We will start with the problem, then look at some potential solutions we can implement.
So what is the problem?
The problem, in short, is that as a business I shouldn’t be sending out clickable links, especially links that do not reflect my business domain.
This one has been quite a pain for me. Email exchanges, social media and domain hosting, by making things convenient, make it really difficult for me to make them secure.
Implementing the solution is easy; finding the solutions and workarounds wasn’t.
Specifically for my business, part of my remit as a tester and trainer is IT security, so one thing I can’t do is send out an email with a URL at the same time as telling people “You should never click links in emails”.
The reality there is, I should never have put a link in the email in the first place.
Now this presents a problem:
- I need to put my website address in an email
- I instruct customers for phishing advice not to click links in emails
- The email exchange automatically turns anything that looks like a URL into a clickable URL
- I now contradict my own advice, simply because if people should not click links, why am I putting them in emails?
The advice people give out for phishing is essentially to type the link into the browser.
My issues don’t stop there. I have had a 4 day lull in progress because I’m not willing to compromise on my company values, one of which is no tracking or advertising of any kind, no marketing or junk emails of any kind, and no cookies, including “follow us on social media” links.
As a compromise, I rely on direct use of social media to share and promote my business.
However, any link I publish on social media will automatically get changed into a Short URL.
Again, for phishing, you should never click on a short URL. This is by far the worst type of URL out there: it conveniently automates redirecting us to a destination we do not know.
So let’s start by looking at the types of URL that can be sent out, then go on to how I can resolve some of the problems I am having.
Types of URL
Now there are 2 main types of URL:
1. Public URLs
Public URLs are the type that would be published on social media; you can essentially read the destination from the URL itself.
This page, for example, is a Public URL; I have no reason to hide or mask the destination. It is a readable URL.
This is what I want to display on my posts in social media, so that my user knows what they are linking to.
2. Secure URLs
These are the ones that are not readable, usually a lot longer than the example given, and there is a reason we use them.
So if I were linking to private documentation I would use a secure URL something like the above, but probably a bit longer. Over a decade ago now, when I worked for a company that did Home Information Packs (boooo, well I didn’t come up with the idea!), we would send out documents using long jargon URLs.
If you get an online quote, often you will get an email with a link; that link is long and essentially gibberish, unreadable for the most part.
So this is a one to one relationship over the internet. Only that customer/receiver of the link should be able to view the associated page or document.
What that does is prevent someone from getting hold of one link and changing a character in it to access someone else’s.
So if I were sending out this:
You would be able to guess that you can see someone else’s secure information by amending the number in the URL by 1.
However, given that most services rely on a user account of some kind, we need secure links BUT we don’t actually need to send these out in an email.
Jargon Public URLs
Not to be confused with a Secure URL, these serve a different purpose.
So if we take YouTube as an example, you will see jargon in a URL.
These URLs are public and not designed to be secure; the purpose of the jargon part is essentially so that anyone can easily add a video to YouTube without creating a bespoke unique link, as YouTube does that for you.
So if you go onto YouTube and click a video, the URL has jargon, but this is not a secure URL.
Short URLs and Dynamic URLs
These take all the difficult parts of phishing and malware cyber crime and make them easy.
The worst idea since trying to unslice sliced bread.
1. Secure URLs being sent using URL shortening
This does happen: people take a secure URL and, because it is too long, run it through a URL shortening service.
A shortened URL is a public URL; essentially, I can write an algorithm to go through all the short URLs from a provider to see what they link to.
Without going into entropy, putting a secure URL through a URL shortening service defeats its purpose.
2. Masking the destination with a Short URL
Short URLs already mask the destination, so where does this URL go to?
The phishing advice is generally to hover over the link and check the bottom left hand corner of the screen, on the basis that you now know the website you will land on.
But you won’t land on the tinyurl website; you will land on a different page of this website.
In short, this is URL redirection, and it is pretty much the most hypocritical thing a business can utilise whilst being security conscious.
The biggest issue is that individuals become familiar with clicking short URLs, and once something is familiar you wouldn’t necessarily consider it a risk when it is used inappropriately.
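The article deliberately skips the entropy argument, so here is an added example (not from the article) that works it through with constructed figures: a 6-digit sequential quote number, a 6-character base62 short code, and a 32-byte random token of the kind a “secure URL” should carry. The lengths and alphabet sizes are assumptions chosen for illustration; the point is that a short code placed in front of a secure URL caps the whole link at the short code’s entropy.

```python
import math
import secrets

# Constructed illustration values (assumptions, not from the article).
SEQUENTIAL_DIGITS = 6        # e.g. a quote number like 000123
SHORT_CODE_ALPHABET = 62     # a-z, A-Z, 0-9
SHORT_CODE_LENGTH = 6        # typical shortener key length
SECURE_TOKEN_BYTES = 32      # random bytes behind a one-to-one link


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in an identifier drawn uniformly from alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def sequential_bits(digits: int) -> float:
    """Upper bound for a sequential id: there are only 10**digits values to try,
    and in practice the neighbours of a known id are valid too."""
    return entropy_bits(10, digits)


def make_secure_token(n_bytes: int = SECURE_TOKEN_BYTES) -> str:
    """Unguessable path component for a one-to-one link: CSPRNG output, URL-safe."""
    return secrets.token_urlsafe(n_bytes)


def guess_probability(bits: float) -> float:
    """Chance that one random guess hits a specific identifier of the given entropy."""
    return 2.0 ** -bits


def effective_bits_after_shortening(secure_bits: float, short_bits: float) -> float:
    """A short code that redirects to a secure URL is the weakest link: whoever can
    enumerate the short code space reaches the secure destination for free."""
    return min(secure_bits, short_bits)


def summary() -> dict:
    """Compare the three identifier styles side by side."""
    secure = entropy_bits(256, SECURE_TOKEN_BYTES)  # 8 bits per random byte
    short = entropy_bits(SHORT_CODE_ALPHABET, SHORT_CODE_LENGTH)
    return {
        "sequential_bits": sequential_bits(SEQUENTIAL_DIGITS),
        "short_code_bits": short,
        "secure_token_bits": secure,
        "secure_behind_short_code_bits": effective_bits_after_shortening(secure, short),
    }


if __name__ == "__main__":
    for name, bits in summary().items():
        print(f"{name:32s} {bits:7.1f} bits  (1 in {2 ** bits:.3g})")
    print("example token:", make_secure_token())
```

Run it and the last row is the one that matters: the 256-bit token drops to roughly 36 bits the moment it sits behind a 6-character short code, which is a space a scripted scan can cover.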
An argument for short URLs
One argument I see popping up on Google is around social media controls for malicious links.
The argument is that because social media rewrites links to a short URL within their own domain, if someone does post a malicious link they can block it.
While that is a potential benefit, ultimately this argument is flawed on one significant point.
Social media services shorten URLs based on length; they do not replace all URLs with one they control. Essentially, this is a fictitious benefit that has somewhere along the line been made up.
Let’s have a look at LinkedIn:
- LinkedIn shortens hrefs (URLs) to one of their own within the text IF they are longer than 26 characters
- This is only hrefs within the text
So, if I post one long URL to a website address that is formatted correctly for images, LinkedIn will utilise the full URL as part of the image object.
So here is a post. You can see the hover over URL, and you can also see the href URL in the object. What this means is that whatever security benefits people were hoping to see from social media introducing short URLs can be easily worked around.
I don’t see anything wrong with this as a method of posting in LinkedIn: you can see the destination address is a known website, Patreon, which holds my page for some services.
But as far as social media being able to control the redirection service, well, it can’t in this scenario.
The other obvious and more prevalent issue is around the character limit of 26.
This URL would not be shortened:
These wouldn’t either, both of which are available domains:
There is then nothing stopping me from using a different URL shortening service provided by someone else, goo.gl for example, and nothing stopping me from creating my own URL shortening service, i.e. setting up a domain with a few characters, which are available, and then setting up my own redirect service to URLs.
So an argument for social media having extra controls is irrelevant; there are no extra controls.
The benefit to cyber crime, however, is that people are being conditioned into trusting short URLs, which do not make it clear where you are going when you click a link.
That is a trend, and if you have read any of our articles to date around cyber security, you will know that a trend is what I am targeting, not an individual.
Anyway, that is our problem; what is our solution?
How can I operate in a way that works for me without encouraging insecure behaviour in users?
We need to fix the way URLs are handled in certain places, so my requirements and known issues are as follows:
- Emails should not contain any links
- Emails still need to contain website addresses
- Email Servers automatically re-write anything that looks like a URL to a clickable link.
- The same applies to email addresses
- When posting in Social media, I need to be able to display my actual link
- When adding links to my website, they need to display the full link if going external; if remaining internal, they can display text, provided it is clear in the bottom left of the screen where the link goes to.
Point 3 is easily resolved: just use the full link if external, and internal links can be masked by text. The other two points need a bit of consideration.
I will be listing an ideal solution, i.e. how the industry should change, followed by workarounds to make you more friendly to your consumers and more conscientious of their cyber security needs.
They are by no means perfect, but they do allow businesses to contribute effectively to cyber security prior to an “ideal” solution being implemented.
This one would obviously be a lot easier to resolve if social media simply allowed us to post full real links, even if it were optional.
Any security benefits they thought they would get from short URLs are null and void anyway, as they are easily worked around.
The only benefit is around character limits, so if there is a limit to the number of characters you can include in a post, then a short URL does help you.
However, you can also argue that the URL is going to the place with all the writing, i.e. you shouldn’t need the full character limit to convince someone of the importance of going to your page.
Workaround 1 – The better version
For something like LinkedIn, you need to structure your website so that its pages post correctly.
Then add one URL to a post.
This takes the image from your website, and LinkedIn will then use the correct URL as part of the image in the post.
So the most notable reason you see short URLs used in something like LinkedIn is where the target site does not display well, so a different image is put on the post, followed by a short URL. I used this method recently to phish a bunch of people; it worked a treat.
Workaround 2 – Forcing a Display of a full URL
However, there is a simple workaround if you want to display the URL: add an extra slash.
Stupid, right? So again, any argument around short URLs increasing security is null and void.
If you put this into a browser, for example, the browser will turn the triple slash into two, and the double slash before “Education” will become a single slash when you hit return.
(A naked domain with a triple slash)
The majority of browsers and versions will interpret too many slashes as an unnecessary step in a path, as will computers.
So to post an actual link on LinkedIn, this will not (at the time of writing) be auto shortened by their service.
For Twitter, to get that extra character, go for one slash; the browser will auto correct for the additional one.
I don’t know of any way to take advantage of this myself (if anyone else knows of one, do tell), but the user can visibly see where they are going if they copy and paste the text into the address bar or type it.
Now, a properly structured URL will guide the user anyway.
So for my link above, the user can type “thrace-enterprises.com” into a browser, then click “Education”, i.e. it is a breadcrumb designed URL, the same for all the pages on my website.
The address gets them to the same place whether they take a manual route or a copy and paste route.
The short URL on social media, however, well, that just takes them anywhere I want really.
But at least this way, as a consumer, we can go back to NOT TRUSTING 301 and 302 redirects from external sources.
Ah, 2009, a great year for reintroducing phishing methods we had worked past, i.e. the rise of short URLs and redirect services for phishing.
So if I did put a link on social media as text, we have to re-introduce the notion that when you click a link and see it land on any other domain, you are being phished.
So even though this link brings you to my website, you are being phished: the domain you are taken to does not match the domain in the URL.
Solutions for Email services
It took a long time to find a workaround, but it is annoyingly simple.
Email exchange servers should stop converting things they think look like a link into a link.
If consumers should not be clicking links in emails, and businesses need to put links in emails, just stop converting them.
We also should not be telling people to copy and paste links into the browser; the instruction for individuals should be along the lines of
“Check the domain”
However, this would be a more secure method, as the individual is at least guided through reading the domain, so has a chance to see that it is dodgy.
The misspelled domain trick still works against this method, as it does with anything that is sent out today and will until the end of time.
Until we get an ideal solution, here is a workaround to prevent email servers from turning your website and email addresses into clickable links.
If your emails come from a different application, say you have a CRM tool that you send emails from, or you send out marketing emails or something like that, the chances are it writes HTML anyway, so you can already add your own markup to the email wherever a link is substituted in.
So, when you write a link, you just add span markup like the below, which should prevent the webmail server from turning it into a link; it will just remain plain text, which is ideally what we want to combat phishing emails.
The consumer can then type the link into the browser.
The way it is implemented does depend on the email service you use. I am providing Gmail instructions as they are the most complicated, but ultimately, if you are writing or sending emails from an application, you would implement this type of solution there.
Outlook should be simpler as well; in fact you will find almost any solution to this simpler than Gmail. The markup you use for the links is the same as above.
This solution is keeping in mind that you want all the other styles offered by HTML emails, but without conditioning consumers into clicking links in emails.
What we do is break the website address by wrapping certain special characters with “span” markup.
So if I want to put these in an email:
Then I would enter them as follows:
To add markup to my Gmail emails manually, I do the following:
1. First off, I write my email in something else, like Notepad.
2. Then I compose a new email, add the subject and in the text box I just write any random text.
3. Highlight the text, right click it and select “Inspect” or “Inspect Element”.
4. On the new screen (Developer Tools), right click the highlighted record and select “Edit as HTML”.
5. Find where your ‘random text’ is written and paste in the text from Notepad.
6. Click off the element in the Developer Tools and the email will format as it will be seen by the user.
7. Send the email.
This is what is received at an external address:
As you can see, no links are present; they just display as text.
When a user copies and pastes the text from the email into the browser, as they are told to do, it will strip the markup and take them to the correct page.
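The article’s own markup is shown only as images, so here is an added Python simulation (not the article’s code) of why the trick works. It assumes the broken-out characters are `.`, `:`, `/` and `@`, and stands in for the email client’s auto-linker with a constructed regex run over each text node separately, which is the shape a DOM-based linkifier takes; real clients differ, so treat the regex as an illustration rather than Gmail’s actual rule.

```python
import html
import re

# Characters isolated in their own <span> so no text node ever holds a whole
# address. Assumption for this example: the article says only "certain special
# characters" without listing them.
BREAK_CHARS = ".:/@"

# Constructed stand-in for an auto-linker's pattern (not any real client's).
_AUTOLINK_RE = re.compile(
    r"(?:https?://[^\s<>]+)"                        # scheme-prefixed URL
    r"|(?:\b[\w-]+(?:\.[\w-]+)+(?:/[^\s<>]*)?)"     # bare domain with optional path
    r"|(?:[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"            # email address
)
_TAG_RE = re.compile(r"<[^>]+>")


def break_autolink(address: str) -> str:
    """Return HTML for the address with every BREAK_CHAR wrapped in its own <span>."""
    out = []
    for ch in address:
        esc = html.escape(ch)
        out.append(f"<span>{esc}</span>" if ch in BREAK_CHARS else esc)
    return "".join(out)


def text_nodes(markup: str) -> list[str]:
    """Split markup into the text nodes a DOM-walking linkifier would see."""
    return [t for t in _TAG_RE.split(markup) if t]


def simulated_autolinks(markup: str) -> list[str]:
    """Everything the simulated auto-linker would turn into a clickable link."""
    found = []
    for node in text_nodes(markup):
        found.extend(m.group(0) for m in _AUTOLINK_RE.finditer(html.unescape(node)))
    return found


def copy_as_plain_text(markup: str) -> str:
    """What the reader gets when they copy the rendered text into the address bar."""
    return html.unescape(_TAG_RE.sub("", markup))


if __name__ == "__main__":
    # Constructed sample addresses of the kind the article puts in an email.
    for address in ("thrace-enterprises.com/Education",
                    "https://thrace-enterprises.com/Education",
                    "info@thrace-enterprises.com"):
        plain = f"Visit {address} today"
        broken = break_autolink(address)
        print("plain text  ->", simulated_autolinks(plain))      # linkified
        print("span-broken ->", simulated_autolinks(broken))     # nothing linkified
        print("copy/paste  ->", copy_as_plain_text(broken))      # intact address
```

The design point is that the break has to fall on the characters the linkifier keys on: wrapping only the dots would still leave `https://thrace-enterprises` as a contiguous scheme-prefixed token in one text node, so the scheme separators are wrapped too.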
A lot of effort, right?
No, not really, especially not for businesses.
The reality is, most businesses send out HTML emails anyway; if you are sending from your own email account, you only need to do this when you add a link to an email.
A small business may have some extra effort, but again, marketing emails and the like are largely HTML, and these can be configured to operate in this way. It is only really personal one to one emails, where you manually add a link, that you need to think about. The rest can be automated or built into the structure of all emails sent.
For one to one emails, once you get used to doing this, it takes a few seconds longer than the normal route anyway.
But the real issue at hand is that cyber security doesn’t work when everyone takes the easy option.
Now this is something that is very important to me: convenience vs security.
As a business, from my part, just sticking a link into an email and ignoring the consequences is convenient, but it isn’t secure.
The methods in this article are not convenient to me as a business, but for my consumers they are secure.
It is also more convenient for my consumers that I make the effort so they don’t have to.
If everyone takes the convenient option, then no one is secure.
In short, as a business, practice what you preach and take responsibility.
Now, in line with my own rules, see the links below:
To see what we offer for business services, click this link (stays on this website)
We are starting an education service which we are hoping to fund via Patreon, at least in the early days, you can see further detail on our page for Education (stays on this website)
To stay updated, follow us on Twitter
@ThracEnterprises (I can’t add the full address via WordPress at the moment without flooding you with a feed and a load of cookies)
(So links on the same domain can be included as text, and links on a different domain are shown clearly. I don’t use the full Twitter address, which is a problem for me, as it will currently flood the page with crap, but I intend to find a suitable workaround for this.)
Thanks for reading