- This topic has 24 replies, 9 voices, and was last updated 10 years, 2 months ago by
.
-
Posts
-
Per @Admin, at the top of this page, at some point it will be a settings checkbox.
This is now a settings option in the eStore plugin. In the next build it will go live and you will will be able to enable it by check the “Shorten Encrypted Download Links” field.
This creates an intriguing question… if e.g. google is being used as a link shortener, does that imply that google can be inspected for click tracking (assuming the shortening is created under the credentials of a google user?)
That would be cool.
On the other hand, I’m not sure how using the link shortener might result in someone else getting the data ahead of the person its being sent to. Is there some way to see the shortened links?
The link shortening is done using an API so I don’t think you can do the inspection.
The shortened link is sent to the email after the purchase. What do you mean by “Is there some way to see the shortened links?”
Sorry: Quoting from an earlier post in this discussion:
“Caveat: When using an external shorting service, you run the very slight risk of having the shortened link harvested by others and used before the intended customer. This may result in customer complaints about expired links.” ~wzp
My question is by what mechanism might this happen so that someone is either able to find the shortened link or what it points to without having it emailed or displayed. E.g. can a nefarious person snoop the goo.gl links created and view them? I know the links are “public” and that someone could brute force attack them, but is there some other method that I should worry about? The Google API only seems to allow a user with credentials to view the links.
The second part of my question: can I substitute my own API key? That would allow me to see how often the shortened URL is clicked.
Example of link being used by others…
It has been demonstrated that, Microsoft scans links sent over Skype.
[http://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/]
Likewise, if you email a link to someone who uses an email account hosted in certain countries (yahoo.cn); it is quite possible the link will be scanned.
The above applies to any links, regardless of how they were shortened. The “caveat” concerned the use of shortening services that may not be trustworthy. Google (goo.gl) is more trustworthy than pirate-bay-shortener.url (or something like that).
On the other hand, you should at least allow encrypted links to be used 2 times at a minimum; to allow for user errors.
You should be able to use your own API key. But if you’re paranoid enough to ask about other people harvesting shortened links, remember this; use of your own API key will immediately associate all shortened links with your Google account!
wzp: I think I’m getting burned by the “link will be scanned”. I have the google link shortener turned on and lately many of my customers are complaining that the “download limit has been exceeded”.
The links are so long, that it’s difficult to determine what exactly is happening, but here is a shortened log. Notice how many times the file appears to be downloaded… all those IP addresses are Google proxies – except one!
66.249.88.172 – – [31/Oct/2014:22:09:44] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 529744 “http://www.google.com.br/url?sa=t&r
***.***.13.91 – – [31/Oct/2014:22:09:45] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 529744 “-” “Mozilla/5.0 (Windows NT 6.0; WOW
66.249.91.40 – – [31/Oct/2014:22:09:45] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 529744 “-” “Mozilla/5.0 (Macintosh; Intel Ma
66.249.83.230 – – [31/Oct/2014:22:10:03] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 529744 “http://www.google.com/url?sa=t&rct=
66.249.83.224 – – [31/Oct/2014:22:10:17] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 529744 “http://www.google.co.jp/url?sa=t&rc
66.249.83.230 – – [31/Oct/2014:22:10:17] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 529744 “http://www.google.cz/url?sa=t&rct=j
66.249.88.174 – – [31/Oct/2014:22:11:07] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 660 “http://www.google.cz/url?sa=t&rct=j&q=
***.***.13.91 – – [31/Oct/2014:22:12:12] URLtoDNLD=kJ7UX7ofH1wJpX%2BCvQ%3D%3D HTTP/1.1″ 200 660 “-” “Mozilla/5.0 (Windows NT 6.0; WOW64)
So it look like using the Google link shortner and/or someone using Googlemail is causing both a ton of wasted bandwidth and the links to appear to be downloaded more than the limit in times.
The “660” character response is the “You’ve downloaded this too many times” response.
This problem used to occur once in a while, now it’s happening very frequently. Thought I’d put it out there in case it’s a known problem, or in case someone else is seeing it.
Yeah, it might end up being “scanned” multiple times:
- Once by Google, trying to check for malware; before shortening the link.
- Once by Google, checking its own database for previously shortened versions of that link; which it will never find; before creating a shortened link.
- Once by Gmail, et al, trying to check for malware.
- Once by the user’s browser security plugin, trying to preview the link or checking for malware.
- The “real” click by the user.
I think it’s worse than that… Notice:
http://www.google.cz (twice)
So Brazil, the US, Japan and Czech Republic (twice) all scanned this ONE link. I think in this case the user managed to get the file, but if he tried again, the 6 download limit will have been exceeded.
This raises an interesting problem that the download limit even when NOT using link shortener may get repeatedly hammered. Is the take-away to multiply the download limit by a factor of 3 or 4?
We have “an idea” for desensitizing the download.php script, so that it will ignore non-browser requests. But we have to do some research and experiments first.
*****UPDATE*****
We’ve replaced Goo.gl with Bit.ly
https://support.tipsandtricks-hq.com/forums/topic/google-url-shortener-reliability
- You must be logged in to reply to this topic.