Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.
I have remained on a useful Edgewave mailing list even though I bought and use UTM. Tonight, they raised an alarm about URL shortening services that allow modifications after initial creation. Based on some of the discussion in this forum, dating back to at least 2011, it seems like URL shortening services should be considered risky whether they allow changes or not.
Curiously, both UTM and TrustedSource classify the base domain of http://tinyurl.com as category "Internet Services" and reputation "Trusted" Perhaps TinURL cooperates with the major services and all of their billion-plus codes have been scanned at least once. But since the content of any single web page can change at any time, any attempt to assess risk based on a shortened URL seems inadequate, whether the long URL is revisable or not.
Based on my understanding of these services, instead of returning a web redirect to the desired page, they act as a proxy and retrieve the page for you, then deliver the content from their own URL. This means that the category and reputation of the target is completely hidden from a reputation service like UTM. Perhaps the legitimate sites have their own UTM-like device to filter the most noxious links, but one cannot know for certain.
The wikipedia article on TinyURL had a footnote with this link, which itemizes the syntax for causing the largest services to switch from proxy mode to redirect mode. http://security.thejoshmeister.com/2009/04/how-to-preview-shortened-urls-tinyurl.html
(I have not attempted to validate his data, and it is clearly an old post, but it provides a starting point for further research.)
My request would be that UTM Web Protection should rewrite links to known URL Shortening services to force them from proxy mode to redirect mode. That would give UTM two chances to detect and block hostile URLs (and of course additional chances during content inspection and Sandstorm evaluation.)
If a URL shortening service does not publish a mechanism for invoking redirect mode, they should be placed in category "Anonymizers", or something equivalent, and given a reputation of Suspicious or Malicious.
Not certain whether the concept could be applied to email filtering as well, but this would be desirable, since killing a bad url on receipt is better than killing it during activation.
Great idea, Douglas. Please submit it at Ideas and then post a link here to your suggestion.
Cheers - Bob
Done. I had despaired that anyone from Sophos still read http://ideas.sophos.com/
Please edit your post and add a link to your suggestion, Douglas.
Here is the link so that you can vote for this idea.