From: Nicolas Rybkin
Newsgroups: gmane.emacs.devel
Subject: Re: [ELPA] New package: shorten-url
Date: Sat, 2 Mar 2019 19:05:57 +0300
To: Yuri Khan
Cc: rms@gnu.org, Emacs developers
https://clck.ru/FHnJJ is the alternative

> ~ $ curl https://clck.ru/FHnJJ
>
> Redirecting...
>
> You should be redirected automatically to target URL:
> https://sba.yandex.net/redirect?url=https%3A%2F%2Fdebbugs.gnu.org%2Fcgi%2Fbugreport.cgi%3Fbug%3D34607&client=clck&sign=ae74c1736ecb62b804356c42c7186694.
> If not click the link.

On Sat, Mar 2, 2019 at 4:37 PM Yuri Khan wrote:
> On Sat, Mar 2, 2019 at 10:35 AM Richard Stallman wrote:
>
> > Is the shortened URL expanded locally inside Emacs?
> > Does it refer to a real website?
> >
> > In the example it gives https://qps.ru/MjrtW as an example. Was
> > https://qps.ru/ chosen by your customization?  If so, what made that
> > choice desirable?  Why not use sh:e/ (abbreviation of "short:emacs")
> > instead?  It is much shorter.
>
> URL shorteners work this way:
>
> 1. Alice gives an ordinary URL to an external web service.
> 2. That service generates a short ID, associates it with the input
> URL, and stores this association into its database.
> 3. It then responds to Alice with a shortened URL composed from the
> service’s prefix and the generated short ID.
> 4. Alice shares the shortened URL with Bob.
> 5. Bob accesses the shortened URL with a browser.
> 6. The web service looks up the ID in its database and retrieves the
> original URL.
> 7. It sends Bob an HTTP response that will, among other things, cause
> his browser to go to the original URL.
>
> So no, the expansion does not happen locally, it happens on the web
> service that generated the shortened URL.
>
> There are trust, integrity, privacy, and availability issues
> associated with URL shorteners:
>
> * Bob does not see where the shortened URL leads. It may expand to a
> link to a malicious resource, and Bob has to rely on his browser’s and
> operating system’s protection when his browser is redirected there.
>
> * The URL shortener service may attempt to track the users who use it
> to shorten or expand URLs, and collect statistics on individual
> shortened URL usage. Some actually offer this as a feature; e.g. Alice
> might learn whether Bob followed the shortened URL she sent.
>
> * The URL shortener service may attempt to display advertisements to
> users who access shortened URLs, before redirecting them to the
> expanded URL.
>
> * The URL shortener service may attempt to run non-free and/or
> malicious Javascript on the users’ browsers. Executing that Javascript
> might or might not be a requirement to obtaining the expanded URL.
>
> * The URL shortener service may be discontinued at any time at the
> decision of its maintainer.
>
> * The URL shortener service’s database may be compromised, changing
> the ID/URL associations.
>
> * The URL shortener service may reside on a host that later becomes
> blocked in a certain country.
>
>
> As an example, I accessed the https://qps.ru/MjrtW link with curl(1).
> I got a 46888-byte response that:
>
> * redirects to https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34607
> after 15 seconds or when the user clicks a hyperlink in the HTML;
> * attempts to load scripts from
> https://pushance.com/ntfc.php?p=2053241&tco=1 and
> https://dolohen.com/apu.php?zoneid=2053231;
> * attempts to load a (presumably tracking) image from
> https://counter.yadro.ru/hit, passing it the shortened URL, the URL of
> the page that referred the user to the shortened URL, the screen pixel
> count and color depth of the user, and a random number generated on
> the user’s browser;
> * displays an advertisement offering free-as-in-beer web forum hosting
> on mybb.ru;
> * and also contains a big unreadable blob of Javascript which I will
> not attempt to reverse-engineer.
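A defender-side way to preview where a shortened URL leads, illustrating the redirect mechanism Yuri describes and the two curl results quoted in this thread; this is an added example, not code from the thread or from the shorten-url package. It inspects one captured HTTP response offline (a 3xx Location header, else a meta refresh or the lone link on a "Redirecting..." page) and lists the third-party script and image hosts a browser would have contacted, without executing any script; `expand_without_browser` and the constructed `CLCK_BODY` sample are assumptions modelled on the clck.ru output above, not the real page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _RedirectSniffer(HTMLParser):
    """Collect redirect hints and third-party fetches; never runs script."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = None  # target of <meta http-equiv="refresh">
        self.links = []           # href of every <a>
        self.fetches = []         # src of <script>/<img> the page would load

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh = m.group(1).strip()
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "img") and a.get("src"):
            self.fetches.append(a["src"])

def expand_without_browser(short_url, status, headers, body):
    """Resolve one captured shortener response to (target, third_party_hosts).
    status/headers/body are the reply to short_url fetched with redirects
    disabled (urllib, or curl without -L). A 3xx Location header wins; else
    a meta refresh or a lone hyperlink is taken as the target (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and h.get("location"):
        return urljoin(short_url, h["location"]), []
    p = _RedirectSniffer()
    p.feed(body)
    target = p.meta_refresh or (p.links[0] if len(p.links) == 1 else None)
    own = urlparse(short_url).hostname
    hosts = {urlparse(urljoin(short_url, u)).hostname for u in p.fetches}
    return (urljoin(short_url, target) if target else None), sorted(hosts - {own, None})

# Constructed sample modelled on the clck.ru page quoted in this thread
# (an HTML "Redirecting..." page rather than a 3xx response).
CLCK_BODY = """<html><head><title>Redirecting...</title></head><body>
You should be redirected automatically to target URL:
<a href="https://sba.yandex.net/redirect?url=https%3A%2F%2Fdebbugs.gnu.org%2Fcgi%2Fbugreport.cgi%3Fbug%3D34607&amp;client=clck">link</a>.
If not click the link.</body></html>"""

if __name__ == "__main__":
    print(expand_without_browser("https://clck.ru/FHnJJ", 200, {}, CLCK_BODY))
```

Feeding it a real response captured with redirects disabled shows the eventual target and the trackers before anyone opens the link in a browser.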