’s from YT,but not what it’s going to show you; hence,Rickrolls and such are possible. Spoofing is,unfortunately,still possible with meaningful URLs,but I’d rather have some meaning than none at all,even if it’s misleading. In some cases it makes it easier to spot.

    @ #16 dculberson: The ebay link is too long,true,but it also includes the auction name so that you know what the auction is about before you click.

  22. ya ya evil. whatever. its utility outweighs its drawbacks.
    There’s always giantURL if you really hate tinyURL.

    Besdes, TinyURL was written by a unicyclist. I unicycle Ergo so there.

    you can have a lot of fun plugging into tinyurl’s address space.
    http://tinyurl.com/boing (kinda funny)

  23. i cant believe “you people” have so much to say about this – im flabbergasted – im veritably vehement about ur various voluminous verbalizations – urls — veesh – the vindow viper needs to vash ur various vindows – said the vegan to the vetrinarian… PINEAPPLES (see i can make long posts about url’s too)

  24. Now, is he REALLY against URL shorteners or is this just a knock against Delicious competitor Digg, which just launched its own URL shortening service? (Yet is never mentioned in the article.)

    I’m not so sure that these links really make the web more fragile. Yeah, in theory if TinyURL closed up shop you’d have all these dead links, but as another commenter mentioned, proper URL’s don’t seem to stick around for long either when you’re talking about linking to an individual piece of content on a vast site. Sites are always being redesigned, causing old links and bookmarks to be invalidated.

    If it’s truly a problem, someone will come up with a better solution, but in the meantime there is clearly a necessity for these shortening services.

    In reality it’s not the shorteners themselves that suck, it’s the design of the web that makes them necessary that sucks.

  25. In terms of Twitter’s and tinyurls, I don’t have a problem when someone creates a tinyurl to use in a tweet. After all, twitter itself is just a form of microcommunication that doesn’t need to have a life span. What I can’t stand is twitter’s auto-shortening of urls. It makes no sense at all and often doesn’t work correctly, leaving broken links.

    If I tip a message that is under 140 including the proper url, why does twitter have it shortened? I’d like for people to see what they are clicking and for my links to work properly, is that too much to ask?

  26. It seemed clear from the article that Delicious had it in for TinyURL. After all the suggestion that Twitter do it instead of TinyURL doesn’t address any of their alleged complaints. But why would Delicious have a grudge against TinyURL? I think SKULLIVAN has cleared this up. The connection with the Digg shortener probably explains what’s really going on.

  27. i heard something about it on msnbc but i thought it was some kinda joke or catch-phrase (wasnt really paying attention)

  28. I’ve seen people deliberately use URL shorteners because they don’t want to give a website any google juice (if say they think the website has very wrong political opinions but want to point something out on it). This doesn’t strike me as an inherently unreasonable use especially if people aren’t familiar with how to add nofollow tags.

  29. I have to concur with those who don’t like short URLs and don’t recommend them. I think the downsides (both real and potential) are far more harmful than the alleged benefits (some of which people seem to be discussing as if they’re self-evident like how one “needs them for email”).

    Below I respond to a few of the points I’ve read in this thread:

    In response to using “preview” mode or some browser add-on: I think you’re just becoming more dependent on the service, not liberating yourself from it (and thus you’re not really addressing the shortcomings of these services). If the short URL can be decoded independently of the service, you’ve got a good point. But I doubt that’s the case because the whole point of the service is to make money by user lock-in. I think what’s really going on is that you’ve just found another interface for the same service.

    “I need short URLs for email”: no you don’t. Most modern email programs can make URLs clickable/selectable. If you’re writing markup (HTML, BBCode, any wiki code, etc.) you can use link text. It works even if the URL is long. More fundamentally, you’re making a very bad tradeoff: the unusual look of long URLs in the body of a message is not a big enough problem to warrant losing access to the site because the short URL service disappeared. People would rather be able to reach the website than have a brief useless URL, particularly if they keep their old emails and read them.

    “I need short URLs to type in”: you probably don’t because copy/paste works so well. I doubt most people most of the time type in URLs anymore because most URL traffic is itself electronic, people use search engines a lot, and people can use browsers like Firefox which have some degree of search built-in to help you find URLs you’ve been to before (see the so-called “awesomebar” which helps Firefox users recall URLs based on page title, URL text, and some other things).

    “You’re already using a middleman if you’re using DNS”: no, this is not the same. DNS is distributed and there are multiple DNS servers available to you if yours is broken (for any definition of “broken”). If you don’t know how to switch to another DNS server (a somewhat technical task) you can get help with this: ask a technical friend, a neighbor, use another computer to get help online, some public DNS servers offer clear instructions with pictures. Shortened URLs, on the other hand, present a single point of failure: There’s (typically) only one copy of the database that can translate the short URL to a website’s URL.

    “This URL shortening service publishes its translation table”: yes, but this doesn’t address how unnecessary such services are in the first place. URL shorteners that publish their translation table are essentially a better buggy whip; even if everyone used one particular shortener (with published translation table) and that service died with no replacement service at the same host, you’d have to keep the table and manually look stuff up (like a phonebook) or get some browser add-on to do this for you (which helps lock you into that browser).

    “Shorteners are a necessary evil”: No, they’re completely unnecessary and a potential source of censorship and elitist control. Perhaps you are letting your stylistic sensibilities trump what’s wise. Commercial short URL intermediaries exist to slow you down enough to put ads in front of you which is annoying and unnecessary. At worst, the owners of these services gain the opportunity to control someone’s access to a website. This is unnecessary and far worse than annoying. Don’t put your users in a position where they have more gatekeepers to go through, particularly gatekeepers we don’t legitimately need. Keeping this in mind says it is wiser to reproduce even obnoxiously long URLs in the interest of maintaining as direct a contact as possible with the intended resource.

    “Short URLs aren’t meant to last”: There’s no way to know for certain that that is so. But we do know that people want URLs to last; they bookmark them and miss their bookmarks/browser-history when they have to change machines or find out (all too late) that they don’t have backups of their bookmarks and browser history. Something similar is true of their electronic address books. So long as we’re interested in reading old eBay auctions, links to interesting blog posts and essays, and so on, we will expect the pointers that get us there to work. We like this so much that we’d prefer website migration to preserve old URLs as much as possible (this almost never happens when a website switches from one backend to another). If you want to continue to insist that short URLs aren’t meant to last then I have to insist that that is even more reason to never use short URLs.

  30. I often use tinyURL on usenet when referencing things at work . There is, in fact, something to be said for hiding links from googie. just sayin.

    The pious curatorial neepery about LINK ROT for utilitarian timewasting bullshit like usenet, lolcheezborgers.org or checkthisout and the like is silly. I know i don’t use tinyrul for anything whose lifetime i care about.

    HOWABOUT THIS FOR A CONCEPT: The limitations and consequences of a tinyurl should be inherently obvious to a user of average intelligence.

    Thus, complaining about tinyurl is a symptom of the stupidemic.

    Finally, applying Sturgeon’s law to the tubes, we must eventually conclude that link rot is a good thing.

    tweetiebirds are sew full of themselves sometimes…

  31. Adonai @ 13: Zone Alarm blocks TinyURL for you? It doesn’t for me. Also, I disagree that most shortened links go to spam or rickrolling; most of the ones I’ve ever clicked on are completely legit.

  32. This does seem like one of those things that while technically correct in many aspects, in not something that will be practically solved even by education. Much like long, complex alpha-numeric passwords – they are certainly stronger and better in theory, but in practice, most users can’t remember them, and will either return to unsafe but memorable ones, or simply short cut the security in another way (post-it note under the keyboard).

    I do use tiny URL all the time, and don’t find any of the arguments particularly compelling. I don’t feel “locked in” to tiny URL. Should they become annoying (say, by forcing ads before forwarding), I’ll just switch or stop using it. My old links are typically in emails, and I have no illusions that those links are so important that they must be preserved.

    In the case of things who’s archives are regularly searched (mailing lists, newsletters, and the like), I myself have tended to adopt the method I’ve seen used elsewhere – to post the full URL, followed up by the tiny URL. The text only list server might munge the full one, but it’s there if one needs it. The tiny URL works, so the link actually gets followed by (the surprising majority) of folks who can’t or won’t fix a wrapped URL.

    I certainly agree that I’d be leery of following an obfuscated URL from an untrusted source, but I typically only use tiny URL (either direction) when sending to friends, or from publications I know. And the preview mode has been pointed out.

    I don’t think I’ve seen a modern email program that hasn’t failed on one URL or another, so I’m not buying that. Were it true that they worked all the time, there would be little enough demand for the service.

  33. My companies firewall blocks (amongst others) URL shortening services. To (almost) quote someone famous: “Yes, we can’t”

  34. Betatron: authentication over an encrypted connection is the proper means of hiding published resources from search engines, not URL shorteners. If you think URL shorteners are an appropriate means of preventing access by search engines, I’m sure the search engines can be modified to follow the redirection. Search engines, on the other hand, have a very hard time supplying proper credentials to a login prompt when the users who can authenticate are forced to use good passphrases.

    Also, I don’t know what a user of average intelligence is or how that would be determined. But I’m fairly certain that most WWW users are not aware of the shortcomings of URL shorteners. I doubt most users are aware of how web services work at all, and are in no position to provide an educated critique of the wisdom of introducing another intermediary in the browsing process.

    You might not use URL shorteners for anything you care about but use of link shortening is a process that involves more than just you. Others might care about the links they get from you and care about people who aren’t aware of link shortener problems. Just because you spend your time online with “utilitarian timewasting bullshit” doesn’t mean we all do nor does it mean that we can’t care about the things you find “silly”. It’s wiser to err on the side of assuming people want reliable URLs that take them directly to where they want to go because that will get everyone (even those who agree with your browsing habits) what they want. Link shortener supporters need better justification for introducing at least one more intermediary which comes with many attendant risks.

  35. The point of shorteners is for the technologically challenged recipients of your emails who say “the link you emailed me didn’t work” because they don’t understand that their email client hardwrapped the url and broke it and wouldn’t know how to fix it if they did understand. I don’t care if the shortened version only works for a week.

  36. HTML email sucks way more than URL shorteners.

    URL shorteners have no lock in at all. They do not, in any way, cause people to become addicted to URL shorteners. A link can be broken. How is that lock in?

  37. JB: how in the world am i going to use an encrypted connection to hide my content from the googlegroups indexbot? What are you talking about?? I said usenet. I don’t care for x-noarchive…

    Your second para drips with elitism. Probably want to reread this stuff before you post.

    Your third para presumes to tell me how to write for my audience. Surprisingly, i have a good handle on my intended recipient’s tech fu and tailor my message.

    BTW the fact you are replying to me on Boing Boing is prima facie evidence that you engage in utilitarian timewasting bullshit, you know… (srsly, you can say that here?? LoL!)

    TinyURL is akin to a Postit note. Stop trying to elevate every little thing written on the innertubes to Historic Timelessnes. sheehs.

    Finally, your entire post maps to the charge “your doing it wrong”. Thanks for the keen insight, but i’ll just write the way i want to, burdening my family and friends and usenet pals with tinyurls instead of monster URLs that truncate.

  38. @38 JB NicholsonOwens
    as soon as tinyurl existed I hated it and everything you say is 100% true but yet whats with these mindless zombies willing to let another layer of advertising and control be wedged in were its totally not neccesary???? I laugh here who don’t use the email breaking links as a reason, but instead have the gall to admit long urls scare people.

    I know.. text is so damn frighting. I keep waiting for the pictograph system to come back to keep the plebs in the unknowing. How ’bout you IGNORE the long urls, or hide them in html tags like you are supposed to. geez idiots.

    JB NicholsonOwens you worded it the best possible way but people will still be sheep so what can ya do.. *sigh*

    @39 Dedalus
    google it dumbass

  39. Who says that URL shorteners undermine googlejuice? Has anyone actually run the experiment? Google’s a smart company, I would not be surprised if they have a subroutine somewhere that does a lookup of the most popular URL shorteners.

    [Disclaimer: I work for Google, but nowhere near the googlejuice department.]

  40. Amusing discussion. Just the right hint of usenet flamewar. Ladies, your slips are showing.

  41. @51 Stephen

    “URL shorteners have no lock in at all. They do not, in any way, cause people to become addicted to URL shorteners.”

    uhm you do understand they run you thru a third party who needs to exist for it to work right?

    “A link can be broken. How is that lock in?”

    ya I don’t think html will ever take off, I try not to support its use either.. nevermind the fact simple html doesn’t need a specific company to exist for it to work. It just works, and I know that’s a major fail, right?

    at least when granny tells me my link is broke I know it was me (mea culpa) and not some f’tard at some service I was using.

  42. Count me in the camp that says it’s not shorteners per se that are evil, it’s that in 2010 people will still be using long unreadable crap urls.

  43. read this two weeks ago linked off an even better article against tinyurl, but alas I cannot find the first article.. but here is the source he quoted – (hey look I don’t need tinyurl). I was researching tinyurl to try and find why people use the damn things. Turns out nobody told me of the twitter useage until this article.

    so I consider twitter kinda broke. hope they fix it, and so when is boing boing gonna ban tinyurl? I have already seen many varied and interesting links in the comment threads and to a lesser degree in the main posts that I just don’t check out ’cause I am a tinyurl ludite.

  44. The original piece by joshua schachter is about a world where email clients (and he forgets to mention mailing list software) don’t clip lines, and further says that he’s focusing on phones with “a proper client” that doesn’t have the 140-character problem. This is in his first paragraph.

    Okay, maybe in that world tinyurl is unnecessary.

    “But the biggest burden falls on the clicker, the person who follows the links. The extra layer of indirection slows down browsing with additional DNS lookups and server hits.” If that’s the biggest burden, I’ve never been able to perceive the delay. Compare, oh say, fetching the main bOINGbOING page.

    Still the article gives some good suggestions.

    With regard to Kotke’s suggestion, if the twitterer can’t fit the whole link into the original txt, how is a shortening service on twitter itself going to help?

  45. TinyURL was intended from the beginning as a convenience to enable the e-mailing of long URLs that were essentially, “Hey looky what I found!”, one-time throwaways. It was never intended for you to run your whole site through its URL shortening service. Ultra-long URLs predate Twitter and basically all this fuss is about a service that is not prepared to deal with long messages of any kind.

  46. If you use a shortened URL in a comment, I have to hand check it. That can significantly increase the time that it takes for your anonymous comment to be approved.

    1. Also, if you do a Google image search, just click Remove Frame to peel several hundred characters off the URL.

  47. the real solution is to make the pie lower. The world wide web should be ghettoized into national grids and whole blocks of unsuitable data removed. This would make it smaller and more efficient and easier for our rulers to make sure we didn’t have inappropriate thoughts or improper conversations with anyone outside our country. Why, I bet we could get any URL down to three characters!

  48. Holy cow, this group must have a lot of sharp axes by now.

    If you don’t like services that shorten URLs, don’t use them. The internet is a system where free market theories of supply and demand work surprisingly well. There is clearly a demand for this type of service, and a number of different companies/organizations have stepped up to the plate. If quality of service from one of them degrades (censorship, ads, booger monsters leaping from the keyboard), then users will simply switch to a different service. It has been pointed out that there are a ton of work-arounds for some of the applications of shortened URLs, but clearly the users of these services feel that those work-arounds are not sufficient or they’d be using them. Until the user’s needs are addressed in another way, they’ll continue to use these services. If you want people to stop using them, develop a cheaper, easier to use alternative.

  49. Personally, I think they should just add a URL field to Twitter that doesn’t count as part of the 140 characters.

    Right now, Twitter is a really stupid way to propagate URLs, precisely because of this problem.

  50. I dislike them because people keep saying “Hey, this is cool! Look at this! (shortened link)”

    And I can’t tell by looking at the shortened link that it’s the same video of a cat falling comedically into a combine harvester that the last twelve people pointed me to.

  51. @61 Antinous/Moderator

    My wife suggested that moderators would have to do just that, and probably did. Once again she’s right – good to know ;)

    @65 Scuba SM

    “If you don’t like services that shorten URLs, don’t use them… ..There is clearly a demand for this type of service..”

    There is demand for many things. It doesn’t mean it makes sense or that society should let it happen.

    free market can be used as a reason to let too much happen. and we aren’t in a true free market anyways.

  52. Summer @ #40 – it’s probably a default setting, and I’m certainly able to keep my computer safe *without* ZA blocking tinyurls, but I almost never come across them, so it’s no biggie. Plus, it’s possible your friends are much more mature than mine when it comes to rickrolling ;)

  53. URL shortener apologists (“you’re just hand-wringing, I only use these for throwaway links, people who use tinyURL are fully aware of the side effects etc.”) are completely missing the security aspect.

    If you didn’t see the pwn2own headlines a week ago, here’s a not-really-news flash: drive-by browser vulnerabilities are common in all the major browsers (OS X + Safari/Firefox expecially vulnerable) and not going away anytime soon, because browsers are hugely complex code bases.

    Yes, that means the link to the cute animal my mom just sent me could very well be to an image splog filled with scraped images of cute animals that will entertain me while my machine is taken over. TinyURL and all these shorteners, because they break the web and don’t let you see where you’re going before you’re there, make the problem a ton worse.

    I’m not saying there’s zero place for URL shortening and aliasing, but URL obscuring by default — and by (mis-) design — by twitter or the new digg bar is really bad, and it’s a criminal’s wet dream because these social link sharing services are already one of their favorite ways of getting traffic to their trap-laden sites.

    So many of us Mac and Linux users have been lulled into complacency just because malware artists haven’t wanted to target us … but any security researcher will tell you that OS X is pretty weak, with a bunch of ports open/services listening and allow-by-default behaviors, and really easy privilege escalation compared to a typical Linux/BSD install. Of course there haven’t been any widespread infections — but to anybody who knows computer security it’s like New Orleans below sea level, something like Katrina is bound to happen sometime soon. If you ask me, bad URLs and browser exploits could easily become the successor to the Word/Excel macro virus plagues of the ’90s … benign-looking documents spread by email with a nasty payload.

    Unless you really want a world where you have to clean malware off your dumber relations’ computers again, where browsers all have to implement “Allow untrusted 301 redirects?” options and URL white/blacklist band-aids, maybe it’s just better to not use something that’s obviously bad, breaks the web, and provides minimal utility at best? If my parents can figure out they just need to hit the backspace key to delete a line break out of a line-wrapped URL in their email, anybody can.

    Twitter can fix their service to allow tweets of >140 characters when they contain URLs (maybe just display the first X characters since the URL’s in the href) — it’s 2009 and it’s not like they have a char(140) table on a mainframe somewhere.

  54. I used to think that shortened URLs suck before I checked out bit.ly . bit.ly keeps a stats page that shows you how many people clicked on your URL over time and where the clicks are coming from.

    From this, you can also see that you are leaking information to the URL shorteners by volunteering them as a proxy. The shortening itself doesn’t add much value, unless you need to read out the URL, your broken mail client breaks on long URLs or you are trying to stuff something into 140 chars but the added statistics are a worthwhile trade.

    Now, don’t get me started on URL shorteners with long domain names…

  55. URL shortners are here to say, the good ones. Snipurl.com (or sn.im) was and is the best service since 2001. It lets me offer a descriptive nickname, has a preview (peek) feature, and by default provides the domain name in brackets when I copy the URL. It has many such best practices that the recent me-too websites don’t have a clue about. Meanwhile the Delicious guy seems not to know much about why people use URL shortners to begin with.

  56. JH, how am I supposed to know whether a given full-length URL is safe or not? I don’t do much analysis of a URL before I click on it, especially if it contains some unparsable-by-ordinary-mortals database codes things. Even an innocent-looking URL might contain a re-direct to something less innocuous. In this case is it functionally any different from a shortened URL where I can’t see the destination?

    In practice, I assume certain levels of trust. A shortened URL printed in ink on paper, I’ll trust. A URL in a tweet from Stephen Fry, I’ll trust. A URL in a tweet from some random stranger, whether it’s long or short, not so much.

    1. how am I supposed to know whether a given full-length URL is safe or not?

      Safe entities like Google or the New York Times can still kick up long search-based URLs, especially for people who don’t know that you can lop off a hundred characters and get the same result.

  57. Kaneda Jones,

    I think the internet services market is very much a free market. There is little to no regulation (by design, and yes, it is a good thing. I’d recommend “The Future of the Internet and How to Stop It” by Jonathan Zittrain.), the costs of entry for a new producer are very small, the population of potential consumers is huge, and frequently there is little to no cost for the consumer to try something.

    One of the things that’s made the Internet so successful is that there isn’t some regulatory agency that decides whether each new service or product is a Good Thing or a Bad Thing. The users themselves decide what’s good and what’s bad by either using it or not.

    As for the argument that shortening URLs is bad for archiving, and we shouldn’t use it because it’ll mess up the whole archiving system if the shortening service goes down… Well, that reason could be used against a lot of services. For example, we shouldn’t use Flickr, because they might close their doors at anytime, or put all the pictures behind a paywall, and then no one will be able to see all that work. Or, we shouldn’t post comments on BoingBoing because they might shut off comments without warning, and delete everything we’ve written without archiving it. Or, you shouldn’t use LiveJournal because they were just bought by a Russian company that cut the American staff substantially, and they might be closing soon, and we’ll all loose everything that’s ever been written on LJ. One of the things that makes the net so useful also encapsulates a basic risk of using it. It’s a dynamic system. You will have sites that are no longer maintained, services that are discontinued, or formats that are shunned by the users. Each time, if you aren’t prepared, you’re going to loose a little data. URL shortening isn’t any different.

    As for the security aspect, I am aware that a variety of exploits were demonstrated recently. However, none of them explicitly relied on URL shortening to work. The risk that shortened URLs seem to pose is one of social engineering. I don’t think shortened URLs are going to lead to more malware on my non-tech savvy friend’s computers than they get already. The fact is, that group of people isn’t going to hover over an inline link to see the URL before they click, and even if they do, their judgment probably isn’t up to your standards when it comes to deciding Good from Bad. If you’re worried about not being able to preview the link yourself, express your concern to your friends, and point out services that allow link-previewing (hey, it’s that demand thing again… if previewing becomes a make-or-break feature of shortened URLs, everyone else is more likely to incorporate it.).

    There are few basic rules of personal computing that everyone should be following, and if they are followed, shortened URLs are a non-issue.
    1. Don’t click on links that are not from a trusted source.
    2. Don’t click on links from trusted sources that are unexpected or unusual in delivery. (Why is my boss sending me a link to fluffy kittens?)
    3. If it’s important to you, back it up. This is the rule that is most often forgotten in all of it’s forms. If a site matters to you, don’t bookmark the tweet that sent you there; bookmark the site itself. If you’re worried about the site going away, archive it to the machine. If you’re worried about your blog company vanishing, export all your posts to your local machine. And for pete sakes, don’t use Flickr as your only photo storage.
    4. Keep your software up to date. Patch your browsers and your OS, update your anti-virus and your anti-spyware, and keep your machine behind an up to date firewall.

    I think this is all more or less a non issue (despite the fact that I’ve spent so much time writing about it). You’re not going to make shortened URLs go away. You can, however, work on making them better, and eliminating the flaws you see.

  58. WHO came up with this 140-character limit? What group vetted this idea and decided it was a wise move? Where are the RFC’s archived?

    If the answer is ‘The Telcos’ the reply is “There they go again.’ Unless, of course, you favor the tinker-toy-ization of the network. Else yes, this trend needs squashing.

  59. @73 – JH –
    Not to start a security debate here,
    “…but any security researcher will tell you that OS X is pretty weak, with a bunch of ports open/services listening and allow-by-default behaviors, and really easy privilege escalation compared to a typical Linux/BSD install.”
    but your statement is just not true. Out-of-the-box, the only network ‘service’ that is turned on by default on a Mac is BonJour, and that’s all. Even the esteemed security egotist and mercenary, Charlie Miller, wasn’t able to ‘get root’ on the Mac that he p0wned with his year old Safari vulnerability because that would have “required additional vulnerabilities”.

  60. This post made me wonder if there is a tinyEarl.com – there is – but it is not being put to good use, and as usual, whenever I invent a pun and Google it I find 500 others had the idea already.

  61. 81 comments in an no one has mentioned http://lnk.nu?

    It puts the destination domain name into the smaller-a-fied link and keeps the file extension when applicable. So you gain a key bit of information without having to inspect anything.

    It’s not perfect, but it’s far better than a solution that completely obfuscates the url.

  62. Is there URL shortening software that can be installed locally and lets visitors create shorter versions of URLs on my website, and only my website? For instance, if BoingBoing had it installed, it would let me create http://www.boingboing.net/urlshorteners which would point to http://www.boingboing.net/2009/04/04/why-url-shorteners-s.html – but it wouldn’t let me point to anything but a boingboing.net url.

    If websites offered this, it would be safer and more reliable than the existing URL shorteners, but I haven’t found any software like this yet.

  63. Imagine, if you will, what would happen if someone hacked into the tinyurl database and randomly scrambled it. Or replaced all the redirects with one to ‘2 girls, 1 cup’.

  64. I didn’t agree. Then Tweetburner went down, and now nobody can click through to my link.

  65. shouldn’t you just not click on random links from random people? I only click through on trusted sources links… URL shorteners are fine by me.

  66. have your cake and eat it to, the convenience of short links but with the safety of knowing you’re never going to get rick rolled or short spammed again. http://www.expandmyurl.com expands shortURLs and has a one click in page short url expansion bookmarklet that lets you preview short urls which ever page you are browsing.

  67. url shortener by itself is a good concept and it does address some problems. However adding framing to url shortener defeats all the purpose, even if it gives you additional features like statistics. I use a plain vanilla shortener at http://url360.me

  68. http://safe.mn/ let people create safe short links. All URLs are checked for viruses, malware, XSS, questionable content, etc. Any potentially harmful links gives a warning to the user (see http://safe.mn/2) instead of redirecting them transparently. This is done to protect the visitors.

    The list of all shortened URLs can also be downladed through FTP, so no worries about the viability of the service.

  69. Spam can be an issue, but the benefit of a short URL outweighs the downside IMHO.

    We think our service http://zi.pe brings a lot of value into the short URL market.

    We not only shorten links, but also text, email addresses, and a photo upload.

    People get a bad taste in their mouths for short url services because they are still using the original old school ones that have little to no value.

  70. After trying to use several popular URL shorteners, I decided to make my own. It is fast and clean, with simple stats — http://go2.st

    Feel free to suggest new features and improvements (twitter: @haqu)

  71. I used a Firefox add on called Puny Url and it wrecked my site in Google because it was using 302 redirects instead of 301.

Comments are closed.