When people dont understand recursion

  1. evgeni
    3. 4 comments

While drinking my coffee, I stumbled over http://www.longurlplease.com/ on Golem.de (sorry, it's German).

They say, that when you get a shortened URL, you

  • have no idea where it links to
  • are unaware you've been there
  • may secretly linked to yucky websites

That sounds correct, esp with the "funny" "new" ideas of the German government about blocking sites with 'Kinder"pornographie"' (sorry for the German again, and for the multi-quotes, but they say I have to call it like this...) and recording those who try to access such sites.

Anyways, that great service over at longurlplease.com will make the world a safer place:
  • You see you've been there before
  • Tell it links to youtube
  • More information before you click

(the lists are copied from their site, without care about proper rewording for my context)

Sounds great, huh? And they even support 65 different shorturl services. But lets see how they support the same service twice in a row (should be easy too, right?).

  1. Go to http://tinyurl.com/
  2. Create a shorturl for http://gpl.imageafter.com/ (= http://tinyurl.com/oae8sx)
  3. Go to http://tinyurl.com/
  4. Create a shorturl for http://tinyurl.com/oae8sx (= http://tinyurl.com/r6n74h)
  5. Ask the longurlplease.com API about http://tinyurl.com/r6n74h (curl "http://www.longurlplease.com/api/v1.1?q=http://tinyurl.com/r6n74h")
  6. See {"http:\/\/tinyurl.com\/r6n74h": "http:\/\/tinyurl.com\/oae8sx"} as result
  7. Laugh and spread double-shortened Rick-Rolls (people will love you!)


That makes the whole service somehow useless, as you gain exactly nothing, and tell longurlplease.com about each shorturl that comes to your browser (if you have the Firefox plugin installed).

On the other hand, the creator could easily add a recursive resolver, but I bet he (or she? or they?) won't do that, when one does not want the service to die completely in a endless loop (I don't have a black hat, neither I have a white one - I actually don't like hats at all, but it should be possible to construct some funny redirection loops with such services).

Update:
It seems tinyurl.com was intelligent and changed that behaviour now:
Error: TinyURL redirects to a TinyURL.
The URL you followed redirects back to a TinyURL and therefore we can't directly send you to the site. The URL it redirects to is http://tinyurl.com/oae8sx.

But one still can fake this:
http://ow.ly/9Arf -> http://tinyurl.com/oae8sx -> http://gpl.imageafter.com/

Comments

M.Pomme wrote on 2009-05-28 12:03:

After 2 or 3 recursion, it is very likely that the poster of the tiny url is trying to rick roll you or worse, so this is really a minor issue.

However it would be just as good if the service was implemented directly in the extension, i don’t see the point of having the extension call a webservice. This would swipe the privacy concerns

Tim wrote on 2009-05-28 21:12:

I happen to have been to a talk about longurlplease by its author and know that he is well aware about the fact that he did not implement recursion. It’s not that he doesn’t "understand" about it.

@M.Pomme yes, implementing it directly is an option, but can be a *lot* slower, especially for popular urls. The services caches the results and can thereby server them much much faster than if the extension was to resolve them itself.

As for the privacy issue, I’m not sure it’s a terribly good argument. Url shorting services have privacy issues themselves. They sell the information and perform statistical analysis on them. Using longurlplease will actually break their behaviour for each of the sites. Of course, technically it’s now possible for longurlplease to gather and market the info, but from the code I saw, he did not do that. I’d prefer to trust longurlplease with my browser request data than trust any of the tiny-url services. :-)

Evgeni wrote on 2009-05-29 08:29:

@Tim: I’m sure the author understands recursion, that’s why I wrote that he prolly does not want recursion.

The service might "help" with regular twitter etc posts that shorten the URL because they have to, but as it is still possible to hide the final URL from the viewer, there will be evil-guys doing so.

@Tim&M.Pomme about privacy:

There is no code *yet* that would do this. But I think tinyurl and others started like this too: as a pure useful service.

So in the end, where is the difference in resolving that URL via longurlplease or via tinyurl? In both cases there is a third-party which will know that you (or at least the browser X that can send packets from your IP) want to access a site.

Even funnier: with the help of the site the shorturl links to, one could find out, how many people really click on the link of those who see it.

Just my 0.02€

Matt wrote on 2009-05-29 09:09:

More to the point, if it’s a tinyurl, if you go to preview.tinyurl.com/aoeuasdf it will display the site that it’s redirecting to.

Matt

Send your comments to evgeni+blogcomments@golov.de and I will publish them here (if you want).