A Rant about URL Shortening

2010 January 24
by Michael Thaler

I’m a fan of Twitter. It’s certainly wormed its way into all of our hearts over the year 2009, becoming bizarrely ubiquitous in our media and in our minds. But despite whatever it may mean for democracy, communication, location-awareness or real-time trend monitoring, it brought with it a horrid curse upon the Web that endangers all of its users.

That curse is URL shortening. And yes, it did exist before Twitter, but Twitter both limits how much its users can post and depends on those users sharing content with each other, often in links–and those URLs can take up a lot of space. The growth of URL shortening has brought with it the growth of URL shortening services, which apparently hope to monetize it.

Leaving aside the issue of how monetizing such a thing can be done, URL shortening is bad from a user’s perspective for the simple reason that if someone shares a link with me, I have no clue where it’s going. If someone just posts “OMG this is awesome”, the shortened URL they post it with could just as easily be a rickroll attempt as it could be an evildoer hijacking their account and sending me to malware. And while I may be running Ubuntu, there’s no way of knowing that there isn’t some kind of zero-day exploit already being used on it (I have no illusions about Ubuntu being perfectly secure, after all).

This isn’t just a security problem–it’s also a usability one. What if I’m playing music and I don’t want to see a YouTube video? What if I’m working and only want to click on a link if I know it’ll be something quick? What if it’s a link to an inflammatory Reddit post that’ll just get me angry and ruin my mood?

Clever users may respond that there are browser extensions and Twitter clients that can solve this problem by showing a preview of the destination. Maybe, but if they don’t show you the URL, do you really think it would be hard for a malware writer to put up a fake display of the site at the destination? If they’re willing to meticulously fake the appearance of a Windows security warning or antivirus program, would it really be hard to put up a fake image of a YouTube page and then switch it out with JavaScript if an actual browser is detected? Admittedly, this would likely have to target specific previewers to fake them out, but it’s a real possibility, and not one that an informed user can ignore.
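One way to see the URL itself rather than a rendered preview, as an added example that is not part of the original post: follow the redirect chain hop by hop with HEAD requests and list every destination before any page body is fetched. The names `expand`, `StubShortener` and `demo`, and the stub's paths, are hypothetical and constructed for illustration.

```python
import http.client
import http.server
import threading
from urllib.parse import urljoin, urlsplit

def expand(url, max_hops=5):
    """Return every URL in the redirect chain, using HEAD so no page body is fetched."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        if parts.scheme not in ("http", "https"):
            break  # list, but never follow, non-HTTP targets
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.netloc, timeout=5)
        try:
            conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # not a redirect: this is the final destination
        target = urljoin(chain[-1], location)  # Location may be relative
        if target in chain:
            break  # redirect loop
        chain.append(target)
    return chain

class StubShortener(http.server.BaseHTTPRequestHandler):
    ROUTES = {"/abc": "/hop", "/hop": "/watch?v=constructed"}  # constructed sample data

    def do_HEAD(self):
        target = self.ROUTES.get(self.path)
        self.send_response(301 if target else 200)
        if target:
            self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    # Serve the stub on a free loopback port and expand its short link offline.
    server = http.server.HTTPServer(("127.0.0.1", 0), StubShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    chain = expand("http://127.0.0.1:%d/abc" % server.server_port)
    server.shutdown()
    server.server_close()
    return [u.split("/", 3)[3] for u in chain]  # drop scheme and host:port

if __name__ == "__main__":
    print(demo())
```

The chain only reflects what the server returned to this client; a server that answers a real browser differently, as the paragraph above describes, can still diverge, so treat the output as the minimum you should know before clicking.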

To avoid subjecting people to this danger, I’ve installed YOURLS (Your Own URL Shortener… clever!) on my own hosting. I don’t intend to let anyone else use it for URL shortening, just me–so you can be reasonably certain that if you see a short URL beginning with perpetualstudent.net/, it came from me and not someone who hijacked my account. Yes, my domain isn’t especially short, but it’s probably short enough for my purposes. YOURLS is a great project, if only because it shows just how little work it takes to make a URL shortener beyond thinking of a clever short domain name. All it takes is a cleverly written .htaccess file, a bit of PHP code and a MySQL database. YOURLS even gives you all the same URL tracking features that the likes of bit.ly do.

So please–if you’re going to use a URL shortening service like bit.ly or u.nu, have the decency to explain in context where those links go and what I’ll get if I click on them. The occasional rickroll won’t kill me, but the last thing I want is to feel paranoid when clicking on links my friends share.

  • http://alexwhite.org Alexander White

    Great post. Thanks for the link to YOURLS… I'll definitely be checking it out. I also agree about the dangers of URL shorteners. Just hope that AVG saves me.

  • http://twitter.com/Celosian Celosian

    Great post. I never click shortened URLs unless they're at least described, but that's just because I don't like being sent to random videos – I hadn't thought much about the security issues.

  • http://twitter.com/samisfiner Sam

    I'd like to note that Something Awful used the URL shortening and hash tag abilities to Goatse over two million people. And yes, I think this is a good thing.

  • Quirijnvanspijkeren

    That, obviously, doesn’t solve anything. How do we know you are to be trusted more than, say…bit.ly…
