Security and Privacy Implications of Framed URLs

07 Apr Tagged burnurl, diggbar, microblogging, networking security, privacy, security, url shortener, web

My last post focused on the SEO drawbacks of framed URL shorteners, which is mostly a concern for content creators. I later realized that URL shorteners which frame entire pages, like the DiggBar and BurnURL, are even worse than I originally thought. These services are not only stealing PageRank points (and arguably stealing content); they are shifting third-party distrust onto the target site and essentially becoming a man-in-the-middle.

Degrees of relation matter

Most security-conscious geeks refuse to accept cookies or run JavaScript from third parties. I won't go into details except to say that there is a big difference in trust between second parties and third (or more distant) parties. For more information I recommend listening to Security Now 119 and reading the references to NoScript in the SN transcripts.

By framing the target page, these URL shorteners have assumed the role of the second party and demoted the target page to a third party. In a way it's analogous to privilege escalation. They are a man-in-the-middle who can set cookies and run JavaScript even on browsers that have explicitly restricted third-party resources. This also means that the target site won't be able to set cookies or run JavaScript on such locked-down browsers, which, on some pages, could render the page unusable or just really ugly.

I might sound alarmist, since these services make no attempt to spoof their identity (as most man-in-the-middle attacks do), and I'm sure it was not their goal to circumvent third-party restrictions, but that is the result of their implementation and it benefits them nonetheless.

Potential for misuse

I trust that Digg and BurnURL won't do anything like this, but it should be noted that it is trivial for a man-in-the-middle in this position to implement malicious exploits like clickjacking, password stealing, and phishing against trusting users.
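The framing problem described above, and the clickjacking risk it creates, is something the target site can detect and push back on. The following is an added example, not code from this post or from Digg or BurnURL: a small client-side check that tells whether the page is running inside someone else's frame, plus the server-side response headers that tell the browser not to render the page in a foreign frame at all. The `window`-shaped objects, the origin `https://partner.example` and the function names are assumptions made for the example; the header names and the `frame-ancestors` directive are real browser features.

```javascript
// Added example: defensive handling for a page that finds itself framed by a
// third party (for instance a framing URL shortener). Written so the decision
// logic can be exercised outside a browser: `win` is any object shaped like
// `window` (with `top`, `self`, `document.referrer`, `location`).

function isFramed(win) {
  // A page that owns the top-level browsing context has window.top === window.self.
  return win.top !== win.self;
}

function framingDecision(win, allowedAncestors) {
  // Returns "not-framed", "framed-by-allowed" or "framed-by-other".
  // `allowedAncestors` lists extra origins (besides our own) permitted to frame us.
  if (!isFramed(win)) return "not-framed";

  // document.referrer is the only hint a cross-origin framed page gets about who
  // framed it. It may be empty or suppressed, so an unknown framer is treated as untrusted.
  let ancestorOrigin = null;
  try {
    ancestorOrigin = new URL(win.document.referrer).origin;
  } catch (e) {
    ancestorOrigin = null; // empty or malformed referrer
  }
  if (ancestorOrigin !== null && allowedAncestors.includes(ancestorOrigin)) {
    return "framed-by-allowed";
  }
  return "framed-by-other";
}

function applyFramingPolicy(win, allowedAncestors) {
  // Client-side fallback ("frame busting"): if an unknown origin framed us,
  // navigate the top-level window to our own URL so the page is shown unframed.
  // Script-based busting can be interfered with by a hostile framer, which is why
  // the response headers from antiFramingHeaders() are the primary control.
  const decision = framingDecision(win, allowedAncestors);
  if (decision === "framed-by-other") {
    try {
      win.top.location = win.self.location.href;
    } catch (e) {
      // Cross-origin access to top may be refused; nothing more we can do from script.
    }
  }
  return decision;
}

function antiFramingHeaders(allowedAncestors) {
  // Server-side control: tell the browser which origins may frame this page.
  // The legacy X-Frame-Options header cannot express a list of foreign origins,
  // so it only carries SAMEORIGIN; browsers that understand CSP use the
  // frame-ancestors directive instead, which always permits 'self' here plus
  // whatever extra origins the site operator lists.
  const extra = allowedAncestors.length ? " " + allowedAncestors.join(" ") : "";
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'" + extra,
  };
}

// Constructed sample: the page has been loaded inside a frame served by a
// hypothetical shortener, and the site only trusts https://partner.example.
const sampleWindow = {
  top: { location: null },
  self: { location: { href: "https://target.example/article" } },
  document: { referrer: "https://shortener.example/abc123" },
};
console.log(applyFramingPolicy(sampleWindow, ["https://partner.example"]));
console.log(antiFramingHeaders(["https://partner.example"]));
```

The header half is what actually stops a framing shortener from demoting your page to a third party; the script half only helps on browsers that let the frame-busting run, so treat it as a fallback rather than the control you rely on.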

All code on this site is free for use at your own risk and provided as-is under the WTFPL license unless otherwise stated. Attribution is appreciated but not required.
Blog content, with the exception of externally quoted material, is licensed under the Creative Commons Attribution 3.0 license