Redirect unwrapping & Abuse reports
August is here, and we’re back with a couple of improvements to safeguard once.to’s users against scammers. This comes as a follow-up to our previous post, which highlighted the issue of malicious short links, mostly created by anonymous users.
The first thing to mention is the so-called link redirect unwrapping technique, which gets applied to all anonymously created links by default.
The idea behind the redirect unwrapping is simple: when someone submits a long URL
A that redirects the user to another address
B, then the address
B is used as the target URL for the short link.
This technique, however, doesn’t stop after a single redirect. If the address
B further redirects the user, once.to will follow that and all subsequent redirects until it arrives at the final destination.
So if you’re to shorten
facebook.com, you’ll end up with something like this (notice the Original URL, with
The number of redirects in the chain is limited at 10, after which the service will display an error message. This behaviour is consistent with how most browsers handle redirections: they will also give up after ten consecutive redirects. You may have seen a screen like this on some faulty website:
Amongst other things, this technique enforces the submitted URL to be valid and reachable by once.to. You won’t be able to submit a non-existent domain or URL for shortening, for instance, on your intranet.
Why unwrap redirects?
This enhancement is being introduced as yet another measure against scammers, who seem to like hiding the real destination URL under a pile of redirects. The link redirect unwrapping renders such a straightforward disguise as good as worthless.
This feature is currently only applied to links created by anonymous users, from the main page of once.to, but our intention is to extend it to the authorized areas, too. once.to aims at being the fastest URL shortener on Earth, after all, and removing unnecessary redirects out of the way is one of the best ways to maintain that.
Target URL validation comes as a nice bonus; the service won’t be littered by wrong or mistyped URLs, whereas you as user can save your time fixing them.
As also announced in the previous post, we’ve created a dedicated page for reporting abusive links.
Using this page, you can directly report a specific URL. The service automatically verifies that the URL you’re trying to submit is indeed served by once.to and that it hasn’t been taken down yet.
This can save time both for you and for us, and eliminate any chance of error.
More to come
We hope that these two enhancements will defeat (most of) remaining malevolent users, but our commitment to our users’ safety doesn’t end here.
The war against scammers rages on, and we have a number of nasty surprises in store for them.
Tags: abuse, blog, cybersecurity, Internet, link shortener, news, phishing, redirect, redirect unwrapping, security, spam, URL shortener, web