Alongside the rise of Twitter and its famously 140-character message size limit has come an explosion in URL shorteners like bit.ly and tr.im. But with spammers gleefully abusing these systems and some shortening services on the verge of disappearing, we must question whether the use of URL shorteners in any other medium — such as email — is a wise practice.
A URL shortening service takes a long web address like https://hostedjobs.openhire.com/epostings/submit.cfm?fuseaction=app.allpositions&company_id=15953&version=1, and converts it to something short (but often even more obscure) like http://bit.ly/9sUe3. When you click on the shortened link, your web browser (Firefox, Internet Explorer, et cetera) contacts the shortening service’s web server just like any other request for a web page. Most services will reply with a simple HTTP Redirect, telling your browser to go open the longer URL instead. A few open the target URL in a frame, with a bar at the top encouraging you to share the site too — while tracking your activities, and possibly showing ads.
These services have been around for years: TinyURL, which was for a long time the most popular, launched in 2002 and was almost immediately adopted by pranksters. One memorable prank was the rickrolling fad, in which the prankster used various means to fool a target into clicking on a link which resulted in hearing Rick Astley’s 1987 song “Never Gonna Give You Up.” The simplest Rickroll was to send an email saying something like “hey, click on this link, it’s really important!” A savvy user would move their mouse over that link to see what it is before clicking on it, but that only reveals a short URL like http://bit.ly/1628nB — no indication of the annoying final destination.
While Rickrolling is mostly harmless, it’s equally easy to misuse URL shorteners for spam — or worse. The same features which make shortened URLs perfect for pranks also make them perfect for distributing malware. Because of this, many anti-spam systems are suspicious of such links and may block them outright — both in email and on sites like Wikipedia, whose spam blacklist contains one of the most complete and up-to-date lists of URL shortening services.
The major shortening services do check with Google Safe Browsing, SURBL, and other lists of unsafe URLs to prevent use by spammers, phishers, or other bad guys — but these lists are reactive, waiting for reports before disabling links. Besides, new bad sites spring up all the time — and that isn’t going to change any time soon. A web page that was safe yesterday may be infected today, and then cleaned up tomorrow. There’s no way to know, and URL shorteners only add to the problem.
There are now a few Firefox add-ons which attempt to expand shortened URLs, but I’ve played with all of them, and they all make Firefox 3.5 unusably slow on my Mac. Hopefully they’ll improve over time, because this is an important service. (If you know of anything similar for Internet Explorer, Safari, or other browsers, please share with a comment below.)
Along with the issues above, and the obvious lack of brand recognition, there’s also a concern that URL shortening services may stop working without warning. The popular tr.im closed down recently, saying there’s no way for them “to monetize URL shortening — users won’t pay for it”. They’re back now, but for how long? Meanwhile, others may disappear without any explanation, and when their domains expire, they’ll be taken over by SEO bandits or malware distributors. Any shortened URL you registered with their site will be controlled by someone else.
And yet, there are still good reasons to want shorter URLs. Twitter’s 140 character limit isn’t going away any time soon, so brevity in all things is absolutely necessary there; Twitter itself shortens many with bit.ly as they pass through. Some instant messaging networks and all SMS (phone text messaging) services have similar limits. In email, any URL longer than about 70 characters runs a very real risk of being chopped off in recipients’ mail software, either on first viewing or when they reply or forward. This isn’t confined to classic text-based mail readers like Pine; I see it all the time in the latest build of Microsoft Entourage 2008.
If your software creates long, ugly, easily broken URLs, one option might be to install your own shortener using your own domain, which ensures consistent branding. Just make sure that new links can only be created by approved staff inside your company. Many ESPs offer similar services to help track click-throughs — but this type of redirection sometimes results in longer URLs. And whether it’s in-house or external, make sure the service you choose isn’t easily abused, because whether you like it or not: that’s your new brand.
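One way to apply both rules to an in-house shortener, as an added example that is not from the original post: link creation checks an approved-staff list, and destinations are limited to domains you own, so the service cannot be used as a redirect to arbitrary sites. The staff names, `example.com` and the own-domains policy are assumptions made for the illustration.

```python
import secrets
from urllib.parse import urlsplit

APPROVED_STAFF = {"alice", "bob"}      # hypothetical accounts; stand-in for real auth
ALLOWED_DOMAINS = {"example.com"}      # hypothetical: domains your brand controls

class Rejected(Exception):
    """Raised when a link may not be created."""

def check_destination(url):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise Rejected("scheme not allowed")
    # "https://example.com@other.test/" really points at other.test
    if parts.username or parts.password:
        raise Rejected("userinfo in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match or true subdomain only; "example.com.other.test" must fail
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        raise Rejected("destination outside allowed domains")
    return url

class Shortener:
    def __init__(self):
        self.links = {}                # short code -> destination

    def create(self, user, url):
        if user not in APPROVED_STAFF:
            raise Rejected("user may not create links")
        dest = check_destination(url)
        code = secrets.token_urlsafe(6)   # random, so codes cannot be enumerated in order
        self.links[code] = dest
        return code

    def resolve(self, code):
        return self.links.get(code)    # None for unknown codes
```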
Still, most of the time — unless you’ve got a very good reason — you’re best served by keeping your original link exactly as it is. It preserves your brand, which encourages trust and reduces the ease with which a bad guy can hijack your reputation.
And when you’re out there reading email or Twitter or surfing the web, be very careful where you click.