Behind the Scenes: How We Keep Our E2EE URL Shortener Safe from Abuse

Administrator

Building a URL shortener is easy. Making it privacy-friendly and end-to-end encrypted is tougher. But the hardest part? Implementing measures to prevent abuse. Dive into our strategy for maintaining a safe, trustworthy, and abuse-free platform.


URL shorteners create tiny links that pack a big punch, saving characters and making sharing a breeze. But like any tool, they can fall into the wrong hands. Spammers, phishers, and malware peddlers love them for hiding shady destinations behind innocent-looking URLs. At Fynlink, we've built an E2EE URL shortener, meaning the URLs you shorten are encrypted on your device and only decrypted when clicked. We can't see them, which is awesome for privacy but a headache for abuse prevention. Recently, we hit a bump when Google blacklisted us (check out the details in our transparency report), pushing us to rethink and reinforce our defenses.

The E2EE Challenge: Privacy vs. Safety

In a typical URL shortener, the service can peek at the URLs you shorten, scanning for red flags like phishing sites or malware. But with E2EE, we're flying blind. The URLs are locked up tight, encrypted before they even reach our servers. It's like running a mail service where every letter is sealed in a tamper-proof envelope. We can't open it, but we still need to make sure no one's mailing anthrax. How do we pull that off? Through a mix of tech, user accountability, and community vigilance. Let's break it down.

Prioritizing Business Emails: Trust Through Accountability

  • Why It Matters: Business emails are gold for us. They're tied to real identities and companies with reputations to protect. When someone uses their work email, they're putting skin in the game. That accountability is a natural deterrent to abuse.
  • How It Works: We give business emails VIP treatment with faster approvals, higher rate limits, and fewer hoops to jump through. Personal email addresses are allowed, but those signups go to a waitlist first. We receive hundreds of signups daily, over 90% of them from public email providers, and our experience shows that an astonishingly high 95% of those are used to create problematic links.

Security Alert: We've observed that sophisticated abusers often use professional-looking business domains to appear legitimate. They may control multiple domains that point MX records to the same mail server. We actively monitor for these patterns and signups from such domains are automatically blocked.

Email Verification: The First Line of Defense

Every account needs a verified email with no exceptions. It's a simple step that weeds out drive-by abusers.

  • Critical Functionality: Without email verification, users cannot create short URLs, generate API tokens, or add custom domains to their account. This verification requirement ensures we maintain a secure communication channel for important notifications, security alerts, and service updates.
  • Communication Integrity: Verified email addresses are essential for our ability to communicate with users regarding account status, potential security concerns, and compliance matters. This direct line of communication is non-negotiable for maintaining platform integrity and user trust.

Blocking Temp Email Services: No Throwaway Accounts

Even for privacy-conscious legitimate users, temporary email services present significant risks. Without persistent access to your inbox, you may miss critical security notifications, service updates, or account alerts. Most temporary email services offer limited retention periods, meaning you could permanently lose access to important communications about your account. For a service that manages your shortened links, maintaining a reliable communication channel is essential for both security and continuity of service.

  • The Problem: Disposable email addresses are the abuser's best friend. They create one, cause trouble, toss it, and repeat. They're like burner phones for the digital world.
  • Our Solution: We implement various measures to block disposable email services. Try to sign up with a disposable email, and you'll hit a wall. Temporary email services scream "abuse" to us, and we take a firm stance against them.

Pro Tip: For platform developers, maintaining an in-house list of disposable email domains is impractical due to the sheer volume. Hundreds of thousands of such domains exist and new ones emerge daily. We recommend leveraging specialized services like usercheck.com alongside a curated list of common temporary email providers for faster verification. These services offer a significant advantage for privacy-focused platforms, as they only require the domain portion of the email address for verification, preserving user privacy while maintaining security standards.
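The two domain-level checks described above (rejecting disposable-mail domains using only the domain part of the address, and spotting clusters of business-looking signup domains that all route mail through one MX host) are sketched below as an added example. This is not Fynlink's code; the blocklist, the MX records and the exempt-provider set are constructed sample data, and a real deployment would feed the domain to a lookup service such as the usercheck.com service mentioned above and resolve MX records through DNS.

```python
"""Signup e-mail checks that need only the domain part of the address.

Added example, not Fynlink's code. DISPOSABLE_DOMAINS, SAMPLE_MX and
SHARED_MX_OK are constructed sample data; a real deployment would ask a
domain lookup service and resolve MX records through DNS.
"""
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed sample blocklist of disposable-mail domains.
DISPOSABLE_DOMAINS: Set[str] = {"tempmail.example", "throwaway.example"}

# Constructed sample MX data: signup domain -> preferred MX host.
SAMPLE_MX: Dict[str, str] = {
    "acme-consulting.example": "mail.shared-host.example",
    "acme-holdings.example": "mail.shared-host.example",
    "acme-global.example": "mail.shared-host.example",
    "bluewidgets.example": "mx1.bluewidgets.example",
    "greenshop.example": "mx.bigmailprovider.example",
    "redshop.example": "mx.bigmailprovider.example",
    "yellowshop.example": "mx.bigmailprovider.example",
}

# MX hosts of large hosted-mail providers are legitimately shared by many
# unrelated businesses, so they must be exempted from the clustering check.
SHARED_MX_OK: Set[str] = {"mx.bigmailprovider.example"}


def email_domain(address: str) -> Optional[str]:
    """Return the normalised domain part, or None if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or any(not lbl or len(lbl) > 63 for lbl in labels):
        return None
    return domain


def is_disposable(address: str, blocklist: Set[str] = DISPOSABLE_DOMAINS) -> bool:
    """True if the domain, or any parent domain of it, is on the blocklist."""
    domain = email_domain(address)
    if domain is None:
        return True  # an unparseable address is not acceptable either
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def mx_clusters(mx_records: Dict[str, str], min_size: int = 3,
                shared_ok: Set[str] = SHARED_MX_OK) -> Dict[str, Set[str]]:
    """Group signup domains by MX host and return the hosts that at least
    min_size domains share, ignoring known multi-tenant providers."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain, host in mx_records.items():
        host = host.lower().rstrip(".")
        if host not in shared_ok:
            groups[host].add(domain)
    return {host: doms for host, doms in groups.items() if len(doms) >= min_size}


def shares_suspicious_mx(address: str, mx_records: Dict[str, str] = SAMPLE_MX,
                         min_size: int = 3) -> bool:
    """True if the address's domain belongs to a cluster of signup domains
    that all route mail through the same (non-provider) MX host."""
    domain = email_domain(address)
    if domain is None:
        return False
    return any(domain in doms for doms in mx_clusters(mx_records, min_size).values())
```

The exempt-provider set matters in practice: without it, every business on the same hosted-mail provider would look like one actor. The cluster threshold (three domains here) is an assumption to tune against real signup data.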

Cloudflare Turnstile: Effective Bot Protection

  • The Problem: Automated bots constantly attempt to create accounts and abuse platforms at scale. Traditional CAPTCHAs can be frustrating for legitimate users while still being vulnerable to sophisticated bot attacks.
  • Our Solution: We implement Cloudflare Turnstile, a modern CAPTCHA alternative that provides robust protection against automated scripts while maintaining a good user experience. Turnstile offers a more streamlined verification process that effectively blocks automated signups and abuse attempts.

Pro Tip: Turnstile is particularly effective against large-scale automated abuse, which is a common vector for spam distribution through URL shorteners.

Monitoring Usage Patterns: Spotting the Oddballs

  • The Problem: Malicious users often exhibit unusual usage patterns that differ from legitimate users, but these patterns can be subtle and difficult to detect without proper monitoring.
  • Our Solution: We've implemented usage pattern monitoring that flags suspicious activity. For example, creating hundreds of URLs within minutes of account creation is a clear red flag that triggers our systems. We also monitor for other unusual patterns of platform interaction without compromising privacy. This allows us to identify potential abuse while respecting legitimate users.
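As an added example of the kind of metadata-only monitoring described above, the block below flags accounts that create a large number of links shortly after signup and, going one step beyond the post's single rule, computes the peak number of links an account created in any window of a given length. This is not Fynlink's code; the audit log, account ids, event names and thresholds are constructed assumptions. No target URL is needed for either check, which is what keeps it compatible with end-to-end encryption.

```python
"""Usage-pattern checks on link-creation metadata only.

Added example, not Fynlink's code. The audit log is constructed inline;
account ids, thresholds and event names are assumptions. Only timestamps
and account ids are used, never the (encrypted) target URLs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, account_id, event_name)


def build_sample_events() -> List[Event]:
    """Constructed sample log: one bursty account and one ordinary account."""
    events: List[Event] = []
    burst_signup = datetime(2025, 1, 10, 9, 0, 0)
    events.append((burst_signup, "acct-1", "account_created"))
    # acct-1 creates 150 links, one per second, starting 20 s after signup.
    for i in range(150):
        events.append((burst_signup + timedelta(seconds=20 + i), "acct-1", "link_created"))
    legit_signup = datetime(2025, 1, 10, 8, 0, 0)
    events.append((legit_signup, "acct-2", "account_created"))
    # acct-2 creates five links spread across the working day.
    for hours in (0.5, 2.25, 5.67, 8.08, 10.83):
        events.append((legit_signup + timedelta(hours=hours), "acct-2", "link_created"))
    return events


def flag_burst_signups(events: List[Event], threshold: int = 100,
                       window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Accounts that created at least `threshold` links within `window` of signup."""
    created_at: Dict[str, datetime] = {}
    counts: Dict[str, int] = defaultdict(int)
    for ts, acct, name in sorted(events, key=lambda e: e[0]):
        if name == "account_created":
            created_at[acct] = ts
        elif name == "link_created" and acct in created_at:
            if ts - created_at[acct] <= window:
                counts[acct] += 1
    return {acct for acct, n in counts.items() if n >= threshold}


def link_times(events: List[Event], account: str) -> List[datetime]:
    """Timestamps of all link creations by one account."""
    return [ts for ts, acct, name in events if acct == account and name == "link_created"]


def max_links_in_any_window(timestamps: List[datetime], window: timedelta) -> int:
    """Largest number of link creations falling inside any span of `window`.

    Two-pointer sweep over the sorted timestamps. This generalises the
    'hundreds of links within minutes of signup' rule to bursts at any point
    in an account's lifetime.
    """
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    log = build_sample_events()
    print("burst signups:", flag_burst_signups(log))
    for acct in ("acct-1", "acct-2"):
        print(acct, "peak links per 10 min:",
              max_links_in_any_window(link_times(log, acct), timedelta(minutes=10)))
```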

Privacy-Preserving Link Checks: Smart Without Snooping

  • The Problem: Checking URLs for malicious content typically requires sending the full URL to third-party security services, which compromises user privacy and contradicts the principles of end-to-end encryption.
  • Our Solution: We check hashes of target URLs against Google's Web Risk API using a privacy-preserving approach. Unlike services that send full URLs to third parties, we keep local tables of hash prefixes and only query the API with a partial hash when a prefix matches, so your destination URLs remain private.
  • Google Web Risk API: This is the same technology used by privacy-focused browsers like Brave and Firefox to check user-entered links for malicious content. Google Web Risk maintains a constantly updated database of known malicious URLs across various categories including phishing, malware, and unwanted software. Yes, there are things from Google that actually protect user privacy. Web Risk API is one of those rare services designed with privacy preservation as a core principle, proving that not everything is about data collection.
  • How It Works: The API uses a hash-based lookup system where only partial URL hashes are compared. Brave, Firefox, and other privacy-preserving browsers implement similar methods to protect users without compromising their privacy. First, we download hash prefixes of known malicious URLs to our local servers. When a user creates a short URL, we check if its hash prefix matches any in our local database. Only if there's a potential match do we request the full hash from Google's API to confirm, without ever sending the actual URL.
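The hash-prefix flow described in the three points above, as an added example: a local prefix table, a full-hash request only on a prefix match, and an audit trail showing that only a 4-byte prefix ever leaves the server. This is not Fynlink's code and not the Web Risk client library; the canonicalisation is a simplified version of the real rules, KNOWN_BAD is a constructed sample list, and simulated_full_hash_api stands in for the remote full-hash endpoint.

```python
"""Hash-prefix link check in the style of Google Web Risk / Safe Browsing.

Added example, not Fynlink's code and not the Web Risk client library.
Canonicalisation is simplified, KNOWN_BAD is constructed sample data and
simulated_full_hash_api stands in for the remote endpoint. The property
being shown: only a PREFIX_LEN-byte hash prefix is ever transmitted.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Set
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; the usual prefix size in Safe Browsing style lists


def canonicalize(url: str) -> str:
    """Simplified canonical form: host/path?query, lower-case host, no scheme,
    no fragment, no default port, '/' for an empty path."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    try:
        port = parts.port
    except ValueError:
        port = None
    if port is not None and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}{path}{query}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode("utf-8")).digest()


def prefix_of(url: str) -> bytes:
    return full_hash(url)[:PREFIX_LEN]


# Constructed sample of "known malicious" URLs (not real threat data).
KNOWN_BAD: List[str] = ["http://phish.example/login", "http://malware.example/payload.exe"]

# Server side (stand-in for Google): full hashes grouped by prefix.
_SERVER_FULL_HASHES: Dict[bytes, Set[bytes]] = defaultdict(set)
for _u in KNOWN_BAD:
    _SERVER_FULL_HASHES[prefix_of(_u)].add(full_hash(_u))

# Client side: only the prefixes are downloaded and kept locally.
LOCAL_PREFIXES: Set[bytes] = set(_SERVER_FULL_HASHES)


def simulated_full_hash_api(prefix: bytes) -> Set[bytes]:
    """Stand-in for the remote lookup: a prefix in, the matching full hashes out."""
    return set(_SERVER_FULL_HASHES.get(prefix, set()))


class PrivacyLinkChecker:
    def __init__(self, local_prefixes: Set[bytes],
                 lookup: Callable[[bytes], Set[bytes]]) -> None:
        self.local_prefixes = local_prefixes
        self.lookup = lookup
        self.sent_prefixes: List[bytes] = []  # audit trail of what left the box

    def is_malicious(self, url: str) -> bool:
        prefix = prefix_of(url)
        if prefix not in self.local_prefixes:
            return False  # the common case: resolved locally, no network call
        # Potential match (or a mere prefix collision): fetch the full hashes
        # behind this prefix. Only the prefix is transmitted, never the URL.
        self.sent_prefixes.append(prefix)
        return full_hash(url) in self.lookup(prefix)
```

A prefix collision (a benign URL whose first four hash bytes happen to match a listed prefix) costs one lookup and yields a clean result, because the full hash is compared locally; the remote side learns a 4-byte prefix shared by many URLs, not the destination.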

No Short URL Chains: Breaking the Deception Chain

  • The Problem: URL shortener chains (short URLs pointing to other short URLs) are a favorite tactic of scammers and phishers. Each redirect in the chain makes it harder to detect the final malicious destination and bypasses security checks.
  • Our Solution: We actively detect and block attempts to create short URLs that point to other URL shorteners. This simple but effective policy breaks the deception chain that many attackers rely on, making it much harder to hide malicious destinations behind multiple layers of redirection.
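One way to implement the chain check described above, as an added example that is not Fynlink's code: match the parsed destination host, and any parent domain of it, against a list of shortener domains. KNOWN_SHORTENERS here is a constructed sample list plus the page's own fyn.li domain; a production list would be larger and maintained. Matching on the parsed host rather than the raw string means a shortener name appearing in the userinfo or path does not count, while a shortener's subdomain does.

```python
"""Refuse short links whose destination is itself a URL shortener.

Added example, not Fynlink's code. KNOWN_SHORTENERS is a constructed
sample list plus the page's own fyn.li domain.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

KNOWN_SHORTENERS: Set[str] = {"fyn.li", "short.example", "tiny.example"}


def destination_host(url: str) -> Optional[str]:
    """Normalised host of the destination, or None if it cannot be parsed."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # schemeless input such as 'fyn.li/abc'
    host = urlsplit(url).hostname  # lower-cased; excludes userinfo and port
    if not host:
        return None
    return host.rstrip(".")


def points_to_shortener(url: str,
                        shorteners: Set[str] = KNOWN_SHORTENERS) -> Optional[str]:
    """Return the matching shortener domain (exact or parent domain) or None."""
    host = destination_host(url)
    if host is None:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in shorteners:
            return candidate
    return None
```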

Security Note: URL shortener chains are particularly dangerous because they can bypass security checks by hiding the final destination behind multiple redirects. Custom domain users experience less aggressive checks.

Handling Redirects: Transparency for Users

  • The Problem: Direct redirects can be exploited by malicious actors to send users to harmful websites without their knowledge, creating security and trust issues for URL shortener services.
  • Our Solution: We offer multiple redirect options and safety features to protect users:
  • Direct Mode: Instant redirects without preview pages for trusted destinations and maximum convenience.
  • Safe Mode: Shows a preview page with the destination URL before redirecting. Available to all users regardless of plan. If you're a privacy-respecting organization and need your customers to see a preview page without entering any special characters, you can make use of this built-in safe mode feature while creating short links.
  • Warning Screens: For links that seem suspicious but aren't definitively malicious, we automatically show a warning screen. Users can proceed if they trust the source, but they're making an informed choice.
  • Manual Preview: Anyone can add a + or - sign at the end of a short URL to see it in preview mode, which clearly shows the destination before proceeding.

Abuse Reporting: Power to the People

Our users are our eyes and ears. We make it easy to report suspicious links, and we investigate every report. For official domains, we display automated warnings and immediate link previews based on abuse reports. For custom domain customers, we conduct human verification and automated checks. If a link is found to be problematic, it will be quarantined, potentially leading to blocking all other links created by that customer and account closure.

  • Abuse Detection: We receive regular abuse reports from good Samaritans including security professionals, threat intelligence teams, and other companies. These reports help us identify and address problematic links even though we can't directly read your target or short URLs from our servers.
  • Manual Reviews: If a short URL is reported for abuse, we can perform manual reviews to verify the claim. While a manual check is not guaranteed for every report, we strive to investigate suspicious activity thoroughly. As a customer, you will receive notification almost immediately regarding any abuse report, including details about the type of abuse reported, actions taken by us, and whether automated or manual checks were performed.
  • How to Report Abuse: Anyone can report abuse for any link created with our platform. Here are multiple ways to do it:


Direct Reporting

Use our dedicated abuse reporting page:

https://fyn.link/report-abuse

From Link Preview

Force a preview page for any link (including custom domains) by adding a + or - symbol to the URL:

Original link → Preview link
fyn.li/example → fyn.li/example+
custom-domain.com/abc123 → custom-domain.com/abc123-

From the preview page, click the flag icon or the "Report Abuse" link in the footer.

Subscription & Payment Security: Financial Safeguards

Payment systems serve dual purposes in our security strategy. They create a financial barrier that deters casual abusers. They also provide opportunities to implement fraud prevention measures that keep bad actors off the platform entirely.

  • Subscription Requirement: Paid subscriptions create a higher barrier to entry for abusers. This is not just about the money. It is about establishing a level of commitment and trust. Free services are magnets for abuse, while paid services tend to attract more legitimate users.
  • Advanced Fraud Detection: Always include suitable rules to prevent fraudulent payments on your platform. If you use Stripe, we recommend implementing Stripe Radar, although we found its detection capabilities were not as successful as we would have liked; consider supplementing it with additional fraud detection systems for better coverage.
  • 3D Secure Authentication: Make sure to implement 3DS or similar technologies and force its use by creating specific rules. This additional authentication layer significantly reduces fraudulent transactions by requiring cardholders to complete an additional verification step with their card issuer when making online payments.

Multi-Layer Security: Protecting Our Infrastructure

We cap how many links you can create in a given time period. Legitimate users rarely hit these limits, but they stop spammers from flooding the system. Different account types have different limits, with business accounts getting more generous allowances.

  • Advanced Security Infrastructure: Beyond our application-level rate limiting, we employ enterprise-grade security infrastructure that provides comprehensive protection against various threats. This includes DDoS mitigation that automatically detects and filters attack traffic, sophisticated bot management to block malicious automation, web application firewall protection against common exploits, and threat intelligence to proactively identify and block known bad actors.

Pro Tip: Consider using Cloudflare for protecting your links and infrastructure. Their comprehensive security suite provides DDoS protection, bot management, and threat intelligence capabilities that can significantly enhance your platform's security posture.

Balancing Act: Security Without the Hassle

The Trade-Off: Every layer of protection risks tripping up legit users. A redirect warning might confuse someone linking to a login page. Rate limits might irk a power user.

Our Promise: We're obsessed with finding the sweet spot between maximum security and minimum friction. False positives are frustrating, and we're tweaking daily to reduce them.

Conclusion

Security is an ongoing journey, not a destination. As technology evolves and new threats emerge, our approach to protection must adapt accordingly. We recognize that no security system is perfect, and we remain committed to continuous improvement. We're constantly learning, refining our methods, and implementing new safeguards based on emerging best practices and feedback from our community. While we strive to create a secure environment, we understand that security is a collaborative effort that requires vigilance from both our team and our users. We welcome your insights and suggestions as we work together to build a safer platform for everyone.
