From: Yuri Khan
Newsgroups: gmane.emacs.devel
Subject: Re: [ELPA] New package: shorten-url
Date: Sat, 2 Mar 2019 20:37:09 +0700
To: rms@gnu.org
Cc: Nicolas Rybkin, Emacs developers

On Sat, Mar 2, 2019 at 10:35 AM Richard Stallman wrote:

> Is the shortened URL expanded locally inside Emacs?
> Does it refer to a real website?
>
> In the example it gives https://qps.ru/MjrtW as an example, Was
> https://qps.ru/ chosen by your customization? If so, what made that
> choice desirable? Why not use sh:e/ (abbreviation of "short:emacs")
> instead? It is much shorter.

URL shorteners work this way:

1. Alice gives an ordinary URL to an external web service.
2. That service generates a short ID, associates it with the input
   URL, and stores this association into its database.
3. It then responds to Alice with a shortened URL composed from the
   service’s prefix and the generated short ID.
4. Alice shares the shortened URL with Bob.
5. Bob accesses the shortened URL with a browser.
6. The web service looks up the ID in its database and retrieves the
   original URL.
7. It sends Bob an HTTP response that will, among other things, cause
   his browser to go to the original URL.

So no, the expansion does not happen locally, it happens on the web
service that generated the shortened URL.

There are trust, integrity, privacy, and availability issues
associated with URL shorteners:

* Bob does not see where the shortened URL leads. It may expand to a
  link to a malicious resource, and Bob has to rely on his browser’s
  and operating system’s protection when his browser is redirected
  there.
* The URL shortener service may attempt to track the users who use it
  to shorten or expand URLs, and collect statistics on individual
  shortened URL usage. Some actually offer this as a feature; e.g.
  Alice might learn whether Bob followed the shortened URL she sent.
* The URL shortener service may attempt to display advertisements to
  users who access shortened URLs, before redirecting them to the
  expanded URL.
* The URL shortener service may attempt to run non-free and/or
  malicious Javascript on the users’ browsers. Executing that
  Javascript might or might not be a requirement for obtaining the
  expanded URL.
* The URL shortener service may be discontinued at any time at the
  decision of its maintainer.
* The URL shortener service’s database may be compromised, changing
  the ID/URL associations.
* The URL shortener service may reside on a host that later becomes
  blocked in a certain country.

As an example, I accessed the https://qps.ru/MjrtW link with curl(1).
I got a 46888-byte response that:

* redirects to https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34607
  after 15 seconds or when the user clicks a hyperlink in the HTML;
* attempts to load scripts from
  https://pushance.com/ntfc.php?p=2053241&tco=1 and
  https://dolohen.com/apu.php?zoneid=2053231;
* attempts to load a (presumably tracking) image from
  https://counter.yadro.ru/hit, passing it the shortened URL, the URL
  of the page that referred the user to the shortened URL, the screen
  pixel count and color depth of the user, and a random number
  generated on the user’s browser;
* displays an advertisement offering free-as-in-beer web forum hosting
  on mybb.ru;
* and also contains a big unreadable blob of Javascript which I will
  not attempt to reverse-engineer.
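
The inspection described at the end of the message can be done on the fetched HTML without a browser, so none of the page's scripts run. The following is an added example, not part of the original message: it assumes the delayed redirect is a meta refresh, and the sample page and its hosts (short.example, ads.example, counter.example, dest.example) are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts are placeholders, meta refresh is an assumption.
SAMPLE_URL = "https://short.example/AbCdE"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="15; url=https://dest.example/cgi/report?bug=1">
<script src="https://ads.example/ntfc.js?p=1"></script>
<script src="/static/site.js"></script>
</head><body>
<a href="https://dest.example/cgi/report?bug=1">Continue</a>
<img src="//counter.example/hit?r=ref;s=1920*1080*24;u=https%3A//short.example/AbCdE">
</body></html>"""


class InterstitialAudit(HTMLParser):
    """Collects the redirect target and every resource the page would load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.redirect = None      # (delay_seconds, absolute_url)
        self.resources = []       # (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            delay, _, rest = (a.get("content") or "").partition(";")
            target = rest.strip()
            if target.lower().startswith("url="):
                target = target[4:].strip("'\" ")
            if delay.strip().isdigit() and target:
                self.redirect = (int(delay), urljoin(self.base_url, target))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, urljoin(self.base_url, a["src"])))


def audit(html, base_url):
    """Return redirect info plus the third-party hosts contacted before it."""
    parser = InterstitialAudit(base_url)
    parser.feed(html)
    own_host = urlsplit(base_url).hostname
    third_party = sorted({urlsplit(u).hostname for _, u in parser.resources
                          if urlsplit(u).hostname != own_host})
    return {"redirect": parser.redirect, "third_party_hosts": third_party}


if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_URL))
```

A page that redirects only from script, or hides the target inside an obfuscated blob, yields no redirect here, which is itself worth flagging before the link is followed.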