
That’s completely the opposite of reality. The whole point of link shortening on a social network is to improve security and reduce abuse.



How so? By shortening the link, you're hiding where the link goes to. bit.ly/12345 could go to amazon.com or big-scam-with-a-virus.com, and until you click on it you'd never know.


With bit.ly specifically, add a "+" at the end of the url to see what it points to. It also shows you some stats like creation date and number of clicks over time.

https://bit.ly/19y8wyr+


I also didn't know about that, so thanks. But - how on Earth was I to know? How are all my non-tech friends to figure it out?


> But - how on Earth was I to know?

From a Don Norman design-of-everyday-things perspective, the design is completely non-discoverable: https://en.wikipedia.org/wiki/Affordance#As_perceived_action...


What does that matter? Once they've clicked they'll see the URL in the location bar.


It's useful to know the domain of the link before you click because some people might not want to navigate to unknown sites at work, or at least don't want to navigate to certain sites at work (Facebook, Instagram, YouTube, pornhub, etc, etc.)


It also works for goo.gl links. [0]

Also note that a ".info" suffix might sometimes be easier to type. [1][2]

Too bad most URL shorteners don't support them. :(

[0]: http://goo.gl/vulnz+

[1]: https://bitly.com/19y8wyr.info

[2]: http://goo.gl/vulnz.info


Fun fact: Google is shutting down their shortener.

https://developers.googleblog.com/2018/03/transitioning-goog...


This is an awesome thing I will never remember to use.


TIL. Thank you.


Once the link shortening service knows it's a scam, they can redirect you to a "saved you from being scammed" page.

(although evidence of this happening in practice hasn't crossed my radar, but it's probably because I just don't click those links in the first place)


You don't need a link shortening service for that. The website and API can just start changing the URL it includes in the tweet if it determines the original URL is a scam.


They can redirect you anywhere. They can also rewrite anything in the URL, like add affiliate IDs or whatever. I'm sure some of them do that, because why not.


> The whole point of link shortening on a social network is to improve security and reduce abuse.

How does link shortening do that?


See this great post by Matt Jones (from FB antispam/security team) about Facebook's link shortener https://www.facebook.com/notes/facebook-security/link-shim-p...


That's a decent point about email, but there is nothing they're doing on the website that couldn't be done without a link shortener. And even within the context of email it doesn't really make sense, because email clients can just do the same thing without rewriting the URL.


How would you show an interstitial without rewriting the url?


Every time a link is clicked, send an event to the server with the URL so that it can be tracked. If the URL is already known to be malicious when the page is generated, either don't include the URL or use JavaScript to intercept the click event and display the interstitial. If links need to be checked for validity at the moment the user clicks them, then just wait for the 200 response and do the same thing; the performance would be identical either way.


And you think running that type of JS on the page is more secure than a simple redirect? What benefit do we get by adding all of this complexity?

Also -- anyone who views a copy/pasted version of this content won't get this protection.


> And you think running that type of JS on the page is more secure than a simple redirect?

It's not more secure, but it's not less secure and it doesn't break the web. It also shouldn't add an appreciable amount of complexity, given that most of the heavy lifting to sanitize, parse, and format UGC content already happens on the server. E.g. if you're already turning UGC snippets into an AST on the server so that you can cleanly syndicate them in different formats, having the AST generate some JS around URLs isn't a big lift.


Requiring JS for your security features to work adds more attack surface area, but yes, it can be mitigated. But so much extra complexity!

I still don’t understand why you think url shorteners break the web.


> I still don’t understand why you think url shorteners break the web.

How do you know where the links resolve to once FB goes out of business?

Given the fact that there are still lots of people whose entire job is translating 6,000-year-old grocery receipts from Sumeria, it's not at all unlikely that tweets being written today will still be widely studied and considered important 10,000 years from now. But those short links are unlikely to resolve for even the next 20 years.

Also, adding JS should no longer add more attack surface now that we have things like subresource integrity in addition to CSPs.


onclick handler and event.preventDefault


Replacing links with onclick handlers breaks "open in new tab".


You can use window.open to simulate that. If you're fb, you're probably already whitelisted in the popup blocker.

Though I agree it's not ideal.
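The sub-thread above (intercept the click with JavaScript, `preventDefault`, fall back to `window.open` so "open in new tab" keeps working) can be made concrete. The following is an added example, not code from any commenter or from Facebook: a delegated click handler that leaves `href` untouched, so plain links, middle-clicks and modifier-clicks behave normally, and only steps in for hosts on a blocklist. The blocklist, the `/warn` interstitial path and the `.example` hostnames are constructed for the example; a real deployment would feed the list from its anti-abuse pipeline.

```javascript
// Added example: click interception that preserves "open in new tab".
// BLOCKED_HOSTS is a constructed sample list, not a real feed.
const BLOCKED_HOSTS = new Set(["big-scam-with-a-virus.example", "phish.example"]);

// Hostname of an absolute http(s) URL, or null for anything else
// (relative links, javascript:, mailto:, unparsable strings).
function hostOf(href) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname.toLowerCase();
}

// Where the warning page lives (hypothetical path); the original target is
// carried as a query parameter so the interstitial can show and, if the user
// insists, forward to it.
function interstitialUrl(href) {
  return "/warn?u=" + encodeURIComponent(href);
}

// Decide what a click should do. `ev` only needs the fields read here, so a
// plain object works in tests. Returns one of:
//   "navigate"            let the browser handle it (href is intact)
//   "interstitial"        preventDefault and go to the warning page in this tab
//   "interstitial-newtab" preventDefault and open the warning page in a new tab
function classifyClick(ev, href, blocked = BLOCKED_HOSTS) {
  const host = hostOf(href);
  if (host === null || !blocked.has(host)) {
    return "navigate"; // the common case: nothing is rewritten or swallowed
  }
  const newTabGesture =
    ev.button !== 0 || ev.ctrlKey || ev.metaKey || ev.shiftKey || ev.altKey;
  return newTabGesture ? "interstitial-newtab" : "interstitial";
}

// Wire a single listener on a root element (event delegation). "auxclick"
// covers middle-click, which does not fire "click" in current browsers.
function installLinkInterceptor(root, blocked = BLOCKED_HOSTS) {
  const handler = (ev) => {
    const a = ev.target && ev.target.closest ? ev.target.closest("a[href]") : null;
    if (!a) return;
    const action = classifyClick(ev, a.href, blocked);
    if (action === "navigate") return;
    ev.preventDefault();
    const warn = interstitialUrl(a.href);
    if (action === "interstitial-newtab") {
      // window.open from a click handler is a user-initiated popup, so it is
      // normally allowed; "noopener" keeps the new tab from reaching back.
      window.open(warn, "_blank", "noopener");
    } else {
      window.location.assign(warn);
    }
  };
  root.addEventListener("click", handler);
  root.addEventListener("auxclick", handler);
}

// Only touch the DOM when there is one (the logic above is testable without it).
if (typeof document !== "undefined") {
  installLinkInterceptor(document);
}
```

Because the anchor's `href` is never rewritten, copy/paste, "Copy link address" and archived copies of the page keep the real URL (the objection raised earlier about copied content not getting the protection still applies: the protection lives in the page's script, not in the link).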


I'd like to read this but I have facebook blackholed and refuse to change that. Do you have another link?



TL;DR: clicking on their shortener can trigger just-in-time malware scan; they can retroactively block links already sent to people; they can strip away the Referer; they can inject their own analytics.
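To make the TL;DR above concrete, here is an added example of the server side of such a shim. It is not Facebook's code and not derived from the linked post; it is a plain Node.js handler written as a pure function so the behaviour can be checked without a running server. The `/l?u=<url>` path, the blocklist, the click log and the `.example` hostnames are constructed for the example.

```javascript
// Added example: the core of a link-shim redirect endpoint (hypothetical).
// Known-bad hosts get an interstitial instead of a redirect; everything else
// gets a 302. BLOCKED_HOSTS is a constructed sample list.
const BLOCKED_HOSTS = new Set(["big-scam-with-a-virus.example"]);

// Accept only absolute http(s) targets, so the shim cannot be used to bounce
// visitors to javascript:, data: or other schemes.
function parseTarget(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  return (u.protocol === "http:" || u.protocol === "https:") ? u : null;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Build the response for query parameters {u: "<target url>"}.
// Returns {status, headers, body}. `log` stands in for the analytics sink.
function shimResponse(query, blocked = BLOCKED_HOSTS, log = []) {
  const target = parseTarget(query.u || "");
  if (target === null) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad target" };
  }
  // Own analytics: the click is recorded here, not by the destination.
  log.push({ host: target.hostname, at: Date.now() });

  if (blocked.has(target.hostname)) {
    // Retroactive block: links already shared still pass through here,
    // so a host added to the list later is caught at click time.
    return {
      status: 200,
      headers: { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store" },
      body: `<p>This link was reported as unsafe: ${escapeHtml(target.href)}</p>`,
    };
  }
  return {
    status: 302, // temporary, and no-store, so a later block is not bypassed by a cached redirect
    headers: {
      Location: target.href,
      // Referrer-Policy on a redirect response applies to the redirected request,
      // so the destination does not learn which page the link was clicked on.
      "Referrer-Policy": "no-referrer",
      "Cache-Control": "no-store",
    },
    body: "",
  };
}

// Optional stand-alone server: LINK_SHIM_PORT=8080 node shim.js
if (typeof process !== "undefined" && process.env.LINK_SHIM_PORT) {
  const http = require("node:http");
  http.createServer((req, res) => {
    const url = new URL(req.url, "http://localhost");
    const r = shimResponse({ u: url.searchParams.get("u") || "" });
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(Number(process.env.LINK_SHIM_PORT));
}
```

The just-in-time scan from the TL;DR would sit where the blocklist lookup is: because every click passes through the same endpoint, the check can be as fresh as the reputation data at the moment of the click, which a static link in a message can never be.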


That sounds like the same authoritarian justification for hiding URLs in browsers and such --- "we'll tell you if it's safe, you don't need to know"...


It's not like you can't see the original URL and manually skip the redirect if you wanted to. It's just that most users won't do that which limits the ROI of spam and phishing campaigns.


Link shortening makes it easier to brute force.

Shortened links become trackable by a third-party (less secure), obfuscate the real URL (less secure), and can be brute forced easier: https://www.schneier.com/blog/archives/2016/04/security_risk...


The point of link shortening was to allow links within the constraint of 140 characters.



