Re: [ELPA] New package: shorten-url

[Yuri Khan <yurivkhan@gmail.com>]

On Sat, Mar 2, 2019 at 10:35 AM Richard Stallman <rms@gnu.org> wrote:

> Is the shortened URL expanded locally inside Emacs?
> Does it refer to a real website?
>
> In the example it gives https://qps.ru/MjrtW as an example, Was
> https://qps.ru/ chosen by your customization?  If so, what made that
> choice desirable?  Why not use sh:e/ (abbreviation of "short:emacs")
> instead?  It is much shorter.

URL shorteners work this way:

1. Alice gives an ordinary URL to an external web service.
2. That service generates a short ID, associates it with the input
URL, and stores this association into its database.
3. It then responds to Alice with a shortened URL composed from the
service’s prefix and the generated short ID.
4. Alice shares the shortened URL with Bob.
5. Bob accesses the shortened URL with a browser.
6. The web service looks up the ID in its database and retrieves the
original URL.
7. It sends Bob an HTTP response that will, among other things, cause
his browser to go to the original URL.

So no, the expansion does not happen locally, it happens on the web
service that generated the shortened URL.

There are trust, integrity, privacy, and availability issues
associated with URL shorteners:

* Bob does not see where the shortened URL leads. It may expand to a
link to a malicious resource, and Bob has to rely on his browser’s and
operating system’s protection when his browser is redirected there.

* The URL shortener service may attempt to track the users who use it
to shorten or expand URLs, and collect statistics on individual
shortened URL usage. Some actually offer this as a feature; e.g. Alice
might learn whether Bob followed the shortened URL she sent.

* The URL shortener service may attempt to display advertisements to
users who access shortened URLs, before redirecting them to the
expanded URL.

* The URL shortener service may attempt to run non-free and/or
malicious Javascript on the users’ browsers. Executing that Javascript
might or might not be a requirement to obtaining the expanded URL.

* The URL shortener service may be discontinued at any time at the
decision of its maintainer.

* The URL shortener service’s database may be compromised, changing
the ID/URL associations.

* The URL shortener service may reside on a host that later becomes
blocked in a certain country.


As an example, I accessed the https://qps.ru/MjrtW link with curl(1).
I got a 46888-byte response that:

* redirects to https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34607
after 15 seconds or when the user clicks a hyperlink in the HTML;
* attempts to load scripts from
https://pushance.com/ntfc.php?p=2053241&tco=1 and
https://dolohen.com/apu.php?zoneid=2053231;
* attempts to load a (presumably tracking) image from
https://counter.yadro.ru/hit, passing it the shortened URL, the URL of
the page that referred the user to the shortened URL, the screen pixel
count and color depth of the user, and a random number generated on
the user’s browser;
* displays an advertisement offering free-as-in-beer web forum hosting
on mybb.ru;
* and also contains a big unreadable blob of Javascript which I will
not attempt to reverse-engineer.