URL Redirection: Is it Safe?

URL Redirection is a method of forwarding or redirecting a page or link to another location within a domain or another website.

Advantages of using URL Redirection

Webmasters can redirect their visitors to customized page (if the entered link is broken), a new content of the page but the link has changed, current download or location of the page (if the directory or domain has moved). Internet users can also take advantage of free URL Redirection services to shorten a long URL, customize the link with their name or chosen words, take advantage of previewing a page (not all URL redirection service offers preview function), and/or hide the real address of a page using frame or scripting codes.

I was surprised to see the news by PC World today on Vendors Tweet their Updates. “Enterprise IT companies are setting up Twitter accounts in droves, and security companies are among the most enthusiastic given that Twitter is ideal for quick updates on vulnerabilities such as Conficker/Downadup...”

I had a look at the Twitter accounts by malware scanners and security vendors and to my surprise they are using free URL redirection services to send their followers to their blog, press release and research papers. They have to use the URL redirection service because Twitter limits them on what they can tweet. It's similar to the Short Messaging System (SMS) which is limited to 140 characters.

The advice of WiseGeek, “If your link is intended to be used for a short period of time, then redirection services are fine. If, however, you have a more permanent link that you want to post on a website, then you should realize that you are giving away valuable control to an external entity. If you want to use redirects for a more permanent or important application, make sure you trust the redirection service thoroughly.”

ThreatChaos reported: “Short URLs are a threat the social sites are going to have to deal with”. The article is linked to Joshua Schachter’s blog on URL shorteners.

As far as I know, URL redirection is another method by marketers, online scammers and malware authors to trick users in viewing unsafe website or download. Also, some redirection services can track if a user clicks on a redirection link provided by a friend or another user. Another issue with redirection service is to lose the page rank of the popular website or webpage.

URL redirection can contain characters to hide the page or article title. It can mislead users by sending users to another link that is not safe. Users should just go to the website or blog of the software vendor to get the new content or news about their services. It does not make sense to “follow their method” if there’s a risk in using the service. I think it’s OK to use URL redirection if the redirected page is on the same domain or the owner of 2 or more domains is one. Example: Microsoft is using http://go.microsoft.com/?linkid= to redirect their users to another page on Microsoft website. Sunbelt Software does the same for their download of VIPRE Antivirus + Antispyware, http://go.sunbeltsoftware.com/?linkid=411. The usage of URL redirection is to send their users to the current location of the download or a site instead of sending to non-existing webpage or outdated version of the download file.

This is similar reason why I don’t send users to search on their own, especially if the users are not using any method to block malicious links or rate any link within search results because search engines is another method by online scammers or malware authors to trick users to fall into their rogue or malicious works (see my article How To Check If a Website Is Safe for information about some link checking security products).

Note that even if a user is using add-ons to block malicious sites or rate a malicious links, it is not going to prevent malicious links that hide in a URL redirection because the rating system or diagnostics system will usually check the domain instead of the redirected site which could be malicious!