How to tell if a shortened link is secure in 2018
If you hang out a lot on social media sites such as Twitter or Facebook, you have encountered countless links that were shortened.
That means that proxy links get posted on these sites which do nothing but redirect you to the real site when you click on them.
While that may make sense on Twitter with its artificial 140 character limit, it is a dangerous habit that has no real advantage other than reducing the number of characters displayed on the screen.
The danger lies in the fact that you don't know where a link leads you. A link like http://bit.ly/1pHtsqW reveals nothing about its destination and with that comes the danger that you get tricked into loading dangerous sites on the Internet.
Update: Firefox 57+ users may download and install Unshorten.link. The extension is compatible with Firefox 57 and newer, and expands and analyzes links automatically when you activate them.
Maybe you get redirected to a phishing website, a drive by download page, or a site that tries to attack you or your computer in other ways.
You can prepare your system for that to some extent. Security software, for example, may protect you from many dangers, but there is never 100% protection against all threats.
The source
You can use the source as an indicator. Who posted the link? Is it a trustworthy friend, a company or an individual that you don't know at all or barely?
While that may help you most of the time, it should not be used exclusively to assess the potential danger of a shortened link.
A friend may send you a link that you don't want to visit for example. This does not necessarily have to be a security issue. Maybe you don't want to be rickrolled again, or hate it when friends send you "2 girls one cup" like videos.
Then there is also the possibility of hacked accounts. If a friend's account has been hacked, malicious links may be pushed by the attacker to all followers or friends.
Revealing the link target
The best option that you have is to reveal the target of the shortened link. While it is usually possible to visit the website of the URL shortener service and enter the short version manually to reveal the link target, it is not practical.
That's where tools that do this for you come into play. A search for Chrome extensions and Firefox add-ons produces a surprising result. While there are a handful of extensions available for Chrome that reveal shortened link targets automatically, there is not a single one available for Firefox that works.
The majority of add-ons for Firefox that reveal links date back to 2012 and earlier, and not a single one of them works.
Side note: There is still the possibility that an add-on exists for the browser but I was not able to find it on the official website. If you know of one that works, let me know in the comments.
Chrome users can select LinkPeelr for example which reveals link targets on hover. It supports a wide variety of services including t.co, bit.ly, is.gd or ow.ly to name a few.
So what can Firefox users use instead?
Firefox users can use a service like LongUrl instead. It is a web service that you can paste shortened links into to reveal their destination.
It is not nearly as comfortable as hovering the mouse over links but it is better than not being able to reveal a link destination at all.
The service maintained a Firefox add-on once but it has not been updated since 2009 and won't work in recent versions of the browser. The userscript too is not working correctly anymore.
An alternative to that is Unshorten which reveals the link target and displays Web of Trust ratings and whether hpHosts has blacklisted the url on the results page.
Now You: How do you handle shortened links?
Here’s another site for url expansion: http://urluncoverpro.com/
They also have browser addons and mobile browsing support.
In Firefox, I have Cool Previews… you hover over links and they open in a non-browser window.
I use the Unshorten.it add-on in Firefox, available here (also for Chrome) http://www.unshorten.it/browser-extensions
It adds a link to the right-click context menu and opens a new tab with details of the destination, ratings etc.
Just found this, Martin – https://addons.mozilla.org/en-US/firefox/addon/security-plus/
Will check, thanks!
https://addons.mozilla.org/en-US/firefox/addon/clean-links/
Link Peelr doesn’t work on Twitter. I believe it is because they convert all links short or long to their own link shortener. So it’s getting shortened twice.
Not to mention shortened shortened links. I’ve even seen once a shortened shortened shortened link : before arriving to destination your journey was spotted three times. Nice tracking even if the destination is healthy.
Usually, shortened links posted on social media also show a preview so you can easily spot the website and then you’re pretty much able to tell if it’s a known website or some obscure one.
Other than that, if you really have to open shortened links, let’s say having a friend that sends one (we all have those), opening it in a browser previously opened in Sandboxie, is also a good idea. Or, having the link scanned on Virus Total.
Of course, before any of those, unshortening the link is the easiest and should be the first thing to do, probably.
I browse with Sandboxie and don’t much mind where links take me anymore.
How is that working out for you since Tzuk left the building?
Been meaning to follow up and see if the new owners have f’ed it up yet.
Perhaps Martin could revisit an ol’ fav to see how it fares under the new leadership?
So far so good, surprisingly enough. Fairly regular updates, and all continues to work well. Of course the new owners may have inserted a back door for their own nefarious purposes and I’m now surfing with a false sense of security . . . . ;)
In Firefox, I use the “URL X-ray bookmarklet”. Just Google for it.
But how can you be sure a bookmarklet is safe?
I use it too :) I love it because it’s a bookmarklet and not an addon that can spy and use ram and cpu continuously.
My invariable policy is to never click on short links no matter where they may lead. Life is so full of other interesting things to do and to read, that mysterious unknowns can be rejected out of hand. I also immediately depart from websites that want to set cookies in my browser. This is my PC, where P=Personal. It is not available to be written upon or manipulated outside my personal control. If you click on links that take you to places you know not, you have a problem with your self-control being overwhelmed by your insatiable curiosity in the face of danger. If you crave adventure, click on Random Article in Wikipedia. It’s a lot safer, and sufficiently serendipitous.
The point is that you wrote, ” I also immediately depart from websites that want to set cookies in my browser. ”
ghacks, like every website, does want to set cookies in your browser. Quite harmlessly, too. Whether you decide to block your browser from accepting cookies is another matter entirely.
Name one website that does NOT “set cookies in your browser”?
Why are you on ghacks? It sets cookies, too!
I LOVE techno-illiterates bloviating, I really do.
“I LOVE techno-illiterates bloviating, I really do.”
heh.
Dear Ronald,
Although I got into computers in the 1950’s, and made my living at them in the 1960’s, I guess there’s always more for me to learn. For example, my browser setting for accepting cookies is not checked, and the browser does not now show any Ghacks cookies as being present. What am I missing here, Dear Teacher?
If Ghacks required setting a cookie to access its quality content, I would put Ghacks on my list of exceptions voluntarily. Martin, Is this intemperate, dyspeptic Ronald fellow correct that you try to set cookies?
GPB
Ghacks does not require cookies to be accessed. The commenting plugin sets cookies so that you can edit them, and there is Google Adsense which sets cookies as well. None are required to access the contents though.
I use TinyURLs preview link so people know where they are going before actually getting there.
I very rarely use social media, so I don’t have this problem. However I found this script: https://greasyfork.org/en/scripts/5359-url-shortener-unshortener
I tried on twitter and works fine.
There used to be a great script that revealed the destination URL upon hovering over the shortened version. I’m sure there’s been a replacement (or multiple, as is the case with these things) but I’ve found myself not bothering to read any post with a shortened URL these days, no matter if it was posted by someone I trust or not.
Thanks for the tip. I installed and it works fine.
Yep, count me as another satisfied user of the “URL Shortener Unshortener” script for Greasemonkey.
A custom add-on I made for myself on Waterfox then later PaleMoon quite a while ago.
Based it off the Long URL Please add-on.
Can you share this addon with us?
– Pale Moon 25.1.0 and FF 34
– Ubuntu Linux 12.04 (32-bit)
To unshorten a link (which I do quasi systematically) I use LongURL (http://longurl.org/) and feed it with the url via LongURL as a Firefox search engine.
To shorten a link, TinyURL (http://tinyurl.com/ ) with always the preview option (preview.tinyurl.com/xxx) as a commitment to security and respect for the user.
For Google Maps I make an exception for goo.gl in my Hosts file when basically this shortener is blacklisted.
It’s now 12 Nov. 2016, 1:57 a.m., and the longurl.org website either no longer exists or is just not loading for a reason such as server administration. I’ve tried it a few times over the past hour or more and the server isn’t found. I’ve tried to go to websites that occasionally wouldn’t load, their servers not be found, and I recall, vaguely but pretty surely, having gone to a few websites that had some server or servers down for admin. work, but a message was still provided to inform the visitor of the reason for getting nothing more service and how long it was expected for the service to be unavailable. Some of those messages said 2 hours and it wasn’t at this time of night. It was around 6 a.m.
Since I’m getting no such message for longurl.org, I’m assuming that it has ceased.