Filters on url shortening services

From: Andrew Hodgson (andrewat_private)
Date: Mon Oct 07 2002 - 11:36:55 PDT


    Hi,
    
    A while ago I was made aware of services such as <www.tinyurl.com>,
    which will shorten a long url into a shorter one, such as:
    
    <http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbearat_private
    val.tool.html>
    
    to
    <http://tinyurl.com/1qoo>
    
    I can see two problems with this type of system, both of which I have
    contacted the <infoat_private> about, but have not yet received a
    response.
    
    The first being that there is no mention of how long these "shortened"
    urls stay active on their system; for example, if I were to create a
    url to a document on another server, and someone mistyped the
    tinyurl address for some reason, they may end up at this document,
    which may or may not be sensitive.
    
    The second is that anyone can create any url, and the user knows very
    little about what they are clicking on.  I tried entering in the url
    to activate the Windows XP help center exploit into the url box and
    the system went ahead and shortened the url without any problem.
    
    Resolution:
    
    I believe that these problems could be resolved: the first with the
    addition of a public statement regarding the TTL of the shortened url,
    or, even better, a user-definable TTL for the URL.  As for the second
    problem, I believe that certain urls should be filtered before being
    processed.
    
    Andrew Hodgson.
    
    -- 
    Andrew Hodgson, Bromyard, Herefordshire, UK.
    Email: Andrewat_private
    
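The two mitigations proposed above (an expiry on every shortened link, and filtering of the submitted URL before it is stored) are shown below as an added illustration in Python. This is not TinyURL's code or the poster's; the names `Shortener`, `Entry`, `RejectedURL`, `validate_target` and the policy constants (`ALLOWED_SCHEMES`, `DEFAULT_TTL_SECONDS`, `MAX_TTL_SECONDS`) are invented for the example. It also goes slightly beyond the post by using random, non-sequential codes, which addresses the "mistyped address lands on someone else's document" concern, and by offering a preview of the destination host before any redirect.

```python
"""Minimal URL shortener with a user-definable TTL and URL filtering.

Added illustration, not the service's own code. All names and policy
values here are assumptions made for the example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Assumed policy: only plain web URLs are accepted, and every link expires.
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_TTL_SECONDS = 7 * 24 * 3600   # one week if the submitter says nothing
MAX_TTL_SECONDS = 90 * 24 * 3600      # hard ceiling, so nothing lives forever
CODE_BYTES = 6                        # 48 random bits -> 8-character code


class RejectedURL(ValueError):
    """Raised when a submitted URL fails the filter."""


def validate_target(url: str) -> str:
    """Filter a submitted URL before it is stored.

    Accepts only http(s) URLs with a real host, so local protocol handlers
    and script URLs cannot be laundered through the service; rejects
    userinfo (user:pass@host, a host-spoofing trick) and any whitespace or
    control characters, which some URL parsers would otherwise strip.
    """
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in url):
        raise RejectedURL("control character or whitespace in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise RejectedURL("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("userinfo in URL is not allowed")
    return url


@dataclass
class Entry:
    target: str
    expires_at: float


class Shortener:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._store: Dict[str, Entry] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def shorten(self, url: str, ttl_seconds: Optional[int] = None) -> str:
        """Store a filtered URL under a fresh random code with a bounded TTL."""
        validate_target(url)
        ttl = DEFAULT_TTL_SECONDS if ttl_seconds is None else ttl_seconds
        if not 0 < ttl <= MAX_TTL_SECONDS:
            raise ValueError(f"ttl must be in (0, {MAX_TTL_SECONDS}] seconds")
        # Random, non-sequential codes: a one-character typo in a valid code
        # almost never resolves to another user's link.
        code = secrets.token_urlsafe(CODE_BYTES)
        while code in self._store:
            code = secrets.token_urlsafe(CODE_BYTES)
        self._store[code] = Entry(target=url, expires_at=self._clock() + ttl)
        return code

    def resolve(self, code: str) -> Optional[str]:
        """Return the target for a code, or None if unknown or expired."""
        entry = self._store.get(code)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._store[code]  # expired: forget it rather than serve it
            return None
        return entry.target

    def preview(self, code: str) -> Optional[str]:
        """Hostname the code points at, for a preview page shown before redirecting."""
        target = self.resolve(code)
        return urlsplit(target).hostname if target else None


if __name__ == "__main__":
    s = Shortener()
    code = s.shorten("https://example.com/report.html", ttl_seconds=3600)
    print(code, "->", s.resolve(code), "host:", s.preview(code))
```

The expiry check happens on every lookup rather than in a background sweep, so a link is never served past its TTL even if cleanup is late; the clock is injected so the expiry path can be exercised without waiting.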



    This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 12:27:59 PDT