[Owasp-leaders] OWASP Tinyurl Service (Was Short url)

Tin Zaw tin.zaw at owasp.org
Tue Oct 12 12:40:45 EDT 2010


http://is.gd has a feature that if you put a dash at the end of their
tiny url, it lands on a page that shows the real url (e.g.,
http://is.gd/fHiFb-).

What other security features should a URL shortening service have?

I think OWASP will be better off promoting/advocating these features,
than actually implementing it.

On Tue, Oct 12, 2010 at 9:32 AM, Neil Matatall <neil at owasp.org> wrote:
> Have to throw this in even if it is somewhat missing the point of this
> particular conversation: http://news.ycombinator.com/item?id=1763431
>
> On Tue, Oct 12, 2010 at 9:29 AM, Michael V. Scovetta
> <michael.scovetta at gmail.com> wrote:
>>
>> I started a project like this about a year ago, but haven't had much time
>> to go beyond the initial implementation. The idea was a security-oriented
>> TinyURL.
>>
>> http://fo.ly/
>>
>> Instead of being immediately redirected when you click on a fo.ly link,
>> you arrive at a landing page that contains information about the destination
>> URL (via links to third-party sites that scan for malicious content).
>>
>> If OWASP is looking to get into the redirector business, I'd be happy to
>> donate the domain/code/database. Or really anything else. I'm not doing much
>> with it as is, and it basically runs itself. The site could really use some
>> sexing up (as you can probably tell, I'm not a UI guy).
>>
>> Thanks--
>>
>> Mike
>>
>> On Tue, Oct 12, 2010 at 10:58 AM, Neil Matatall <neil at owasp.org> wrote:
>>>
>>> Great point Dinis.  I would be glad to develop/manage one but that would
>>> be a conflict of interest of course ;)
>>> Neil
>>>
>>> On Tue, Oct 12, 2010 at 7:19 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>
>>>> I think that this is a cool idea, that the OWASP Community should be
>>>> involved and that there is a need for such 'security focused' redirects
>>>> (note how Twitter and Bit.ly are trying to get into that space)
>>>>
>>>> I'm not sure about the part where OWASP would be running these services
>>>> (i.e. used in the real world), since that should be done by a 'commercially
>>>> focused' entity (with SLAs, backups, support, etc..). I think OWASP's role
>>>> should be on everything else BUT running the live service (think Ecosystem,
>>>> project, PoCs, rules of engagement, security reviews, etc...)
>>>>
>>>> There was actually a PoC created a while back on this exact topic
>>>> (including a live example of it running) but I can't remember who did it (I
>>>> think it was implemented in Java??). I just tried to find it on my inbox(ex)
>>>> and had no luck, so are the involved parties on this list so that they can
>>>> put my memory to shame? (and point us to what has already been done)
>>>>
>>>> Dinis Cruz
>>>>
>>>>
>>>> On 11 October 2010 16:33, Neil Matatall <neil at owasp.org> wrote:
>>>>>
>>>>> Would there be any interest in developing an OWASP tinyurl service?  It
>>>>> might be a good way to use the brand to promote security with the potential
>>>>> for damage if a nasty link gets through.
>>>>> There would have to be...
>>>>>
>>>>> - an approval process (so there would be very few links actually
>>>>>   "endorsed")
>>>>> - a review and alerting process in the case that a site gets compromised
>>>>> - an endorsement of the source by multiple members/leaders
>>>>> - etc
>>>>>
>>>>> I think I just talked myself out of this but it could be useful and a
>>>>> way to get a little more brand recognition out there.  My vote would be that
>>>>> this is too cumbersome and the potential impact is a little too big for my
>>>>> comfort.  Nevertheless, I would like to discuss this if others are willing
>>>>> and interested.
>>>>> Neil
>>>>>
>>>>> On Mon, Oct 11, 2010 at 5:53 AM, Ferdinand Vroom
>>>>> <ferdinand.vroom at owasp.org> wrote:
>>>>>>
>>>>>> Paulo,
>>>>>>
>>>>>> We would like to use a short url for our opsomming BeNeLux conference.
>>>>>> Preferably, http://www.owasp.org/benelux.
>>>>>> Could you arrange for that?
>>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> Ferdinand
>>>>>> Netherlands Chapter
>>>>>>
>>>>>> 2010/10/9, Paulo Coimbra <paulo.coimbra at owasp.org>:
>>>>>> > Leaders,
>>>>>> >
>>>>>> > I am glad to announce I've just set a new project up - the OWASP
>>>>>> > Secure Web Application Framework Manifesto, led by Rohit Sethi.
>>>>>> > Please welcome his new OWASP initiative!
>>>>>> >
>>>>>> > http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto#tab=Project_About
>>>>>> >
>>>>>> > http://www.owasp.org/index.php/User:Rksethi
>>>>>> >
>>>>>> > As always, your suggestions and contributions would be greatly
>>>>>> > appreciated.
>>>>>> >
>>>>>> > In addition, this project already has a very mature release, OWASP
>>>>>> > Secure Web Application Framework Manifesto/Version v0.08 - please
>>>>>> > glance at it.
>>>>>> >
>>>>>> > http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current
>>>>>> >
>>>>>> > If the project leader and his contributors ultimately decide to have
>>>>>> > this release assessed as I am counting on, I will update you.
>>>>>> >
>>>>>> > Many thanks, regards,
>>>>>> >
>>>>>> > Paulo Coimbra,
>>>>>> > <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
>>>>>> >
>>>>>>
>>>>>> --
>>>>>> Sent from my mobile device
>>>>>>
>>>>>> Ferdinand Vroom
>>>>>> OWASP Dutch Chapter Board Member
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> --
>>>>>
>>>>> Neil
>>>
>>>
>>>
>>> --
>>>
>>> --
>>>
>>> Neil
>>
>>
>>
>> --
>> -[ Michael Scovetta ]-
>
>
>
> --
>
> --
>
> Neil



-- 
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP Los Angeles Chapter
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw

