Research and Development

URL shorteners are a main-stay of Internet use these days, helping users to cut down unsightly long URLs to concise links that can be easily shared. Social media has helped to fuel the popularity of the various services available, but how do you know if you can trust the link you’re clicking? I’ve always been wary of shortened links and decided I’d take a look at how you can check what it is you’re actually clicking on.

It’s worth noting that there are numerous browser extensions that will attempt to lengthen short URLs in-situ. While this is probably works well most of the time, it could be open to exploitation (if the extension is coded badly) or subversion. One piece of functionality I’ve seen in such an extension was to replace the link with the meta data title for the page. This doesn’t really help if the link leads you to a convincing looking phishing site, complete with fake meta-data.

I’ve picked out a sample of what seem to be the most popular shortening services. They are (in no particular order):

  • bit.ly
  • tinyurl.com
  • goo.gl
  • is.gd
  • tiny.cc
  • ow.ly

I’ve come up with this list as a result of a quick search and those I’ve had previous experience with. There are a couple of notable exclusions from the list such as t.co and fb.me, the services run by Twitter and Facebook respectively. I’ve excluded these (as well as others) as they’re only used by themselves.

Twitter’s shortener, t.co, is only accessible when using twitter it seems and doesn’t provide any kind of dedicated front-end to view information for a given link. It does however replace some of the text in-line and provides the original URL in the link title which you can see by hovering over the URL.
Facebook’s version seems a little… undocumented. I couldn’t find a great deal of information on it other than it seems to be used largely for mobile users and (from what little I checked) is only used for linking back to Facebook. One feature I did find however was that it can be used to link to any Facebook page given its alias. For example, fb.me/PortcullisCSL.

I’ve also only chosen services which are free to use and for obvious reasons I’m excluding any that you can create using your own domain (Coke has one for example – cokeurl.com).

For this post, we’re going to use https://labs.portcullis.co.uk as our long URL to put through the shorteners.

Here’s a list of how our shortened links come out and the associated ways of previewing the actual destination:

Service Short link Preview link
bit.ly http://bit.ly/2cx5kA http://bit.ly/2cx5kA+
tinyurl.com http://tinyurl.com/nt79ln4 http://preview.tinyurl.com/nt79ln4
goo.gl http://goo.gl/cgc0Wb http://goo.gl/#analytics/goo.gl/cgc0Wb/all_time
is.gd http://is.gd/ObGfiX http://is.gd/ObGfiX-
tiny.cc http://tiny.cc/43z67w http://tiny.cc/43z67w~
ow.ly http://ow.ly/rObWZ Couldn’t find a way to expand the URL.

In summary; bit.ly, is.gd and tiny.cc all have nice simple ways of taking a look, you just have to add a character onto the end (providing you pick the right one). Google’s service seems like the most complicated requiring the knowledge of the correct runes, and I couldn’t find a way to preview ow.ly.

When writing this post, I was pointed at a bit of quick Perl that Tim wrote a little while ago to assist in a test which will follow a short link and print out each redirect it encounters along the way. This is particularly useful if your chosen link leads you to yet another URL shortener service.

#!/usr/bin/perl

use strict;
use LWP;

my $url;
my $redirectflag;
my $httphandle;
my $requesthandle;
my $responsehandle;

sub usage {
        die "usage: " . basename($0) . " ";
}

if (@ARGV != 1) {
        usage();
}
$url = shift;
$httphandle = LWP::UserAgent->new(max_redirect => 0);
$httphandle->agent("Mozilla/5.0 (compatible; resolveurl.pl 0.1)");
$redirectflag = 1;
while ($redirectflag == 1) {
        $redirectflag = 0;
        $requesthandle = HTTP::Request->new(HEAD => $url);
        $responsehandle = $httphandle->request($requesthandle);
        if ($responsehandle->is_redirect) {
                $url = $responsehandle->header("location");
                print $url . "\n";
                $redirectflag = 1;
        }
}

Lastly, I’ve decided to make a quick mention of adf.ly which was pointed out to me by a colleague. This is a service for presenting ads before sending users onto the end URL. From a quick look, there didn’t appear any way in which to preview the URL you were being sent to. Given that following one of their links will present you with a third party ad could have its own implications. But that’s for another post.


Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)