undefined | Better HN

0 pointsdundarious7mo ago0 comments

In this little story, what's the difference if the direct ACME URL was used? What does the goo.gl indirection have to do with anything?

0 comments

xp847mo ago

Goo.gl was a terrible idea in the first place because it lends Google's apparent legitimacy (in the eyes of the average "noob") to unmoderated content that could be malicious. That's probably why they at least stopped allowing new ones to be made. By allowing old ones, they can't rule out the Google brand being used to scam and phish.

e.g. Imagine SMS or email saying "We've received your request to delete your Google account effective (insert 1 hour's time). To cancel your request, just click here and log into your account: https://goo.gl/ASDFjkl

This was a very popular strategy for phishing and it's still possible if you can find old links that go to hosts that are NXDOMAIN and unregistered, of which there are no doubt millions.

NewJazz7mo ago

Yeah I'm pretty sure this is the main reason google is shutting the service down. They don't want their brand tainted by phishing attempts.

dundariousOP7mo ago

This reputational risk argument makes sense. The post I was replying to seemed to be making a flawed argument about capabilities.

mattmaroon7mo ago

Only insofar as Google might wish to prevent it since their brand was on the shortened url you clicked to get there. And people not having malware is surely good for Google indirectly.

Presumably ACME used the link shortener because they wanted to put the shortened link somewhere, so someone’s going to click things like these. If Google can just delete a lot of it why not?

MajimasEyepatch7mo ago

As the others have mentioned, the goo.gl step isn't necessary for linkjacking, but it is a reputational risk for Google.

j / k navigate · click thread line to collapse