From: Yuri Khan <yurivkhan@gmail.com>
To: rms@gnu.org
Cc: Nicolas Rybkin <nr68020@gmail.com>,
	Emacs developers <emacs-devel@gnu.org>
Subject: Re: [ELPA] New package: shorten-url
Date: Sat, 2 Mar 2019 20:37:09 +0700
Message-ID: <CAP_d_8V3g+9B7UFDcgzSkiDUrmkE9uH6Dynt2E1QLOerJJ1x9A@mail.gmail.com>
In-Reply-To: <E1gzvQO-0003AK-16@fencepost.gnu.org>

On Sat, Mar 2, 2019 at 10:35 AM Richard Stallman <rms@gnu.org> wrote:

> Is the shortened URL expanded locally inside Emacs?
> Does it refer to a real website?
>
> In the example it gives https://qps.ru/MjrtW as an example. Was
> https://qps.ru/ chosen by your customization?  If so, what made that
> choice desirable?  Why not use sh:e/ (abbreviation of "short:emacs")
> instead?  It is much shorter.

URL shorteners work this way:

1. Alice gives an ordinary URL to an external web service.
2. That service generates a short ID, associates it with the input
URL, and stores this association into its database.
3. It then responds to Alice with a shortened URL composed from the
service’s prefix and the generated short ID.
4. Alice shares the shortened URL with Bob.
5. Bob accesses the shortened URL with a browser.
6. The web service looks up the ID in its database and retrieves the
original URL.
7. It sends Bob an HTTP response that will, among other things, cause
his browser to go to the original URL.

So no, the expansion does not happen locally; it happens on the web
service that generated the shortened URL.

There are trust, integrity, privacy, and availability issues
associated with URL shorteners:

* Bob does not see where the shortened URL leads. It may expand to a
link to a malicious resource, and Bob has to rely on his browser’s and
operating system’s protection when his browser is redirected there.

* The URL shortener service may attempt to track the users who use it
to shorten or expand URLs, and collect statistics on individual
shortened URL usage. Some actually offer this as a feature; e.g. Alice
might learn whether Bob followed the shortened URL she sent.

* The URL shortener service may attempt to display advertisements to
users who access shortened URLs, before redirecting them to the
expanded URL.

* The URL shortener service may attempt to run non-free and/or
malicious Javascript on the users’ browsers. Executing that Javascript
might or might not be a requirement for obtaining the expanded URL.

* The URL shortener service may be discontinued at any time at the
decision of its maintainer.

* The URL shortener service’s database may be compromised, changing
the ID/URL associations.

* The URL shortener service may reside on a host that later becomes
blocked in a certain country.


As an example, I accessed the https://qps.ru/MjrtW link with curl(1).
I got a 46888-byte response that:

* redirects to https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34607
after 15 seconds or when the user clicks a hyperlink in the HTML;
* attempts to load scripts from
https://pushance.com/ntfc.php?p=2053241&tco=1 and
https://dolohen.com/apu.php?zoneid=2053231;
* attempts to load a (presumably tracking) image from
https://counter.yadro.ru/hit, passing it the shortened URL, the URL of
the page that referred the user to the shortened URL, the screen pixel
count and color depth of the user, and a random number generated on
the user’s browser;
* displays an advertisement offering free-as-in-beer web forum hosting
on mybb.ru;
* and also contains a big unreadable blob of Javascript which I will
not attempt to reverse-engineer.
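Both the seven-step description of how a shortener expands a link and the curl(1) inspection above make the same point: the expansion happens at the service, and the only way to learn where a short link leads without letting a browser be redirected is to fetch the raw response and read it statically. The following is an added example, not code from this message or from the shorten-url package. It takes a response the caller has already fetched (status, headers, body) and reports the redirect target, the delay, and the third-party hosts the page would contact, without executing any script. The sample response embedded in it is constructed to mirror the structure described above (delayed meta refresh, third-party scripts, a tracking image); every hostname in it (short.example, example.org, ads.example.net, counter.example.com, tracker.example.net) is a placeholder, not content captured from qps.ru.

```python
"""Static inspection of a URL-shortener response (added example).

Given the status, headers and body a shortener returned for a short link,
report where the link would send a browser and which other hosts the page
would contact. Nothing is executed and nothing is fetched.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _Collector(HTMLParser):
    """Record redirect, script, image and hyperlink targets found in HTML."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refresh = None   # (delay_seconds, target) from <meta http-equiv=refresh>
        self.scripts = []     # external <script src=...> URLs
        self.images = []      # <img src=...> URLs (candidate tracking beacons)
        self.links = []       # <a href=...> URLs the user might click

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for valueless attributes
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)",
                         a.get("content") or "", re.IGNORECASE)
            if m:
                self.refresh = (int(m.group(1)), urljoin(self.base_url, m.group(2)))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base_url, a["src"]))
        elif tag == "img" and a.get("src"):
            self.images.append(urljoin(self.base_url, a["src"]))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))


def inspect_response(short_url, status, headers, body):
    """Describe where a short link leads and which third parties are contacted.

    Handles both expansion mechanisms described in the message: a plain HTTP
    redirect (3xx status plus Location header) and an HTML page that
    redirects via <meta http-equiv="refresh"> after a delay.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    short_host = urlparse(short_url).netloc.lower()
    result = {"mechanism": None, "target": None, "delay": None,
              "third_party_hosts": [], "links": []}

    if 300 <= status < 400 and "location" in hdrs:
        result["mechanism"] = "http-redirect"
        result["target"] = urljoin(short_url, hdrs["location"])
        result["delay"] = 0
        return result

    c = _Collector(short_url)
    c.feed(body)
    if c.refresh:
        result["mechanism"] = "meta-refresh"
        result["delay"], result["target"] = c.refresh
    hosts = {urlparse(u).netloc.lower() for u in c.scripts + c.images}
    result["third_party_hosts"] = sorted(h for h in hosts if h and h != short_host)
    result["links"] = c.links
    return result


# Constructed sample body shaped like the response described in the message.
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="15; url=https://example.org/bug/1234">
<script src="https://ads.example.net/ntfc.js"></script>
</head><body>
<a href="https://example.org/bug/1234">Continue</a>
<img src="https://counter.example.com/hit?r=https://short.example/abc">
<script src="https://tracker.example.net/apu.js"></script>
</body></html>"""


def demo():
    """Inspect the constructed sample as if it were fetched for a short link."""
    return inspect_response("https://short.example/abc", 200,
                            {"Content-Type": "text/html"}, SAMPLE_BODY)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The body is handed in rather than fetched so the inspection stays offline and so the caller decides what client, proxy and cookie policy to use for the fetch; the point is that the target and the set of contacted hosts can be read out of the response before any browser follows it.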