By Harry McCracken | Friday, September 25, 2009 at 12:26 pm
It’s not a gross exaggeration to say that without short URLs from services such as Bit.ly and TinyURL, Twitter might not have become the sensation that it is. They enable the sharing of interesting links and photos and generally let the service transcend its 140-character limit. But they also bring some major gotchas, such as the possibility of your links breaking if the short URL provider goes out of business or simply loses interest.
Another basic problem with short URLs: They can be dangerous. The very idea behind them is that they’re short (and therefore cryptic) but can redirect you to any URL. But the URLs they redirect to can send you to malware-infested sites–and since you see the short URL rather than the real one, you don’t have the opportunity to inspect the address for tell-tale signs that it’s risky.
Security software kingpin Symantec is understandably interested in short-URL security, and produced this video showing some sleazy ones on Twitter:
If you can see the real URL before you click, there’s a very good chance you’ll figure out it’s not something you want to visit. Which is part of why many third-party Twitter apps (such as Seesmic) let you preview the true URL. Weirdly, Twitter itself only provides this capability in its search.twitter.com feature, via “expand” links (which don’t appear next to all short URLs–you don’t get them with Digg links, for instance).
Seems to me that it would be fairly simple for Twitter to make short URLs a whole lot more useful and a whole lot less insecure. Here, I’ll map out a course of action:
1) Twitter should launch its own URL-shortening feature*. (Currently, it uses Bit.ly as its default service.) It’ll tick off every third-party shortener and probably drive most of them out of business, but the benefits to Twitter users will ultimately be worth it. If Twitter itself controls the short URLs, they’ll work for as long as there’s a Twitter, and the company will gain the ability to make them better than existing ones.
2) It should institute a short-URL expansion feature throughout the site–and instead of making you click an “expand” link, it should autoexpand them so the short link never appears. If users need to take the extra step of clicking to see the real link, they may or may not bother–but if the real one is staring them in the face, many questionable URLs will be manifestly obvious. (And some scammers probably won’t even bother to try and do their dirty work via Twitter.)
3) It should put the real URLs that short URLs point to through a malware-detection feature along the lines of ones that are now standard in Web browsers. If a real URL looks suspicious, Twitter shouldn’t permit it to be turned into a short URL in the first place. (Again, doing this should not only foil malware links that do get through, but should discourage scammers from bothering in the first place.)
*If Twitter is really worried about destroying third-party URL shorteners, it could accomplish most of the above without launching its own service, by launching an API (with malware detection and other enhancements) that other URL shorteners can take advantage of. Even if it does create its own service, it needs an API so that third-party Twitter clients can bring all of its goodness to their users.
The above game plan would require some time and money, but if Twitter’s ambition is to be the pulse of the planet, it’s going to be responsible for taking actions that make it harder for the bad guys to screw things up for the good guys. And if the company really has a hundred million bucks to play with, it should throw a little of the dough towards solving this problem once and for all.
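Steps 2 and 3 of the plan above, sketched as an added example (this is not Twitter's code or anything from the original post): a short link is expanded through its whole redirect chain, every hop is checked against a blocklist, and the real destination is returned for display. The redirect table, the blocklist and all function names are constructed for illustration; a real service would read Location headers and query a reputation feed instead.

```python
from urllib.parse import urlsplit

MAX_HOPS = 5  # assumed cap on chained shorteners

# Constructed sample data standing in for HTTP 301/302 Location headers.
REDIRECTS = {
    "http://short.example/a1": "http://news.example.org/story",
    "http://short.example/b2": "http://tiny.example/zz",
    "http://tiny.example/zz": "http://malware.example.net/free-prize",
    "http://short.example/c3": "http://short.example/c4",
    "http://short.example/c4": "http://short.example/c3",
}
BLOCKED_HOSTS = {"malware.example.net"}  # constructed blocklist

def expand(url, lookup=REDIRECTS.get, max_hops=MAX_HOPS):
    """Return every URL in the redirect chain, starting with `url`."""
    chain = [url]
    while (nxt := lookup(chain[-1])) is not None:
        if nxt in chain:
            raise ValueError("redirect loop")
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        chain.append(nxt)
    return chain

def host_blocked(url, blocked=BLOCKED_HOSTS):
    """True if the URL's host is a blocked domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)

def review_link(url):
    """Return (verdict, url_to_display) for a link submitted in a tweet."""
    if urlsplit(url).scheme not in ("http", "https"):
        return ("reject", url)
    try:
        chain = expand(url)
    except ValueError:
        return ("reject", url)  # loops and over-long chains are refused
    # Check every hop: an intermediate shortener can itself be the bad host.
    if any(host_blocked(u) for u in chain):
        return ("reject", chain[-1])
    return ("allow", chain[-1])  # show the real destination, not the short URL
```

Matching on the parsed hostname rather than on a substring of the URL keeps a host such as notmalware.example.net from being blocked by mistake.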
[…] anti-phishing technology to detect dangerous short URLs submitted in direct messages and Tweets. I proposed that it do so last September. And given how many fake direct messages I get with short URLs that lead to sites […]
September 25th, 2009 at 1:43 pm
Harry, I’d bet you’re aware of this, but many people aren’t. Friendfeed has been auto-expanding shortened URLs for a while now (one of the enhancements in the real-time UI rolled out early this year).
September 25th, 2009 at 2:29 pm
Long URL Please Firefox bookmarklet has been helpful.
September 25th, 2009 at 5:04 pm
Excellent post, Harry. I like the API plan, probably because I’m a developer. Making the API available would make all the clients better and provide a solid deterrent to scammers.
From a tech perspective, I find Twitter one of the most interesting things out there in some time. I can see some real possibilities in using the app for business.
September 25th, 2009 at 6:29 pm
So this is all great and it seems like a great plan… BUT… why doesn’t twitter just have it so it recognizes a URL in a tweet and counts it as 0 or 1 characters? Seems like that would solve lots of the issues here and would actually make most shortener sites obsolete. The only thing that should still be developed if my suggestion is taken are your malware-detection propositions.