While perusing my Facebook news feed, I saw a link share from a friend. It had your typical spam-laced title & image. 'This girl learns why to always turn your webcam off,' along with a photo of a vagina. The odd thing was the URL it was sharing from, which was Harvard Business School.
After grabbing the URL without ending up on whatever deadly page lay on the other end, I discovered that Harvard Business School (HBS) had made a classic web development error, an open redirect: a page on your server that will send someone to any page on the Web given a simple parameter in the URL.
This is frequently done to track clicks on outbound links, whether JavaScript is enabled or not. It's quick and easy to code, and it will look something like this:
http://RyanGillespie.com/redirect?url=ComputerVirusWebsite.com
The Trust Problem
The first problem, as I see it, is that you now have a URL that starts with your own domain name, the one your audience already trusts. The general public has a hard enough time looking at URLs to know whether or not to trust a site. Your redirect makes that task even more difficult. Your loyal users may now be shepherded into sites that expose them to the latest in web viruses.
Let's start with another real example. I've ragged on Yelp before about this a long time ago and since they still do it to an extent, I'll point to them. Yelp has this URL:
http://www.yelp.com/redir?url=
I can create a page on the Web that looks just like the Yelp login page and start snatching passwords by redirecting people to it. The URL begins with yelp.com so someone would assume if the page they land on looks like Yelp, they arrived at the right page. After I steal the password, I can redirect them from my fake page to yelp.com, so they are none the wiser.
I've heard arguments against this which say, 'who cares if they steal the password for my website? I'm not a bank or holding any other credit card type information.'
First, ask your users how they feel about it. I'm sure they wouldn't care for that attitude. Some people invest a lot of time & effort into these sites and if someone were to erase all of their hard work, they'd be upset. Respect your users or face their wrath.
Secondly, and most worrisome, is that many people use the same password for everything on the Web. Their Gmail password is the same as their Twitter password or their password to a random craft beer forum. This is not uncommon. Once someone gets the password for your site, they suddenly have access to everything. And no, you can't say, 'Well, that's the user's fault for being stupid.'
The Social Problem
I think the Trust Problem is bad enough, but for those who insist on discounting it, here's a problem I think will get your attention.
Do you want your users to be able to share on Facebook? What if Facebook suddenly shut off all links to your site? Not only that, any time someone were to try to share your site, they get a message that says your site is known to be 'spam or abusive.' Yikes! Not exactly good marketing.
The problem lies partially with you. Spammers know that a URL that looks unusual is less likely to be clicked by others on Facebook. However, if they can get the URL to look like a site someone would trust, as in the case of the Harvard Business School situation I mentioned above, people will assume it's safe. If you put the HBS URL into Facebook now, you will get the 'abusive or spammy' message.
The Solution
We need to let our users create links in some instances. There's no getting around that. But when it happens, we have to do two things and do them loud and clear. First, inform them they are leaving the trusted website and second, give the user the option to stay or leave.
This can be achieved by linking straight to the external URL instead of routing it through a redirect on your own domain. If the URL doesn't look like your URL, then there isn't a problem. It communicates both points to a user. As for tracking with this method, an asynchronous JavaScript call to your tracking service will work. It doesn't catch users without JavaScript, but that's a very small percentage of people.
If you insist on using a URL that redirects from your own domain, create an interstitial page that alerts a person they are about to leave your domain and explicitly shows the URL they are about to visit. Also, provide links or buttons to continue to the URL or return to your site. Blogger is an example where this technique is used. You can optionally create a white-list of domains you allow to pass through the interstitial page.
I, personally, prefer the first option as interstitials are annoying to people. And if your site has a lot of external links on it, you're creating a big headache.
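Here is what the interstitial-with-allow-list version of a redirect endpoint looks like, as an added example that is not code from the original post. It decides what to do with the user-supplied target (pass an allow-listed host straight through, show the leave-site page for anything else off-site, and refuse anything that is not a plain http(s) URL, including protocol-relative and userinfo-style targets); the host names in the allow-list are constructed for illustration.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allow-list for illustration; a real site would load its own.
ALLOWED_HOSTS = {"www.example-partner.com", "docs.example-partner.com"}


def classify_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Decide what /redirect?url=... should do with a user-supplied target.

    Returns one of:
      ("redirect", url)      host is allow-listed (or a same-site path): send them on
      ("interstitial", url)  off-site: show the 'you are leaving' page with url visible
      ("reject", None)       not a plain http(s) URL: do not redirect at all
    """
    if not isinstance(target, str) or not target or len(target) > 2048:
        return ("reject", None)
    # Whitespace and control characters are a classic way to confuse URL parsers;
    # refuse them outright rather than trying to clean them up.
    if any(ord(ch) <= 0x20 for ch in target):
        return ("reject", None)
    # A same-site absolute path is fine, but "//host" and "/\host" are not:
    # browsers treat both as protocol-relative URLs to another host.
    if target.startswith("/") and (len(target) == 1 or target[1] not in "/\\"):
        return ("redirect", target)
    parts = urlsplit(target)
    # Only absolute http(s) URLs. This single check also rejects javascript:,
    # data: and scheme-less "//evil.example" targets.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ("reject", None)
    # "https://www.example-partner.com@evil.example" has hostname evil.example;
    # refusing any userinfo in the netloc removes that lookalike trick.
    if "@" in parts.netloc:
        return ("reject", None)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("reject", None)
    if host in allowed_hosts:          # exact match only, no suffix matching
        return ("redirect", target)
    return ("interstitial", target)


def interstitial_html(url):
    """Minimal leave-site page: shows the destination and offers a way back."""
    safe = escape(url, quote=True)     # the URL is user input; escape it for HTML
    return (
        "<p>You are leaving this site and going to:</p>"
        f"<p><code>{safe}</code></p>"
        f'<p><a href="{safe}" rel="noopener noreferrer">Continue</a> | '
        '<a href="/">Return to our site</a></p>'
    )
```

Whatever framework you use, wire `("redirect", url)` to an HTTP 302 and `("interstitial", url)` to a 200 that serves the page above, so the destination is always either allow-listed or shown to the user before they go.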
The Stubborn Solution
Okay, say you refuse to have an interstitial and you insist on redirecting from your own domain. I don't advise it, but something you can do to hopefully protect yourself from getting banned by Facebook is to use their Open Graph sharing meta tags. Don't display your own site's credentials in the redirect page and ensure the redirecting URL is clearly visible. You don't want to be associated with the redirected page!