Link shimming and how Facebook tracks you with links


You’ve probably never heard of link shimming, but you have seen it many times. Links posted on sites like Facebook, Twitter or LinkedIn appear as l.facebook.com, t.co or lnkd.in. Let’s look at how it works, using Facebook’s link shims as an example.

What is link shimming?

Links that you share on Facebook are internally translated into another URL. For example, when you post the link www.example.com/cute-dog-video, Facebook turns it into something that could look like l.facebook.com/gbF342gk4sT2. It works like a large lookup table that assigns a new URL to every link that is shared. Now, if you saw that gibberish link, you wouldn’t know what it is and would probably not click it, risking missing the cute dog video. So Facebook does the following: the original link (www.example.com/cute-dog-video) is still displayed, but clicking it sends you to the link shim (l.facebook.com/gbF342gk4sT2).

Why is it good?

These sites use link shims primarily to prevent users from reaching malicious sites through links posted on Facebook. When you click a link, the requested site is checked against Facebook’s internal firewall for malicious content: Facebook checks whether the URL is on its list of malicious sites. That list contains scam and malicious websites reported by McAfee, Google, Web of Trust and others.

A second purpose of shimming is to protect user identity. Depending on your settings, your browser tells every site which page you were visiting before. This information is sent in the HTTP Referer header. Since some URLs on Facebook contain user information such as your full name, the browser could send a URL including your name to a third-party site. For example, if you are on your Facebook profile and follow a link to another site, that site receives the address of the page you came from, i.e., https://www.facebook.com/JohnDoe, revealing your full name. To protect this information, Facebook uses the link shim’s address as the referrer instead.

The referrer header helps site owners analyze where their traffic comes from. If you use Facebook over HTTPS and follow a link to an HTTP site, the site owner doesn’t get a referrer header, because browsers omit it when navigating from HTTPS to HTTP. Facebook works around this by always serving link shims over HTTP.

Sounds like a good thing. It actually is, but wait, there is more.

Why is it bad?

With link shims everywhere on its site, Facebook can not only protect you but also see which links you follow. Normally, as soon as you click a link you leave the previous page, and Facebook can no longer track you. With link shimming, Facebook is both the origin and the first destination of every link, since each click leads to l.facebook.com first. This allows Facebook to record where you come from and where you go. Although we have only talked about Facebook, the principle is the same for other services.

The solution

So here, too, they managed to take a legitimate technology meant to protect users and turn it into a tracking machine. There is a way out of this privacy-intruding story, though. Luckily, EFF’s Privacy Badger now removes the Referer header from facebook.com entirely. The browser extension is available for Firefox and Chrome. The latest version of Privacy Badger also protects against link shimming on Google services. SnowHaze has its HTTP Referer blocker turned on by default.

About the Author

Yvan

Co-Founder of Illotros GmbH, which created SnowHaze