URL shortening is when you use a service such as bit.ly or tinyurl.com to take a very long URL and condense it into a very short URL. This is very useful for when you need a short URLs, when you have to read a URL over the phone, or for a .pdf document. Below is an example using the URL for this blog entry:
https://blog.bham.ac.uk/itsecurity/?p=445&preview=true
into this shortened URL:
The security risk with a shortened URL is you cannot tell where you are going when you click the link, you have to trust the sender. As a result, some organisations teach their employees not to trust shortened URLs, or simply block them at their network gateway. This poses a problem for some areas of the University.
You should not trust any shortened URLs in an unsolicited email that use a public URL shortener.
At the same time we have to respect the security risks that come along with that. The solution is preview mode. By prepending ‘preview’ to a TinyURL, the service does not send you directly to the destination website. Instead you are taken to a landing page that gives preview of where you will ultimately go. However preview mode does not work on all devices, it mainly applies to PCs.
Here is the short URL pointing to this blog article with preview:
https://preview.tinyurl.com/y8ykvwz5
As long as we can trust the URL shortening service, preview mode eliminates many of the risks associated with URL shortening.
Until the University is able to offer its own URL shortening service, we recommend TinyURL, the only one that seems to offer the preview facility. Go to:
for more information. We don’t recommend TinyURL but it is preferable to others that do not have the preview facility.
Short URLs should not be used in email.