Twitter, It’s Time to Fix Short URLs Once and For All

By  |  Friday, September 25, 2009 at 12:26 pm

twitterlogoIt’s not a gross exaggeration to say that without short URLs from services such as and TinyURL, Twitter might not have become the sensation that it is. They enable the sharing of interesting links and photos and generally let the service transcend its 140-character limit. But they also bring some major gotchas, such as the possibility of your links breaking if the short URL provider goes out of business or simply loses interest.

Another basic problem with short URLs: They can be dangerous. The very idea behind them is that they’re short (and therefore cryptic) but can redirect you to any URL. But the URLs they redirect to can send you to malware-infested sites–and since you see the short URL rather than the real one, you don’t have the opportunity to inspect the address for tell-tale signs that it’s risky.

Security software kingpin Symantec is understandably interested in short-URL security, and produced this video showing some sleazy ones on Twitter:

If you can see the real URL before you click, there’s a very good chance you’ll figure out it’s not something you want to visit. Which is part of why many third-party Twitter apps (such as Seesmic) let you preview the true URL. Weirdly, Twitter itself only provides this capability in its feature, via “expand” links (which don’t appear next to all short URLs–you don’t get them with Digg links, for instance).

Twitter short URL with expand link

Seems to me that it would be fairly simple for Twitter to make short URLs a whole lot more useful and a whole lot less insecure. Here, I’ll map out a course of action:

1) Twitter should launch its own URL-shortening feature*. (Currently, it uses as its default service.) It’ll tick off every third-party shortener and probably drive most of them out of business, but the benefits to Twitter users will ultimately be worth it. If Twitter itself controls the short URLs, they’ll work for as long as there’s a Twitter, and the company will gain the ability to make them better than existing ones.

2) It should institute a short-URL expansion feature throughout the site–and instead of making you click an “expand” link, it should autoexpand them so the short link never appears. If users need to take the extra step of clicking to see the real link, they may or may not bother–but if the real one is staring them in the face, many questionable URLs will be manifestly obvious. (And some scammers probably won’t even bother to try and do their dirty work via Twitter.)

3) It should put the real URLs that short URLs point to through a malware-detection feature along the lines of ones that are now standard in Web browsers. If a real URL looks suspicious, Twitter shouldn’t permit it to be turned into a short URL in the first place. (Again, doing this should not only foil malware links that do get through, but should discourage scammers from bothering in the first place.)

*If Twitter is really worried about destroying third-party URL shorteners, it could accomplish most of the above without launching its own service, by launching an API (with malware detection and other enhancements) that other URL shortener can take advantage of. Even if it does create its own service, it needs an API so that third-party Twitter clients can bring all of its goodness to their users.

The above game plan would require some time and money, but if Twitter’s ambition is to be the pulse of the planet, it’s going to be responsible for taking actions that make it harder for the bad guys to screw things up for the good guys. And if the company really has a hundred million bucks to play with, it should throw a little of the dough towards solving this problem once and for all.


Read more: , , ,

4 Comments For This Post

  1. Chris Heath Says:

    Harry, I’d bet you’re aware of this, but many people aren’t. Friendfeed has been auto-expanding shortened URLs for a while now (one of the enhancements in the real-time UI rolled out early this year)

  2. DaveZatz Says:

    Long URL Please Firefox bookmarklet has been helpful.

  3. Bastien Says:

    Excellent post, Harry. I like the API plan, probably because I’m a developer. Making the API available would make all the clients better and provide a solid deterrent to scammers.

    From a tech perspective, I find Twitter one of the most interesting thing out there in some time. I can see some real possibilities in using the app for business.

  4. Rob Says:

    So this is all great and it seems like a great plan… BUT… why doesn’t twitter just have it so it recognizes a URL in a tweet and counts it as 0 or 1 characters? Seems like that would solve lots of the issues here and would actually make most shortener sites obsolete. The only thing that should still be developed if my suggestion is taken are your malware-detection propositions.

1 Trackbacks For This Post

  1. Twitter Fights Against Phishing Says:

    […] anti-phishing technology to detect dangerous short URLs submitted in direct messages and Tweets. I proposed that it do so last September. And given how many fake direct messages I get with short URLs that lead to sites […]