I'm against link rot and I hate how Google doesn't maintain old projects. But this is one shutdown I 100% agree with.
Having an official Google domain that anyone can hijack is dangerous, given that many people's main internet identity is Gmail (aka their Google account). I know anyone can create an offshoot (goooogle.org, etc.), but Google was using goo.gl too.
It was easy to redirect a goo.gl to a Google login page (which is on a real Google domain), and trick people into authorizing access to their account.
I consider myself savvy, and I got a pretty convincing one recently. The email looked legit, and the link was a goo.gl link that ultimately landed me on a legitimate Google login page. It didn't trick me, but it did take me a few minutes to figure out how it wasn't legit.
NOTE: This article is kinda misleading. They already stopped letting people add new links in 2019. And now, they're only removing "inactive" links, AKA links that had no activity since 2024. If you visit a link right now, it will be kept. Here's more info: https://blog.google/technology/developers/googl-link-shorten...
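An added example, not part of the comment above and not Google's tooling: a mail-filter style check in Python for the pattern that comment describes, where a goo.gl link's redirect chain ends on a genuine accounts.google.com page that is really an OAuth consent request. The redirect chains, client IDs, allowlist and function name are all constructed or hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

SHORTENER_HOSTS = {"goo.gl"}
GOOGLE_AUTH_HOST = "accounts.google.com"
# Hypothetical allowlist of OAuth client IDs an organisation has approved.
APPROVED_CLIENT_IDS = {"approved-app.apps.googleusercontent.example"}

# Constructed redirect chains: first URL is the link in the email,
# last URL is where the browser finally lands.
CONSTRUCTED_CHAINS = {
    "consent": [
        "https://goo.gl/EXAMPLE1",
        "https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=unknown-app.apps.googleusercontent.example"
        "&redirect_uri=https%3A%2F%2Fcollector.example%2Fcb"
        "&scope=https%3A%2F%2Fmail.google.com%2F+openid&response_type=code",
    ],
    "plain": ["https://goo.gl/EXAMPLE2", "https://www.example.org/article"],
}

def review_redirect_chain(chain):
    """Flag shortener links that end on a Google OAuth consent request."""
    entry, landing = urlsplit(chain[0]), urlsplit(chain[-1])
    query = parse_qs(landing.query)
    report = {
        "via_shortener": (entry.hostname or "").lower() in SHORTENER_HOSTS,
        "lands_on_google_auth": (landing.hostname or "").lower() == GOOGLE_AUTH_HOST,
        "consent_request": False, "client_id": None,
        "scopes": [], "redirect_host": None, "verdict": "ok",
    }
    # A real Google host in the address bar says nothing about who is asking:
    # the client_id, scope and redirect_uri identify the third party.
    if report["lands_on_google_auth"] and "client_id" in query:
        report["consent_request"] = True
        report["client_id"] = query["client_id"][0]
        report["scopes"] = query.get("scope", [""])[0].split()
        report["redirect_host"] = urlsplit(query.get("redirect_uri", [""])[0]).hostname
    if report["via_shortener"] and report["consent_request"]:
        approved = report["client_id"] in APPROVED_CLIENT_IDS
        report["verdict"] = "review" if approved else "block"
    elif report["via_shortener"] and report["lands_on_google_auth"]:
        report["verdict"] = "review"  # login page reached through a shortener
    return report

if __name__ == "__main__":
    for name, chain in CONSTRUCTED_CHAINS.items():
        print(name, review_redirect_chain(chain))
```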
I think it's pretty easy to make an argument against URL shorteners, but I think it's a bit harder to defend killing existing short links. Stop new links from being minted, keep up a "Report Abuse" page, maybe even scan the existing DB for Google Login look-alikes. The upkeep is as much or less than responsibly running a URL short link site in the first place.
Instead, they're just disappearing _all_* goo.gl short links. The overwhelming majority of which are benign links made by users who were promised a super stable URL link shortening service backed by the Google brand.
> All other [active] goo.gl links will be preserved and will continue to function as normal. To check if your link will be retained, visit the link today. If your link redirects you without a message, it will continue to work.
I know it's been deprecated. I'm just saying that they could have stopped it there.
It is true that it is not _all_ links, apologies. "Inactive" here is defined as "not visited in 2024" which is a crazy small envelope. I wouldn't be surprised if nearly all links were deleted.
I fully agree. Official looking redirect URLs are a dream come true for scams and phishing attacks.
The goo.gl link shortener hasn’t accepted new links for many years. Over 99% of the links had no recent activity. The play was to scrape the web for old goo.gl links that went to expired domains, register the domain, and then you have a goo.gl URL that you can send wherever you want, indefinitely.
Nearly all of the angry blog posts, Tweets, and HN comments missed this and jumped to the conclusion that it was purely a cost-cutting measure, but official-looking open redirect URLs are a big deal in the security space.
"Recent" is defined within the last year. If the Wayback Machine adopted this logic, it would be useless.
The security concerns were largely addressed by not accepting new links. This was a cost cutting measure, plain and simple. I think we all agree that a goo.gl shortener was a terrible idea to begin with, and my blog post even shows evidence that folks knew this was a bad idea at launch.
Yeah, and I question how much cost they're saving. Just how much storage do you need for a URI redirect? How much are you spending to have a record that isn't being used?
It would make sense if they were pruning links whose TARGETS were no longer responding. But all the unused links are costing essentially nothing. Essentially all the cost was spent already.
The security concerns were not addressed by not accepting new links. As the post you replied to said,
> The play was to scrape the web for old goo.gl links that went to expired domains, register the domain, and then you have a goo.gl URL that you can send wherever you want, indefinitely.
Instead of shutting down completely, why not this:
For goo.gl links that were created by Google, continue redirecting them as normal.
For others, show a warning page explaining to the user that the link wasn't created (or vouched for) by Google. If they press an "agree" button, still don't show a clickable link, but instead show it as plain text to be copied.