Is the Web Heading Toward Redirect Hell?

Ant snips from Royal Pingdom this excerpt: "Google is doing it. Facebook is doing it. Yahoo is doing it. Microsoft is doing it. And soon Twitter will be doing it. We're talking about the apparent need of every web service out there to add intermediate steps to sample what we click on before they send us on to our real destination. This has been going on for a long time and is slowly starting to build into something of a redirect hell on the Web. And it has a price."

Re:How do you get offenders to stop?

[tom17]

Like this? http://unshorten.com/

I just 'thought of' that only to find it was done aages ago...

Facebook

[Xacid]

To play the devil's advocate - facebook's redirects started as a way to filter out all the spam links.

Re:How do you get offenders to stop?

[shog9]

Close enough: https://addons.mozilla.org/en-US/firefox/addon/9549/

Re:wasn't there a time....

[JesseMcDonald]

To be fair, that is nothing more than a workaround for several other major security issues:

1. The referrer header itself. This header serves no useful purpose, and leaks information that the destination website has no need to know. There is no way to use the referrer information securely, since it can be trivially forged, but it does serve as an invaluable tool for malicious attacks and unwanted tracking.

2. Session IDs should be validated to prevent hijacking. At the very least the session ID should be ignored if it comes from a different IP address than the one which created the session. It's not a perfect solution, given dynamic IPs, NAT, and proxies, but it would block most attacks without inconveniencing normal users.

3. No private information, including session IDs, should ever go in the URL. HTTP POST requests or cookies are a better solution here. (Naturally, cookies should be valid only until the end of the session unless the user explicitly indicates otherwise.)