undefined | Better HN

0 pointsobtu14y ago0 comments

In the sense of following them, or rewriting them as well?

0 comments

3 comments · 1 top-level

indec14y ago· 2 in thread

We follow them on the server side and check the final URL we get to against the GSB database. We don't modify the user-generated content.

underwater14y ago

I assume you check each step of the unrolling? Otherwise a malicious site could easily do:

   if (is_etsy_ip()) header('Location: http://www.google.com/') && die();

indec14y ago

Well, generally following the redirects is actually somewhat redundant. The idea of GSB is that URLs that lead to bad things would all be identified and added to the database.

Customising attacks for a given site specifically adds complexity and cost to the attack, which is really the aim for all of this sort of work. Everything you can do to drive up the cost of the attack makes you a less inviting target.

It would be a mistake to think that usb4ugc (or tools like it) would protect everyone all the time. It's never a replacement for vigilance and education on the user-side, just a useful extra line of defense.

1 more reply

j / k navigate · click thread line to collapse