Re: TinyURL

[Troy <th () zeno com>]

On Wed, 29 Oct 2003 08:30:17 -0600, "David Klotz" <klotz () acm org> wrote:

> I don't agree.  First, you shouldn't be using a service like this to send
> sensitive information in the first place, and if you are, you get what you
> deserve.  If I leave my bank account number in my mailbox so I'll know where
> to get it, I shouldn't blame the post office if someone comes along and
> steals it.

I agree with this. The problem is that the average user won't think
about the security issues of using this service.

> Second, the whole idea behind tinyurl is to take long, difficult to type
> URLs and change them into something much easier.  In order for them to
> generate a string that was long enough so that the chance of someone
> randomly guessing another valid string is low, they would have to use a
> string so long that it would only be marginally easier to type or send than
> the original URL it was designed to replace...

I like the implementation at http://www.makeashorterlink.com much better.
First, it doesn't blindly forward you to the new link so, if you're sent
a link to porn, you have a chance to shut the window before you get
obscene pictures plastered across your monitor for your entire office
to see. Second, it's harder to "guess" valid URLs, since it assigns them
more randomly.

However, in the long run, I don't think it's a major security issue.
You'd have to browse through thousands of guesses before you stumble
across sensitive information. There are far easier ways of getting
credit card numbers.

Still, they should have a warning on their site. After all, curling
irons have warnings not to insert them into any orifice. :)

-- 
Troy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html