The risk of the link shortener
In my twitter feed I got this message from Shared Services Canada. It says:
2019 tech resolutions: Learn about your online security and privacy settings to keep your information private! Stay cybersafe with these tips: http://ow.ly/6pGp30n2i96
#SSCtechSPC @GetCyberSafe #GCdigital
OK, nice sentiment. The URL it references is http://ow.ly/6pGp30n2i96, pointing to ‘https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/index-en.aspx‘. What is this? .ly is the country-code top-level-domain of Libya. Why would the Government of Canada send me to a URL in Libya? And, what would happen if that host (ow) were to do something malicious, maybe 1 time in 10 send back an altered page for spear-phishing?
If we look @ the whois, it has this to say: “Domain Status: Strings shorter than four symbols long are to be registered directly under .ly ONLY through Libya Telecom and Technology co. (LTT) in the upcoming period to guarantee that registrants have Local presence.”. Hmm. So this is directly registered through Libya Telecom and Technology and is state-owned.
Now, I get it. Twitter has a limit on the number of characters. SSC is using ‘Hootsuite’ which, cutely, has registered ‘ow.ly’ (get it, owly? hoot?) as a ‘shortener’. But the fact remains that both the operator of ‘ow.ly’ and also of ‘ly’ ccTLD can change where I go. How would the ly ccTLD (Libya Telecom and Technology) change this you ask? Well, good question. You see, there is no DNSSEC enabled 0n ow.ly (check that here). In fact, the .ly zone has no DNSSEC meaning it can be spoofed or altered at will.
So,.. Let’s think this through. Organisations with good reputations (in this case SSC) suggest a user go to a page via redirect through ow.ly. Along the way at least 3 actors (ow.ly owner, LTT, and arbitrary DNS man-in-the-middle or race-condition) can send you somewhere else. This is exactly the sort of social-engineering flaw that a spear-phishing actor would seek to exploit.
So… What would I recommend? Well, I would avoid URL-shorteners entirely. And, if you must use one, use one from a zone (top-level-domain) that has DNSSEC and is in a country that you trust. But remember, if that service ever stops working, or is hacked, you are hacked. So check them out well. Maybe try ‘https://turl.ca/‘