Usage of sur.ly for outbound links.

[KNTRO]

Hi!

I've got this:

in this reply, at both YouTube links.

Is there a per user way to disable this?

Thanks.

[New Tobin Paradigm]

So.. why did you just blind post in this thread without reading?!

As moonchild stated in the opening post there is no way at present to do enable or disable on a per-user basis.

Almost the rest of the posts in this thread are about my userscript I wrote to rewrite links back to their original form..

This kind of inattention to the forums and threads is what creates so much extra work on our or other user's end that could be expended in more productive ways.

So, in the future, you and everyone need to stop and pay attention.

[KNTRO]

This kind of inattention to the forums and threads is what creates so much extra work on our or other user's end that could be expended in more productive ways.

I asked this because I thought some more progression has been done to this, but now I understand I'm wrong.

Anyway, in my opinion this sur.ly thing is nonsense if it's gonna show me a warning when I go to… YouTube?! Really?!

[New Tobin Paradigm]

sur.ly does provide a good if slightly immature service. Perhaps, with our help we can make it better. Also, it does give people a warning when going to links and a good way to get back to the forum.

Though, if you are like me and make heavy use of Tabbed Browsing and click most links with the middle mouse button that aspects can be a little lost. Also, not everyone is as obsessive as I am and reads every post ever posted on the forum since 2013 soo.. It does help when those like me are not awake because it gives a chance for the user to not actually visit a questionable link.

Still, if you do not like the service.. Then use my script. Perhaps, at some later time, sur.ly will work out how to get their plugin to be more per-user with an opt-out option. In the meantime, use my script if you don't like it..

By the way did I mention that someone could use my script.. Cause I am not sure I did.. At any rate.. Use my script

[Wuzzy]

This is a very, VERY bad idea and I strongly propose to remove this as soon as possible.

It adds a totally avoidable single point of failure into links. If sur.ly dies, many links die!
It also needlessly increases the attack area. If sur.ly will be widely adapted in the web, it will surely becomes a VERY attractive target to crackers. Imagine some XSS being injected into the landing page (which is full of JavaScript). Now HUGE numbers of users are subject to the attack. A hostile takeover of the sur.ly servers would be catastrophic. The server operators need to make sure their server is NEVER EVER cracked for years to come.
These are general issues I have with any “intermediate services” like sur.ly.

But I do have specific issues with it as well:
It needlessly reduces user privacy by introducing another instance which can follow user's movements in the Web. I have zero reason to trust sur.ly to keep this data confidential. Ironically, this goes a bit against the idea of “protecting” users.

This is VERY annoying and disrupts my browsing experience. One more pointless link to click / pointless waste of time (5 second delay, more HTTP requests).
Personally, I HATE every website which does this. It feels like a hostile takeover, and it is not nice to posters and readers alike.

I feel like users are being deceived. If the poster just wrote an URL like this:

http://example.org

It actually links to:

Code: Select all

http://outbound.palemoon.org/example.org/

Check the real URL with e.g. your status bar. No, I did not use the URL tag. In other words, the simple example link is a liar.

Also, sur.ly is way to overcomplicated. It depends on JavaScript, so without JavaScripts, outbound links are pretty much broken.

Isn't this kind of checking more a browser thing? There are add-ons for this. If users want to know the WOT score, they would have installed the appropriate add-on anyway or just visit their website directly.
Let users decide which sources of “approval” to trust (if any) instead of forcing a single, centralistic “website rater” (which sur.ly is) on all users.

Guess I have to install another userscript to fix stupefied links. Because surely sur.ly will NOT go into my NoScript whitelist. Sigh.

I vote for disabling this. People should know where they're clicking. And it shouldn't require a browse change of any kind to surf normally.

[Moonchild]

Or you can just calm the f*** down and stop screaming murder.
It takes exactly 1 operation in the forum to disable it if it is a problem for any reason whatsoever. If sur.ly for whatever reason goes down or has an issue, links will be direct after disabling it. The original links are at all times stored in the forum database.

Apart from reducing the risk of having direct malware links AND making the forum less attractive for SEO spammers (that require direct links to target domains to be useful), sur.ly offers you an indicator of the trust level of the external site from several sources and a quick way to go back to the forum. That is added value. Some protection, even if it isn't the one you'd personally choose, is better than no protection.

[coffeebreak]

Tobin wrote a script (named "Unsurly") that restores "surlified" outbound links to their original form.

Found here:
https://greasyfork.org/en/scripts/22256-unsurly

Code: Select all

https://greasyfork.org/en/scripts/22256-unsurly

It is also linked in the original post of this thread.

I use it and can testify that it works.

[Wuzzy]

Well, you asked me for my opinion, you got it.

If sur.ly for whatever reason goes down or has an issue, links will be direct after disabling it. The original links are at all times stored in the forum database.

That's a relief.

It takes exactly 1 operation in the forum to disable it if it is a problem for any reason whatsoever.

Okay, but will this actually happen? I think I already made my point that sur.ly is a problem by design.

Apart from reducing the risk of having direct malware links AND making the forum less attractive for SEO spammers (that require direct links to target domains to be useful), sur.ly offers you an indicator of the trust level of the external site from several sources and a quick way to go back to the forum. That is added value. Some protection, even if it isn't the one you'd personally choose, is better than no protection.

I am aware of this argument. The problem I have here, it is essentially ignoring my privacy and cracker arguments I posted before. You are buying “some” protection by introducing a VERY attractive attack surface. As I said, sur.ly must NEVER EVER be cracked, or else many users will be screwed. So any potential “security” gained by protecting users from direct malware links would instantly be undone if sur.ly gets cracked only once. I argue this is not worth the risk and goes directly against the idea of what sur.ly is supposed to achieve.

If you still insist on this kind of checking, are you maybe aware of any alternatives which don't rely on a 3rd party redirect? Maybe a forum software plugin or something like this. I'm pretty sure sur.ly is not the only way to implement what you desire. I could maybe think of a forum plugin which internally checks links against some database, then rewrites some of the links to point to a special page (only hosted at forum.palemoon.org (instead of a 3rd party)) which could serve a similar purpose than the sur.ly page. It could basically have the same effect as sur.ly in the end, but without redirecting users to 3rd parties, therefore avoiding the increased attack surface and privacy concerns.

And yes, of course I am aware of the “unsurly” script. I argue against sur.ly in general since in the 1st post you said you run it “as a trial”.

[Moonchild]

As I said, sur.ly must NEVER EVER be cracked, or else many users will be screwed.

In the very unlikely event this happens, it'd be only for as long as none of the generally observant users of this forum notices. As I said (once again), it takes 1 operation to disable this if needed for whatever reason.

What you argue is that placing trust in any 3rd party is faulty by design. I think you need to re-evaluate how you view the current web. For argument's sake, consider this statement: I'd rather place my trust in 1 3rd party that I have some measure of control over, than all parties involved in raw links (both users and externally-linked sites). I'm aware of the "worst case" scenario - it's why I audit these kinds of services before I consider them.

are you maybe aware of any alternatives which don't rely on a 3rd party redirect?

There is no such thing. You are always going to rely on a third party for this kind of thing one way or another.

[Wuzzy]

What you argue is that placing trust in any 3rd party is faulty by design. I think you need to re-evaluate how you view the current web. For argument's sake, consider this statement: I'd rather place my trust in 1 3rd party that I have some measure of control over, than all parties involved in raw links (both users and externally-linked sites). I'm aware of the "worst case" scenario - it's why I audit these kinds of services before I consider them.

It goes the other way, too: If sur.ly breaks, most links in this forum will be “infected”. An attacker only needs to attack 1 site for a large impact. But with “raw” links, an attacker would need to “infect” ALL these links to achieve the same effect. So it isn't that easy, after all.
Yes, I agree that having random links all over the place is a security risk, too. I just don't think that sur.ly is a good way to deal with them.

Besides: You audited sur.ly? How? This sounds interesting. Did you have access to source code? What can you tell us about the security of sur.ly? How much control do you have over it (just curious)? Sur.ly must be VERY secure, especially if you plan to use it for many years. I think this level of security, with 0 successful attacks for many years is hard to maintain, especially since sur.ly is an attractive target for crackers.

I still argue it would be better in removing the attack surface altogether rather than hoping it will never be attacked.

are you maybe aware of any alternatives which don't rely on a 3rd party redirect?

There is no such thing. You are always going to rely on a third party for this kind of thing one way or another.

Read again: I wrote “3rd party redirect”. Yes, you obviously have to depend on 3rd parties to get the data about website security ratings. But fetching this data could be done in the background (server-side), while the actual “intermediate” site is hosted on forum.palemoon.org, generated from the data acquired in the background. So it is perfectly possible to have some sort of link checking without exposing users to any “intermediate” pages hosted by 3rd parties, therefore avoiding the introduction of an additional attack surface.

[dark_moon]

I also don't trust nor like sur.ly

Just look at the third-party-requests:

JavaScript from a russian site? No thanks.
JavaScript from newrelic.com & addthis? No, i don't like tracking.

# The site only works with javascript, else no website status is available
# the real link is a iframe, which is a realy bad idea and anyway it open automatic after 5 secons so no user have the chance to read the website status. The only way is to go back and read it, after the iframe site has loaded.
# I don't want use a javascript script just for a workaround for sur.ly but i also understand why its implemented. Only the way how its works isn't nice.

I also vote to disable sur.ly

[dark_moon]

And today we have the first sur.ly problem:

I try to open the link from that post: viewtopic.php?p=92458#p92458 (http://betanews.com/2016/09/13/ancile-i ... y-blocker/)
But i get that:

If i click on the "http://hits.informer.com/log.php?id=1702&r=" Link i get a blocked site from uBlock:

Anyway why in hell the link send me to informer.com instead of sur.ly or the original link?

Edit: Funny, the problem is gone. But yeah, not realy nice. One more reason to stop using sur.ly
Maybe you have more infos, Moonchild.

[satrow]

Dark_moon, looks like Noscript is behind that redirect?

[Moonchild]

You know what?

Fine.

I'll stop trying to make the forum a better place. I'll quit trying to improve things or putting my time into it.
Yes, sur.ly is relatively new, and it's not flawless. The service is still a human effort depending on third party data.

I'll just let it sit from now on. If you have a problem with spam, malware, or getting infected because you're being sent to a malware site from a user post, it will be all on you. I'll make sure to adjust the user content policy to reflect the inherent risks taken. Don't come crying to any of the staff if you end up with ransomware or something similarly catastrophic from data posted here. Rely on client-side alternatives if you want, with their own risks and pitfalls and tracking.

PS: you know why it contacts a russian site? because I asked for integration of yandex metrica for analytics to see the impact of these links. Would you have preferred Google analytics instead... ? ;P Not everything in Russia is evil, and I would appreciate it if you keep an open world view.