[Owasp-leaders] OWASP Tinyurl Service (Was Short url)

James McGovern JMcGovern at virtusa.com
Wed Oct 13 09:00:17 EDT 2010


Doesn't this approach require the user to "trust" that they will be
redirected to a page that won't load malware? The most secure thing
would be to show the destination page when hovering over the URL to give
a user a better sense of the destination...

 

James McGovern
Insurance SBU 

Virtusa Corporation

100 Northfield Drive, Suite 305 | Windsor, CT | 06095

Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890  


 

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Michael V.
Scovetta
Sent: Tuesday, October 12, 2010 12:29 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Tinyurl Service (Was Short url)

 

I started a project like this about a year ago, but haven't had much
time to go beyond the initial implementation. The idea was a
security-oriented TinyURL. 

http://fo.ly/

Instead of being immediately redirected when you click on a fo.ly link,
you arrive at a landing page that contains information about the
destination URL (via links to third-party sites that scan for malicious
content).

If OWASP is looking to get into the redirector business, I'd be happy to
donate the domain/code/database. Or really anything else. I'm not doing
much with it as is, and it basically runs itself. The site could really
use some sexing up (as you can probably tell, I'm not a UI guy).

Thanks--

Mike

On Tue, Oct 12, 2010 at 10:58 AM, Neil Matatall <neil at owasp.org> wrote:

Great point Dinis.  I would be glad to develop/manage one but that would
be a conflict of interest of course ;)

 

Neil

 

On Tue, Oct 12, 2010 at 7:19 AM, dinis cruz <dinis.cruz at owasp.org>
wrote:

I think that this is a cool idea, that the OWASP Community should be
involved and that there is a need for such 'security focused' redirects
(note how Twitter and Bit.ly are trying to get into that space)

I'm not sure about the part where OWASP would be running these services
(i.e. used in the real world), since that should be done by a
'commercially focused' entity (with SLAs, backups, support, etc..). I
think OWASP's role should be on everything else BUT running the live
service (think Ecosystem, project, PoCs, rules of engagement, security
reviews, etc...)

There was actually a PoC created a while back on this exact topic
(including a live example of it running) but I can't remember who did it
(I think it was implemented in Java??). I just tried to find it on my
inbox(ex) and had no luck, so are the involved parties on this list so
that they can put my memory to shame? (and point us to what has already
been done)

Dinis Cruz





On 11 October 2010 16:33, Neil Matatall <neil at owasp.org> wrote:

Would there be any interest in developing an OWASP tinyurl service?  It
might be a good way to use the brand to promote security with the
potential for damage if a nasty link gets through.

 

There would have to be...

*	an approval process (so there would be very few links actually
"endorsed")
*	a review and alerting process in the case that a site gets
compromised
*	an endorsement of the source by multiple members/leaders
*	etc

I think I just talked myself out of this but it could be useful and a
way to get a little more brand recognition out there.  My vote would be
that this is too cumbersome and the potential impact is a little too big
for my comfort.  Nevertheless, I would like to discuss this if others
are willing and interested.

 

Neil

 

On Mon, Oct 11, 2010 at 5:53 AM, Ferdinand Vroom <
ferdinand.vroom at owasp.org> wrote:

Paulo,

We would like to use a short url for our opsomming BeNeLux conference.
Preferably, http://www.owasp.org/benelux.
Could you arrange for that?

Greetings,

Ferdinand
Netherlands Chapter

2010/10/9, Paulo Coimbra <paulo.coimbra at owasp.org>:
> Leaders,
>
> I am glad to announce I've just set a new project up - the OWASP Secure Web
> Application Framework Manifesto, led by Rohit Sethi. Please welcome his new
> OWASP initiative!
>
> http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto#tab=Project_About
>
> http://www.owasp.org/index.php/User:Rksethi
>
> As always, your suggestions and contributions would be greatly appreciated.
>
> In addition, this project already has a very mature release, OWASP Secure
> Web Application Framework Manifesto/Version v0.08 - please glance at it.
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current
>
> If the project leader and his contributors ultimately decide to have this
> release assessed as I am counting on, I will update you.
>
> Many thanks, regards,
>
> Paulo Coimbra,
> <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

--
Sent from my mobile device

Ferdinand Vroom
OWASP Dutch Chapter Board Member
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders








-- 
-[ Michael Scovetta ]-

