SEO is a security issue...


SEO leads to verbosity, verbosity leads to redirection, and redirection leads to risk

The acronym URL is so common today that we may have forgotten that it stands for Uniform Resource Locator. There are other words - URI, IRI - which web geeks deploy to show that they are deeply technical and globally aware, but for me it's the first letter, the first word which today is under-respected: Uniform.

"Uniform" implies standardisation, consistency and even constancy; when a resource provides a uniform means for people to access it then that means should be globally homogeneous, unchanging, and ideally brief. Consider the emergency phone number 999 - concise, well-known, but in the UK we also support the European 112 and American 911 numbers in case a tourist is dialling. Lack of uniformity is a clear issue: there is a cost to maintaining, supporting and advertising several numbers; however it's doubtful, for instance, that 999 would be revoked in favour of 112, lest lives be put at risk.

First they fatten you up...

On the web there are two forces opposing brevity and uniformity for reasons that are arbitrary, if not ideological. One force is Search Engine Optimisation (SEO) - a system of belief amongst marketing consultants that promises greater profit via finessing of web-page content so that it's ranked more highly in search results. The people at Google and its competitors have been wise to SEO games for many years, so now once you've implemented basic good style for your site, any further effort is unlikely to yield benefit. The Daily Telegraph provides some lovely examples of SEO at work - for instance either of these links will yield the same story:

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8056928/77-inquest-emergency-phone-calls-reveal-77-tube-chaos.html

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8056928/.html

Almost everything after "8056928" in the original URL is not required by the Telegraph content management system; the excess 53 characters provide artificial, redundant and mostly value-free fodder for search engines.

...and then put you on a controlled diet

Opposing the anti-brevity of SEO is the anti-uniformity of the URL-shortener; the concept found its niche in the 140-character world of Twitter, where Daily-Telegraph-sized URLs would be untransmissable. In a goldrush-like realisation that URL-shortening is a cheap way to become an interposer, track users, insert cookies and gather analytic data, there are now tinyurl, bit.ly and is.gd, Flickr's flic.kr, Wordpress' wp.me and Google's goo.gl amongst scores of others. At least one security company is jumping in with mcaf.ee, and "branded" shorteners are being deployed by content-houses: youtu.be, the BBC's bbc.in and the New York Times' nyti.ms. Any given resource on the Web may now have dozens of "URLs" in circulation, yet only one is definitive.

Cute? Yes, but with risks. One is of exotic jurisdiction: the GL domain is Greenland, GD is Grenada, EE Estonia, ME Montenegro... and the LY domain is Libya. Last week the Libyan domain name registrar hit the headlines when it revoked vb.ly, the homebrew URL shortener for writer and sex-columnist Violet Blue. Misreporting and press and public hysteria have muddied the story somewhat; however, for us security geeks it is pretty simple: somebody in Libya took a dislike to either Ms Blue or her content and had the DNS record revoked. Libya being how it is, there is unlikely to be a viable appeal process.

Avoiding binge-and-purge

So for the sake of a cute URL a bunch of hyperlinks have been revoked by a third-party DNS authority who didn't like the content; the other risk of course is that through bankruptcy, mismanagement or abuse the shortening service itself goes away. This has happened at least twice, first with tr.im in 2009, and last month with u.nu; at some point these sites will go dark and a lot of those Tweets being archived in the US Library of Congress will lose their relationship with the larger web. No-one can say whether in the future a shortening web service will be declared "too big to fail"; nor can we foresee whether a Top-Level Domain administrator might be declared "rogue" for not carrying certain traffic, or for ransoming an entire domain.

But to reduce your risk now you should check that your messaging is not needlessly beholden to third parties. If the content you publish has URLs which absolutely require shortening then you should avoid third parties and run your own shortener in your own domain - the theory being that if you go down you'll only take your own stuff with you.
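The two practical steps above - auditing what you publish for links that depend on somebody else's shortener (and somebody else's registry, as in the vb.ly case), and keeping any shortening you really need inside your own domain - can be turned into a small piece of tooling. The following is an added example written for this page, not code from the article or any of the services it names. It assumes a publisher domain of example.org, a constructed sample post, and an in-memory mapping; the list of shortener hosts is the one the article mentions and would need extending for real use.

```python
import re
import secrets
from urllib.parse import urlsplit

# Third-party shorteners named in the article (constructed audit list; extend as needed).
THIRD_PARTY_SHORTENERS = {
    "tinyurl.com", "bit.ly", "is.gd", "flic.kr", "wp.me", "goo.gl",
    "mcaf.ee", "youtu.be", "bbc.in", "nyti.ms", "vb.ly", "tr.im", "u.nu",
}

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+")


def _host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_third_party_shortener(host):
    """True if host is, or sits under, one of the listed third-party shorteners."""
    return host in THIRD_PARTY_SHORTENERS or any(
        host.endswith("." + s) for s in THIRD_PARTY_SHORTENERS)


def find_third_party_short_links(text):
    """Audit published text: return (url, host, tld) for each third-party short link.

    The TLD is reported because it names the registry whose decisions the link
    depends on (bit.ly and vb.ly both hang off the Libyan .ly registry).
    """
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")          # trailing prose punctuation is not part of the link
        host = _host_of(url)
        if is_third_party_shortener(host):
            hits.append((url, host, host.rsplit(".", 1)[-1]))
    return hits


class OwnDomainShortener:
    """Minimal in-domain shortener: the map lives with the publisher, so the links
    fail only if the publisher does. In-memory here; persist the map in practice."""

    def __init__(self, domain, token_bytes=6):
        self.domain = domain.lower()
        self.token_bytes = token_bytes      # 6 random bytes -> 8-char token, not enumerable
        self._by_token = {}
        self._by_url = {}

    def shorten(self, long_url):
        """Return the short URL for long_url, reusing the token if seen before."""
        if long_url in self._by_url:
            return self._by_url[long_url]
        token = secrets.token_urlsafe(self.token_bytes)
        while token in self._by_token:      # vanishingly rare, but keep tokens unique
            token = secrets.token_urlsafe(self.token_bytes)
        self._by_token[token] = long_url
        short = f"https://{self.domain}/{token}"
        self._by_url[long_url] = short
        return short

    def resolve(self, short_url):
        """Map a short URL back to its target; None for unknown tokens or foreign hosts."""
        parts = urlsplit(short_url)
        if (parts.hostname or "").lower() != self.domain:
            return None                     # never resolve links that are not ours
        return self._by_token.get(parts.path.lstrip("/"))


# Constructed sample post used for the audit (not from the article).
SAMPLE_POST = (
    "Inquest coverage: http://bit.ly/abc123 (full story at "
    "http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8056928/.html). "
    "Commentary via https://vb.ly/xyz9, and our own link https://example.org/Ab3_k9Qz."
)

if __name__ == "__main__":
    for url, host, tld in find_third_party_short_links(SAMPLE_POST):
        print(f"third-party shortener: {url} (host {host}, registry .{tld})")
    s = OwnDomainShortener("example.org")
    short = s.shorten("http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8056928/.html")
    print(short, "->", s.resolve(short))
```

Two design points worth noting: tokens are random rather than sequential or hash-derived, so nobody can walk the namespace or test whether a particular private URL has been shortened; and `resolve` refuses any host other than your own, so the redirector cannot be turned into an open relay for somebody else's links.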

Wiser than that is the realisation that you can't prevent other people from running your links through shorteners - but you can make it unnecessary, so the best thing you can do for the security, availability and integrity of the content you publish is to make the links to it uniform, clear, and concise.