From: Nicolas Rybkin <nr68020@gmail.com>
To: Yuri Khan <yurivkhan@gmail.com>
Cc: rms@gnu.org, Emacs developers <emacs-devel@gnu.org>
Subject: Re: [ELPA] New package: shorten-url
Date: Sat, 2 Mar 2019 19:05:57 +0300
Message-ID: <CAJAcu-XY0oH_FoBMYsugszgtobnWxLfTimgAA2wxFPyzDpHvXw@mail.gmail.com>
In-Reply-To: <CAP_d_8V3g+9B7UFDcgzSkiDUrmkE9uH6Dynt2E1QLOerJJ1x9A@mail.gmail.com>
https://clck.ru/FHnJJ is the alternative
> ~ $ curl https://clck.ru/FHnJJ
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
> <title>Redirecting...</title>
> <h1>Redirecting...</h1>
> <p>You should be redirected automatically to target URL: <a href="
> https://sba.yandex.net/redirect?url=https%3A%2F%2Fdebbugs.gnu.org%2Fcgi%2Fbugreport.cgi%3Fbug%3D34607&client=clck&sign=ae74c1736ecb62b804356c42c7186694
> ">
> https://sba.yandex.net/redirect?url=https%3A%2F%2Fdebbugs.gnu.org%2Fcgi%2Fbugreport.cgi%3Fbug%3D34607&client=clck&sign=ae74c1736ecb62b804356c42c7186694</a>.
> If not click the link.
>
On Sat, Mar 2, 2019 at 4:37 PM Yuri Khan <yurivkhan@gmail.com> wrote:
> On Sat, Mar 2, 2019 at 10:35 AM Richard Stallman <rms@gnu.org> wrote:
>
> > Is the shortened URL expanded locally inside Emacs?
> > Does it refer to a real website?
> >
> > In the example it gives https://qps.ru/MjrtW as an example. Was
> > https://qps.ru/ chosen by your customization? If so, what made that
> > choice desirable? Why not use sh:e/ (abbreviation of "short:emacs")
> > instead? It is much shorter.
>
> URL shorteners work this way:
>
> 1. Alice gives an ordinary URL to an external web service.
> 2. That service generates a short ID, associates it with the input
> URL, and stores this association into its database.
> 3. It then responds to Alice with a shortened URL composed from the
> service’s prefix and the generated short ID.
> 4. Alice shares the shortened URL with Bob.
> 5. Bob accesses the shortened URL with a browser.
> 6. The web service looks up the ID in its database and retrieves the
> original URL.
> 7. It sends Bob an HTTP response that will, among other things, cause
> his browser to go to the original URL.
>
> So no, the expansion does not happen locally, it happens on the web
> service that generated the shortened URL.
>
> There are trust, integrity, privacy, and availability issues
> associated with URL shorteners:
>
> * Bob does not see where the shortened URL leads. It may expand to a
> link to a malicious resource, and Bob has to rely on his browser’s and
> operating system’s protection when his browser is redirected there.
>
> * The URL shortener service may attempt to track the users who use it
> to shorten or expand URLs, and collect statistics on individual
> shortened URL usage. Some actually offer this as a feature; e.g. Alice
> might learn whether Bob followed the shortened URL she sent.
>
> * The URL shortener service may attempt to display advertisements to
> users who access shortened URLs, before redirecting them to the
> expanded URL.
>
> * The URL shortener service may attempt to run non-free and/or
> malicious JavaScript on the users’ browsers. Executing that JavaScript
> might or might not be a requirement for obtaining the expanded URL.
>
> * The URL shortener service may be discontinued at any time at the
> decision of its maintainer.
>
> * The URL shortener service’s database may be compromised, changing
> the ID/URL associations.
>
> * The URL shortener service may reside on a host that later becomes
> blocked in a certain country.
>
>
> As an example, I accessed the https://qps.ru/MjrtW link with curl(1).
> I got a 46888-byte response that:
>
> * redirects to https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34607
> after 15 seconds or when the user clicks a hyperlink in the HTML;
> * attempts to load scripts from
> https://pushance.com/ntfc.php?p=2053241&tco=1 and
> https://dolohen.com/apu.php?zoneid=2053231;
> * attempts to load a (presumably tracking) image from
> https://counter.yadro.ru/hit, passing it the shortened URL, the URL of
> the page that referred the user to the shortened URL, the screen pixel
> count and color depth of the user, and a random number generated on
> the user’s browser;
> * displays an advertisement offering free-as-in-beer web forum hosting
> on mybb.ru;
> * and also contains a big unreadable blob of JavaScript which I will
> not attempt to reverse-engineer.
>
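Added example, not part of the original messages: one way to see where a shortened link leads without opening it in a browser, by parsing a saved response body such as the clck.ru curl output quoted above and unwrapping the `url=` redirect parameter. The names `LinkCollector`, `unwrap`, `hosts` and `inspect_response` are hypothetical, and the sample body is abridged from that output.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Abridged from the clck.ru curl output quoted in the message (link text shortened).
SAMPLE = """<title>Redirecting...</title>
<p>You should be redirected automatically to target URL: <a href="
https://sba.yandex.net/redirect?url=https%3A%2F%2Fdebbugs.gnu.org%2Fcgi%2Fbugreport.cgi%3Fbug%3D34607&client=clck&sign=ae74c1736ecb62b804356c42c7186694
">link</a>. If not click the link."""

class LinkCollector(HTMLParser):
    """Collect redirect targets (<a href>, <meta refresh>) and <script src>."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # e.g. content="15; url=https://example.org/"
            target = a.get("content", "").partition("=")[2].strip(" '\"")
            if target:
                self.links.append(target)

def unwrap(url, params=("url",), max_depth=5):
    """Peel redirect wrappers that carry the destination in a query parameter
    (the page shows "url"); returns the chain of URLs, no network access."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(chain[-1]).query)
        inner = next((query[p][0] for p in params if p in query), None)
        if not inner or urlsplit(inner).scheme not in ("http", "https"):
            break
        chain.append(inner)
    return chain

def hosts(urls):
    return sorted({h for h in (urlsplit(u).hostname for u in urls) if h})

def inspect_response(body):
    """Report where a shortener's response leads and which hosts it involves."""
    parser = LinkCollector()
    parser.feed(body)
    chains = [unwrap(u) for u in parser.links]
    return {"chains": chains,
            "redirect_hosts": hosts(u for c in chains for u in c),
            "script_hosts": hosts(parser.scripts)}
```

Running `inspect_response(SAMPLE)` shows the intermediate `sba.yandex.net` hop and the final `debbugs.gnu.org` destination; a body that pulls in third-party scripts would list their hosts under `script_hosts`.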