When I was in high school, I took a wonderful career planning course. Instead of being a mind-numbing survey of possible occupations and career paths, it instead focused on understanding yourself. What are you good at doing? What do you actually enjoy doing? What are your values and aspirations? And finally, given all of that, what types of jobs would someone like you find fulfilling? As part of this research, we took a test called the Strong-Campbell Interest Inventory (since renamed) that statistically correlated all of these things and spit out a really cool report showing where your skills and interests overlap with specific careers. (You take a version of that test here for about $23 – it’s fun even if you’re not looking for a career change.)
So what does that have to do with privacy and security? Okay… not much. But David Campbell (of Strong-Campbell fame) wrote a book on career planning (which we read in my class) called If You Don’t Know Where You’re Going, You’ll Probably End Up Somewhere Else. And that was the first thing that popped into my head as a title for an article on how to reveal the true destination of shortened URLs. That’s way too long for a blog name, but it gave me the opportunity to tell you a little story and give you a couple interesting (if completely unrelated) resources.

What is a Shortened URL?
If a web address is anything more than a simple domain name, it becomes impossible to remember. So in situations where you want someone to recall or even write down a web link (or URL), you need to keep it short and memorable. Enter URL shortening services like bitly, owly, and many others. You enter the real web address, which is long and ugly, and these services will convert it to something short and easier to remember.
It’s probably easier to illustrate this with an example. I just opened an online shop where you can buy merchandise that carries my spiffy dragon-and-castle logo. Of course, I’d love to tell my podcast listeners about this merch website, but reading out “https://firewalls-dont-stop-dragons.myspreadshop.com/” is too cumbersome and no one would remember it. For printed material, I could use a QR code. For articles like this, a hyperlink will do it. But for some printed material and definitely for audio-only situations, you need something short and memorizable. Using bitly, I can create something much easier to say and remember like “bit.ly/FDSD-merch”. You can even set up your very own URL shortening service using YOURLS – which I did for my business and use all the time. I bought the domain fdsd.me so I could create custom short URLs, like fdsd.me/merch.
If You Don’t Know Where You’re Going…
The problem with shortened URLs is that they obscure the true destination of the web address. Those shortened links are going to bounce you through at least one intermediate website and you will eventually be redirected to the real target site. Those sites could be fake sites trying to trick you into entering credentials for the real site. They may also be sites running malicious code or containing links to malware-laced files.
Thankfully, there are some helpful tools that can allow you to see the final destination for these shortened URLs before going there. Some of them will give you a preview of the site and even warn you if the final site is known to be malicious content.
Some of these shortening services have built in tools for this. In most cases, you can add a simple prefix or suffix to the shortened URL that will expand it before taking you to the final site:
- bit.ly, goo.gl, is.gd: Just add a plus sign (“+”) to the end, like https://bit.ly/FDSD-merch+
- tinyurl: Add “preview.” to the domain, like https://preview.tinyurl.com/whatever.
- tiny.cc: Add a tilde suffix (“~”), like http://tiny.cc/spp4vz~
- Click here for several others services (I wish they’d settle on a standard)
You can also use dedicated URL expanding services. Most of these will show you a visual preview of the site, as well.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!