Monday, July 20, 2009

Tired of Security Nonsense About URL Shorteners Being Dangerous

Am I the only one who is tired of hearing about the security risks of URL shorteners? As far as I can tell the complaint boils down to:

- When using a shortened URL I can't tell what site I'm visiting before I go there

Which I suppose leads to people thinking:

- If only I knew which site I was going to visit, somehow I could avoid security issues

Who believes this anymore? Except for cases of a site that is clearly NSFW, does anyone really believe that if they see a URL before they click on it they can somehow divine whether it is likely malicious, hosts malware, etc.? I mean, seriously?

I've seen no fewer than 5 blog posts this week about how to unshorten URLs for the popular URL shortening services. Give it a rest already. This isn't a big risk, threat, exposure, or anything else.


kurt wismer said...

"Who believes this anymore? Except for cases of a site that is clear NSFW, does anyone really believe anymore that if they see a URL before they click on it they can somehow divine whether it is likely malicious, has malware, etc? I mean, seriously?"

you're applying a blacklist paradigm, trying to determine if a url points to something bad. the advice about url safety has always been to only go to sites you trust (which is more of a whitelist paradigm).

while it's true that you cannot avoid malicious content 100% by following said advice, it does reduce the risk. url shorteners make it more complex and tedious to follow that advice, however.

while i suppose you could say that in this day and age you should treat the entire web as untrusted (thereby invalidating the advice by shrinking the set of trusted sites to zero), the implication of that is that you should never buy anything online, never do banking online, etc. you may be safer this way, but it's not progress.

the advice about only going to trusted sites isn't a perfect security control, but it's better than nothing.

Anonymous said...

Not to mention URL shorteners hide reflective XSS attacks that otherwise would have been (more) obvious.

Andy Steingruebl said...

Kurt - it isn't that I think people can't sort of whitelist sites, but that would defeat 99% of the links people send to each other. So, mostly the whitelisting advice makes the web useless for the vast majority of people.

On top of that, the advice being pitched about URL shorteners is targeted towards average consumers, who haven't a clue about what sites to visit or not.

On top of that, since studies have shown malware being hosted on a huge number of sites, I think the advice is still silly.

Anon - sure, but is that really the biggest concern? I guess I just don't think so, especially as most of the guidance I see is for average users rather than security experts.

Me - I just ignore all shortened URLs, or open them from a browser that doesn't have any history in it or logged in status that can be abused.

Joshbw said...

I habitually check URLs and oftentimes make judgement calls based on the contents (maybe it is a site I have already been to, maybe it is an obvious NSFW site, and maybe I have never seen a useful site hosted on .cx) - granted it is by no means a scientific process that I employ when doing so.

That said, in that regard URL shorteners are an annoyance. Where the security risk comes in is that there is now a third point of compromise that can be used to distribute malware. Just think if a malware author compromised tinyurl and pointed the entire database of urls at sites with hosted malware. Rather than something like ASPROX which works to compromise thousands of sites and hope people stumble across them this scheme would only need to compromise a single site and guarantees a huge amount of traffic will be exposed to the malware.

Of less utility, the same idea could be used to flood a single target website with millions of unanticipated requests and would make an effective DoS (until the site checked the referrer header and blacklisted tinyurl or similar service).

In essence the presence of what amounts to URL proxies presents another vector to redirect traffic to your desired location, but one that could affect a much larger audience much more easily than something like DNS poisoning.

Andy Steingruebl said...

Joshbw - sure you could compromise tinyurl that way, but I suppose you could compromise the google homepage too and the whole world would be in pretty bad shape too.

I was really thinking of all of the article about unveiling the tinyurl real target though. Those I think are mostly useless.

Additionally, I'm generally a big believer that the problem isn't visiting malicious sites, it's that the platform you're on can get owned. That can happen regardless of how careful you are about what sites you visit to a large extent. This is why I think the whole "be careful what URLs you visit" stuff is really a mask for the underlying problem of fairly weak security in web browsers and platforms.

Maybe that's just me.

Joshbw said...

The comparison of the URL shorteners to Google is off by a wide margin - in the same way that comparing the relative chance of compromising some random DB written by a couple of guys and compromising SQL Server would be well off. Most of the URL shortening services are not, shall we say, the product of professional enterprises that have hard learned security controls in place. Mostly the best hope is that the couple of guys that wrote the system are familiar with OWASP and read through it. In essence the whole movement puts location resolution in the hands of completely untested hands, and if that doesn't strike you as a tad risky, I am not certain what would.

The malware was just an example, btw, and largely I disagree that it is the fault of insecure platforms any more than finding your car robbed in a bad neighborhood is the result of poorly made car windows that can't withstand a blow from a crowbar. The platform itself, any platform, will never be impervious, especially given the fact that people are so bad at patching them (zero day vulnerabilities are hardly the primary vector of attack), which is why layers of security are necessary, including efforts to restrict exposure to malware. That aside, there are a wealth of nefarious utilities in getting someone to hit your website (CSRF and phishing are equally attractive).

That said, I think you're also hasty to discount the utility of a clear URL - essentially the best defense against things like phishing is to breed obsessive awareness of the url into the minds of surfers and while certainly things like the various safe browsing features of browsers help augment that they are in no way bullet proof. The whole obfuscated URL approach goes a long way to countering such a movement, intentionally obscuring awareness of the URL. Yes, a technological solution to phishing would be ideal as then it no longer is prone to human failure (which personally I think will require something a bit more thought out than our current URL scheme), but until the point that is feasible we have education as about our only option.

Andy Steingruebl said...

It is a percentages game. I remain entirely unconvinced that the vast majority of internet users can tell the difference between and

I wasn't focused nearly as much on security experts, but the regular user.

A few other notes.

1. For attacks like CSRF, an img or hidden iframe could be anywhere. If you ever visit anyone's blog on a site like this one, or elsewhere, they could have a CSRF attack against you. Not a whole lot you can do to protect against it.

2. For attacks like viruses and the like, you don't really have any more idea that my blog doesn't have a hidden iframe with lurking exploit than you do if you visit a tinyurl or some other unknown site.

3. An extremely large majority of phishing sites these days don't actually include or mimic the brandowners name in the hostname of the site, but somewhere else in the URL or not at all. They are still fairly effective. Making the URL in question look like a tinyurl or a full hostname or random origin won't really help with this problem. Neither of the URLs matches the one of the brandowner, and that is the lesson that should be taught to users.
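The post mentions the week's crop of "how to unshorten" write-ups, the Anonymous comment points out that a short link can hide a reflected XSS payload, and the comment just above notes that phishing URLs usually carry the brand name somewhere other than the hostname. The following is an added example that does all three in one place; it is not code from the original post or from any shortening service. It assumes a hop limit of 5, HEAD requests, and a deliberately simplified "registered domain" rule (last two hostname labels); the redirect table at the bottom is constructed sample data so the script runs offline.

```python
"""Resolve a shortened URL hop by hop, then inspect what it was hiding.

Added example, not the blog author's code. Assumptions not taken from the
page: MAX_HOPS, HEAD as the probe method, and the two-label owner rule.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumed cap: shorteners pointing at each other must terminate


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface every 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """One real network hop: return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # Because _NoRedirect refuses to follow, a 3xx lands here.
        return err.code, err.headers.get("Location")


def unshorten(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return the redirect chain; element 0 is the short URL itself.

    `fetch` is injectable so the resolver can be exercised without network.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the current hop.
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def registered_domain(hostname):
    """Simplification: last two labels. Real code needs the public suffix list."""
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:])


def inspect_target(url, brands=("paypal",)):
    """Flag a brand name outside the owning domain, and script-like parameters."""
    parts = urlsplit(url)
    owner = registered_domain(parts.hostname or "")
    findings = []
    for brand in brands:
        # Brand string present somewhere (subdomain, path, userinfo) but the
        # part that actually names the site owner does not contain it.
        if brand in url.lower() and brand not in owner:
            findings.append(f"brand '{brand}' outside registered domain {owner}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = value.lower()  # parse_qsl already percent-decodes
        if "<" in decoded or "javascript:" in decoded:
            findings.append(f"script-like content in parameter '{key}'")
    return owner, findings


# Constructed sample redirect table (not real shortener data).
SAMPLE_HOPS = {
    "http://short.example/abc": (301, "http://tiny.example/q"),
    "http://tiny.example/q": (
        302,
        "http://www.paypal.com.login.example/signin"
        "?ref=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    ),
}


def fake_fetch(url):
    """Offline stand-in for http_head driven by SAMPLE_HOPS."""
    return SAMPLE_HOPS.get(url, (200, None))


def demo():
    chain = unshorten("http://short.example/abc", fetch=fake_fetch)
    owner, findings = inspect_target(chain[-1])
    return chain, owner, findings


if __name__ == "__main__":
    chain, owner, findings = demo()
    print(" -> ".join(chain))
    print("owner:", owner)
    for f in findings:
        print("finding:", f)
```

Swapping `fake_fetch` for the default `http_head` turns this into a live resolver; the hop cap is what keeps two shorteners pointing at each other from hanging it, and the owner rule is the piece to replace with a proper public-suffix lookup before trusting the brand check on real hostnames.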

Joshbw said...

Whether the majority of users can or do tell the difference between URLs is fairly immaterial - the fact of the matter is that *trying* to get them to tell the difference is about the only mechanism that actually protects them from phishing. If they are trained to know that they should ONLY enter their paypal credentials on and that they should pay attention to the URL habitually they are far less likely to become victims. Yes, this method ultimately sucks since the user is most often the weak link in security, but as no technological control has offered reasonable protection education remains the most effective solution at this date. URL obfuscation is an entirely contrary effort as the whole idea is to train people not to care about the URL.

I am not talking about tinyURL being used to phish specifically (it certainly could be, but it isn't at all necessary) but rather the general effect of URL obfuscation training people to in general ignore the URL, making phishing with *any* url easier.

Your response to my other points pretty much misses them. Yes, malware/CSRF/etc can be anywhere and going to any site could potentially put me at risk. URL proxying doesn't change that basic fact nor was I arguing that it does. What I was arguing is that URL proxying provides a single point of control over where traffic goes, and if that point of control is compromised (or intentionally abused by the organization that owns it) that is a significant risk, for any number of reasons. Being able to compromise a URL proxy means that you control where millions of users go, and among the potentially lucrative uses of that is to guarantee that traffic is exposed to your malware, or your CSRF attack, or whatever.

To put it in more mathematical terms, from a user perspective -

1) they click on a non-obfuscated link. Their chance of it exposing them to something bad depends on a number of things - whether the site on the other end is either controlled by or compromised by an attacker, whether they have DNS poisoning that will lead them to a controlled or compromised site, and so forth. If the user is astute their chances are lessened by the fact that they can verify that the site is a site they trust.

2) the user clicks on a proxied url. They have equal chance that the end target is controlled or compromised, though they can't visually ensure the target is a site they trust, and they also have an equal chance that their DNS was poisoned or similar, but they also have the chance that the proxy is compromised or controlled by a malicious individual.

So the risk is clearly greater as there are more things that can lead them to malicious content. The degree is debatable, but I personally haven't seen tinyURL or similar service touting their SDL process that is designed to lower their risk, or otherwise evangelizing that they practice good security, so I don't see any reason to assume that they are reasonably secure.

Andy Steingruebl said...

Josh - I guess we'll just have to disagree on how much users are capable of checking out the targets of the links they click.

Disappointingly I don't have any actual user studies to refer to to back up either side of this debate, though I'm hoping to be able to actually sponsor a few to figure out whether any of this matters.

As a practical matter, when we have a limited number of things we can tell a user, and get them to actually understand and do, I find that things like applying patches, keeping your browsers and OS up to date, and running a modern AV package, are actually a lot more manageable for the average user, than trying to get them to understand URLs, what to click on, etc. It's simply a losing battle with a complicated internet with millions of sites, lots of them useful, to try and educate users about what a dangerous link is.

As for url-shrinkers being dangerous from a redirect perspective, again, while I agree that they are a potential point of compromise, teaching users how to understand the link they are clicking rather than fixing or mitigating the underlying problem isn't going to work.

If our defense against malware is to get users to pay close attention to what links they click, we're doomed to failure.
