McAfee Offers (not so) 'Safe' URL Shortener

Thu Oct 7 22:22:45 CDT 2010

Because we don't have enough URL shorteners, McAfee decided to enter the fray. Casting aside the fact that 'safe' URL shorteners exist, they are marketing theirs as a way to "create a safe short URL". They do this by rejecting a URL that has signs of cross-site scripting (XSS) and presumably other bad things.

Unfortunately, that is where the "protection" ends. Putting in the URL of a page with the exact same script they reject in the URL is advertised as GREEN with a big check mark. The upper right corner even says " - using Global Threat Intelligence to protect you." A popup with the word 'squirrel' is allowed just as a script call with document.domain is. This makes it pretty clear that the service does no content check for the page you land on, which would actually be a very cool idea. Until then, this service will not protect you any more than TinyURL can (with 'preview' mode activated) from hostile attacks or being Rick Roll'd.

McAfee, you keep using that word (security). I do not think it means what you think it means.

main page ATTRITION feedback