On Aug 15, 2011, at 10:12 21AM, Randy Bush wrote:

>> I've always wondered if the next cisco/juniper 0 day will be delivered via a set of exploits delivered via a link posted to NANOG. :) Maybe I'll do a talk at DEFCON next year about that.
>
> more likely a 'shortened' url. how anyone can click those is beyond me.
I'm curious what your objection is. Mine is privacy -- the owner of the shortening site gets to see every place you visit using one of those.

I don't think there's a significant incremental security risk, because the URL you click on doesn't tell you what you'll receive in any event. Case in point: https://www.cs.columbia.edu/~smb/SMBlog-in-PDF.pdf does *not* yield a PDF. (As far as I know, it's a completely safe URL to click on, but I can't guarantee that someone else didn't hack my site. I, at least, haven't put any nasties there.)

Yes, when you avoid shortened URLs you get some assurance of the owner of the content. Given the rate of hacking -- is anyone really safe from a determined amateur attack, let alone state-sponsored nastiness? -- and given the amount of third-party content served up by virtually all ad-containing sites, you really have no idea what you're going to receive when you click on any link.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
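The two points made in the thread (every host in a shortener's redirect chain learns about the click, and a path ending in `.pdf` says nothing about what the server actually returns) can be checked mechanically before a link is opened. The script below is an added example and is not code from the NANOG thread or from any of its participants. It expands a redirect chain one hop at a time, records which hosts were contacted, and compares the extension's claim, the server's `Content-Type`, and the body's leading bytes. The fetcher, the short-link host `sho.rt`, the `example.org` paths and the response bodies are all constructed in-line so the example runs offline; in real use the `fetch` callable would wrap a HEAD or range-limited GET that does not follow redirects itself.

```python
"""Added example (not part of the NANOG thread): inspect what a link really
leads to before trusting its appearance.  All URLs, redirects and response
bodies below are constructed for the demonstration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: dict          # header names lower-cased
    body: bytes = b""


# A fetcher probes one URL and returns its response without following redirects.
Fetcher = Callable[[str], Response]


def expand_redirects(url: str, fetch: Fetcher, max_hops: int = 10) -> list[str]:
    """Follow 3xx Location headers one hop at a time and return every URL
    visited.  Each hostname in the chain is a party that observes the click;
    for a shortened link the first hop is the shortener's own server."""
    chain = [url]
    for _ in range(max_hops):
        resp = fetch(chain[-1])
        if 300 <= resp.status < 400 and "location" in resp.headers:
            nxt = urljoin(chain[-1], resp.headers["location"])
            if nxt in chain:          # redirect loop: stop rather than spin
                break
            chain.append(nxt)
        else:
            break
    return chain


# Leading-byte signatures for a few common types (constructed, not exhaustive).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-elf"),
    (b"MZ", "application/x-dosexec"),
]

# What a path extension implicitly promises (constructed mapping).
EXT_TYPES = {".pdf": "application/pdf", ".zip": "application/zip",
             ".html": "text/html", ".htm": "text/html"}


def sniff(body: bytes) -> str:
    """Classify a body by its first bytes rather than by any label."""
    head = body[:64]
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    lowered = head.lstrip().lower()
    if lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html"):
        return "text/html"
    return "application/octet-stream"


def extension_claim(url: str) -> Optional[str]:
    path = urlsplit(url).path.lower()
    for ext, kind in EXT_TYPES.items():
        if path.endswith(ext):
            return kind
    return None


@dataclass
class LinkReport:
    chain: list[str]            # every URL visited, in order
    hosts: list[str]            # distinct hosts that learned about the click
    declared: Optional[str]     # server's Content-Type (media type only)
    claimed: Optional[str]      # what the final path's extension suggests
    observed: str               # what the bytes actually are
    mismatch: bool              # extension or header disagrees with the bytes


def inspect_link(url: str, fetch: Fetcher) -> LinkReport:
    chain = expand_redirects(url, fetch)
    final = fetch(chain[-1])
    declared = final.headers.get("content-type")
    if declared:
        declared = declared.split(";")[0].strip().lower()
    claimed = extension_claim(chain[-1])
    observed = sniff(final.body)
    hosts: list[str] = []
    for u in chain:
        h = urlsplit(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    mismatch = (claimed is not None and claimed != observed) or \
               (declared is not None and declared != observed)
    return LinkReport(chain, hosts, declared, claimed, observed, mismatch)


# Constructed stand-in for the network: a shortener hop, a ".pdf" path that
# serves HTML (the situation Bellovin describes), and a genuine PDF.
FAKE_WEB = {
    "https://sho.rt/abc": Response(301, {"location": "https://example.org/~user/report.pdf"}),
    "https://example.org/~user/report.pdf": Response(
        200, {"content-type": "text/html; charset=utf-8"},
        b"<!DOCTYPE html><html><body>This is not a PDF.</body></html>"),
    "https://example.org/real.pdf": Response(
        200, {"content-type": "application/pdf"}, b"%PDF-1.7\n%constructed\n"),
}


def fake_fetch(url: str) -> Response:
    return FAKE_WEB.get(url, Response(404, {}))


if __name__ == "__main__":
    for u in ("https://sho.rt/abc", "https://example.org/real.pdf"):
        r = inspect_link(u, fake_fetch)
        print(u, "->", r.hosts, r.claimed, r.declared, r.observed, "mismatch" if r.mismatch else "ok")
```

Running it shows the shortened link touching two hosts (`sho.rt` and `example.org`) and ending at a `.pdf` path whose bytes are HTML, flagged as a mismatch, while the genuine PDF passes. The classification deliberately trusts the body over both the extension and the header, since the extension is chosen by whoever composed the link and the header by whoever controls the server.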