
L(O*62).ONG: Make your URL longer

ccbikai
19 replies
4d10h

I am the author, I wanted to publish it myself, I didn't expect you had already published it. Thank you very much.

Encountered quite a few problems during the deployment, mainly related to HTTPS certificates.

The longest segment of a domain name is 63 characters. The maximum length of an HTTPS certificate commonName is 64 characters.

This caused Cloudflare, Vercel, and Netlify to be unable to use Let's Encrypt to sign HTTPS certificates (because they used the domain name as the commonName), but Zeabur can use Let's Encrypt to sign HTTPS certificates.

Finally, the Cloudflare certificate was switched to Google Trust Services LLC to successfully sign.

Related certificates can be viewed at https://crt.sh/?q=looooooooooooooooooooooooooooooooooooooooo...

toast0
8 replies
2d19h

Are you accusing them of being a government organization, or accusing them of being in China?

SamBam
2 replies
2d2h

These are not hard to meet, nor should they be.

But hard for a random url-elongator site to meet.

Registrants are required to certify that they meet the following eligibility requirements when registering a .NGO or .ONG domain name:

1. Focused on acting in the public interest. [...] work for the good of humankind and/or the preservation of the planet

5. Active Organizations. Members of the .NGO and .ONG community are actively pursuing their missions on a regular basis.

6. Structured. Members of the .NGO and .ONG community, whether large or small, operate in a structured manner (e.g., under bylaws, codes of conduct, organizational standards, or other governance structures.)

Clearly this site doesn't qualify.

toast0
0 replies
2d1h

1. Focused on acting in the public interest. [...] work for the good of humankind and/or the preservation of the planet

Operating a publicly available lengthening service is in the public interest and is working for the good of all humans. I used to use hugeurl, but it's no longer in service.

5. Active Organizations. Members of the .NGO and .ONG community are actively pursuing their missions on a regular basis.

This is an active organization, pursuing a mission of longer urls for the good of all. Maybe this sounds frivolous, but there's a lot of frivolous but chartered 501(c)(3)s, and the requirements don't specifically require a registrant to be registered as a non-profit or charity or similar (although such a registration is likely to satisfy an audit, tax records showing a lack of profits/retained earnings may be sufficient).

6. Structured. Members of the .NGO and .ONG community, whether large or small, operate in a structured manner (e.g., under bylaws, codes of conduct, organizational standards, or other governance structures.)

We don't have evidence of how it's operated. Many organizations operate websites without publishing their bylaws. Although, I'll grant that circumstantial evidence seems to be that it's operated by an individual.

bux93
0 replies
4h4m

You can't see from the site who the owner is. Could be a library. Could be a music club. Could be the Gates foundation. An art collective.

Running the website (in this case, an url elongator) is not required to be an objective in the articles of incorporation.

Nevertheless, an URL elongator strikes me as funny, and providing fun for free is surely for the good of humankind.

Dalewyn
1 replies
2d8h

The author's X account[1] and associated posts are decidedly Chinese, so it's a valid inquiry.

[1]: https://x.com/ccbikai

csande17
0 replies
1d20h

The GitHub repo linked from the page is owned by an individual (not any kind of structured NGO that would be eligible for this), and they set the location field on their GitHub profile to "NanJing,China" (suggesting that they are located in China).

shawabawa3
3 replies
4d8h

Just to expand on this, commonName is not at all required in certificates and is basically deprecated/legacy

Letsencrypt does not require you to set it, just subject alternate names, which can be up to 255 characters, but some providers require it for no reason

semi
1 replies
4d4h

surprisingly it's been deprecated since RFC 2818 was published 24 years ago.

It's only more recently that browsers and other common software stopped validating it though

throw0101c
0 replies
4d3h

    If a subjectAltName extension of type dNSName is present, that MUST
    be used as the identity. Otherwise, the (most specific) Common Name
    field in the Subject field of the certificate MUST be used. Although
    the use of the Common Name is existing practice, it is deprecated and
    Certification Authorities are encouraged to use the dNSName instead.
* https://datatracker.ietf.org/doc/html/rfc2818#section-3.1

    Therefore, if and only if the presented identifiers do not include a
    DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types
    supported by the client, then the client MAY as a last resort check
    for a string whose form matches that of a fully qualified DNS domain
    name in a Common Name field of the subject field (i.e., a CN-ID).  If
    the client chooses to compare a reference identifier of type CN-ID
    against that string, it MUST follow the comparison rules for the DNS
    domain name portion of an identifier of type DNS-ID, SRV-ID, or
    URI-ID, as described under Section 6.4.1, Section 6.4.2, and
    Section 6.4.3.
* https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4

Also from 2015:

    9.2.2 Subject Distinguished Name Fields
    a. Subject Common Name Field
    Certificate Field: subject:commonName (OID 2.5.4.3)
    Required/Optional: Deprecated (Discouraged, but not prohibited)
    Contents: If present, this field MUST contain a single IP address
    or Fully-Qualified Domain Name that is one of the values contained
    in the Certificate’s subjectAltName extension (see Section 9.2.1).
* https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf#page=17

* https://stackoverflow.com/questions/5935369/how-do-common-na...

layer8
0 replies
2d21h

To further expand, commonName is only deprecated for SSL/TLS server certificates. It is, for example, mandatory for CA certificates and code signing certificates.

pragma_x
0 replies
2d2h

I love this.

My first impression was: "What in the QA is this? I wonder what this breaks?"

> because they used the domain name as the commonName

Understandable, but that's old-school, right? I'm pretty sure the x.509 extensions for SAN cover this now, and I'm kind of surprised that CA's are sticking to the old way of doing this.

micw
0 replies
2d7h

Amazing. Will you provide email services? ^^

mcpherrinm
0 replies
2d17h

Let’s Encrypt now (as of 2023) supports having certificates with no CN now, so long domains are fully supported:

https://community.letsencrypt.org/t/simplifying-issuance-for...

The previous workaround available was to include a second, shorter domain on the certificate but that wasn’t always easy or possible.
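The length limits discussed in this part of the thread, as an added example (not code from looo.ong, Let's Encrypt or any hosting provider). `checkDnsName` and `planSubject` are hypothetical names, the 64-character commonName bound is RFC 5280's `ub-common-name`, and the sample hostname is constructed from the page title.

```javascript
// Added example: decide which names can go into a TLS certificate request.
const MAX_LABEL = 63; // RFC 1035: one DNS label
const MAX_NAME = 253; // RFC 1035: 255 octets on the wire, 253 chars in text form
const MAX_CN = 64;    // RFC 5280: ub-common-name

// Returns a list of problems with a DNS name; an empty list means it is usable as a SAN.
function checkDnsName(name) {
  const errors = [];
  const host = name.endsWith('.') ? name.slice(0, -1) : name;
  if (host.length > MAX_NAME) {
    errors.push(`name is ${host.length} chars, limit is ${MAX_NAME}`);
  }
  host.split('.').forEach((label, i) => {
    if (i === 0 && label === '*') return; // wildcard is allowed as the leftmost label
    if (label.length === 0) {
      errors.push(`label ${i} is empty`);
    } else if (label.length > MAX_LABEL) {
      errors.push(`label ${i} is ${label.length} chars, limit is ${MAX_LABEL}`);
    } else if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i.test(label)) {
      errors.push(`label ${i} has characters outside letters, digits and hyphen`);
    }
  });
  return errors;
}

// Plans the subject of a certificate request for the given names.
// cnRequired models a provider that insists on a commonName (an assumption
// about the provider's pipeline, not a documented API).
function planSubject(names, { cnRequired = false } = {}) {
  const invalid = {};
  for (const n of names) {
    const errs = checkDnsName(n);
    if (errs.length > 0) invalid[n] = errs;
  }
  if (Object.keys(invalid).length > 0) return { ok: false, invalid };

  // Every name goes into subjectAltName; commonName is optional and can only
  // hold a name of at most 64 characters.
  const commonName = names.find((n) => n.length <= MAX_CN) ?? null;
  if (commonName === null && cnRequired) {
    return { ok: false, reason: `no name fits in commonName (limit ${MAX_CN})` };
  }
  return { ok: true, subjectAltNames: [...names], commonName };
}

// Constructed sample: a 63-character label plus ".ong" is 67 characters in total.
const LONG_NAME = 'l' + 'o'.repeat(62) + '.ong';

function demo() {
  return {
    sanOnly: planSubject([LONG_NAME]),
    cnForced: planSubject([LONG_NAME], { cnRequired: true }),
    withShortName: planSubject([LONG_NAME, 'short.example'], { cnRequired: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `withShortName` case is the second-shorter-domain workaround mentioned above; the `sanOnly` case is the certificate with no commonName.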

Dr_Birdbrain
0 replies
2d11h

Can you help me understand what is the point of this project? :)

jan_Sate
11 replies
4d8h

Be wary with making this kind of website. I made something similar long time ago (urllengthener.sadale.net) and got my site reported for "spam campaign". Turns out that the spammer was abusing my site to generate spam link. I handled that promptly by shutting down my site and didn't receive any penalty for that.

The way it worked is that the spammer used my urllengthener as a redirection service to a website that looks like an incomplete project, which is actually a disguise. There's JavaScript code on their site with a URL fragment identifier (the hash thingie postfix for URL) detection mechanism, and if the URL fragment identifier matches an ad of their own, it'd redirect to the actual spam ad.

Let's say the spammer owns example.org. The spammer would generate link with my service such that https://urllengthener.sadale.net/foobarbaz would redirect to https://example.org. Then it'd send spam with a link of https://urllengthener.sadale.net/foobarbaz#identifierXYZ to the victim. Then the victim would click on the link, which redirects him to https://example.org/#identifierXYZ, which would show victim the ad. https://example.org/ looks legit on its own and there is no log shown on the HTTP server because the URL fragment identifier is a client-side thing. I'm kind of thankful of that spam abuse report. Otherwise I might have never found out.

(Remarks: example.org isn't the actual spam site. I just use this domain name as an example.)

I don't have the time for now but I think I should make a write up about that some time later.

And I've tested your service and apparently your site is vulnerable to the exact same kind of abuse as mine. I'd strongly recommend that you at least disable redirection of the URL fragment identifier. Example of URL that's prone to abuse: https://looooooooooooooooooooooooooooooooooooooooooooooooooo...

varelaz
5 replies
4d8h

How is this different from GET arguments in the URL? I mean, does this relate only to the URL fragment? Because JavaScript can parse URL parameters as well, and any spam site can abuse it even with a rewrite in the path part of the URL.

jan_Sate
4 replies
4d8h

GET arguments are not redirected to the spam site because when the url redirection site has received the GET argument, the GET argument would generally be discarded/disregarded before redirecting the user to the spam site.

varelaz
3 replies
4d8h

But you're not in control of fragment part. Server doesn't receive fragment for request, it's all managed completely by the browser. To handle this you need to do client side redirect with javascript.

jan_Sate
2 replies
4d8h

Good question.

I haven't tested that but I think it's possible to modify the fragment with Javascript: https://stackoverflow.com/a/4282075

So my idea would be getting looo.ong to create a special client-side redirection webpage that would remove the fragment part using Javascript before performing the redirection with Javascript. And no. Using HTTP redirection response on server side won't work.

EDIT: I've actually seen URL redirection websites that remove the fragment part so it should be doable. Perhaps the purpose of that is to avoid spam abuse.

factormeta
0 replies
2d22h

Thanks to the need for ES to accommodate SPA (one of the worst things that has ever happened to the web), that allows ES/JS to change the URL of the page as long as it is within the same domain. What could go wrong. Don't try to make web a QT replacement. Create your own freaking interface. Stop hijacking web as document based platform to squeeze everything in there.

Izkata
0 replies
2d13h

> I haven't tested that but I think it's possible to modify the fragment with Javascript

Yes, this is how single-page apps allowed linking to subpages before history.pushState existed.
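The fragment behaviour discussed in this sub-thread, as an added example that is not part of any comment and is not looo.ong's code. It models the rule in RFC 7231 section 7.1.2 (a `Location` value without a fragment inherits the fragment of the requested URI) and shows a redirect service emitting a `Location` with an explicit fragment; the function names are hypothetical, the URLs are the ones used in the comment above, and it assumes the user agent follows that RFC rule.

```javascript
// Added example: model how a user agent resolves a 3xx redirect.
// The server never sees the fragment, so only the Location value it emits
// decides whether the clicked link's fragment survives.

// True when a Location value carries no fragment component and therefore
// inherits the fragment of the URL that was clicked (RFC 7231, 7.1.2).
function inheritsFragment(locationHeader) {
  return !locationHeader.includes('#');
}

// Where the browser ends up after following one redirect.
function followRedirect(requestUrl, locationHeader) {
  const target = new URL(locationHeader, requestUrl);
  if (inheritsFragment(locationHeader)) {
    target.hash = new URL(requestUrl).hash; // copied from the clicked link
  }
  return target.href;
}

// Location value a redirect service can emit for a stored target.
// A target that has its own fragment keeps it; otherwise an explicit empty
// fragment is appended, so there is nothing left to inherit.
function hardenedLocation(storedTarget) {
  const u = new URL(storedTarget);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`refusing to redirect to scheme ${u.protocol}`);
  }
  return storedTarget.includes('#') ? u.href : u.href + '#';
}

// Constructed walk-through using the example hosts from the comment above.
function demo() {
  const clicked = 'https://urllengthener.sadale.net/foobarbaz#identifierXYZ';
  const stored = 'https://example.org';
  return {
    // Plain redirect: the fragment chosen by whoever sent the link arrives
    // at the target, which can act on it client-side.
    plain: followRedirect(clicked, stored),
    // Hardened redirect: the target is loaded with an empty fragment.
    hardened: followRedirect(clicked, hardenedLocation(stored)),
    // A stored target with its own fragment is delivered unchanged.
    ownFragment: followRedirect(clicked, hardenedLocation('https://example.org/docs#intro')),
  };
}

console.log(demo());
```

`inheritsFragment` doubles as a check to run against the `Location` values a redirect service already emits.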

sva_
2 replies
2d22h

> I handled that promptly by shutting down my site and didn't receive any penalty for that.

What kind of penalty do you think you could've gotten and by whom?

bsoft16385
1 replies
2d21h

Spamhaus or another IP reputation provider will contact your hosting provider or ISP and warn them that either:

- You need to follow their best practices (which practically for me meant paying for a subscription)
- Or your upstream net block would be marked as untrustworthy (which basically blocks email delivery from that IP range)

You can imagine what your hosting provider or ISP will do with this.

Source: I ran a URL shortening service from 2004-2007 and this happened to me.

TeMPOraL
0 replies
2d11h

That's totally not a protection racket.

chriscjcj
1 replies
2d19h

Indeed. It's depressing to say, but stand by for a bad actor(s) to abuse this service for nefarious purposes in 3... 2... 1....

longerd2
0 replies
2d7h

Yeah. When we build a new road, eventually some gangsters will drive on it. Weirdly, tech is the only place where people then look at the platform.

No one would shut down the post (DHL) for allowing a drug enterprise to send illegal substances using DHL.

So yeah, these links will be abused. What isn't abused?

aendruk
9 replies
2d21h

.ong is intended for “organisations non gouvernementale” and the main difference from .org is that proof of actual NGO status is required.

mrb
4 replies
2d17h

No, proof of NGO status is not required. Anyone can buy a .ong domain.

debugnik
1 replies
2d16h

According to [1], .ong/.ngo domains are eventually audited for NGO status, rather than requiring proof during the purchase. So one can technically buy it but the registrar should eventually take it away from them.

[1]: https://thenew.org/org-people/about-pir/policies/ngo-and-ong...

wongarsu
0 replies
2d7h

However the requirements don't state that you have to be a registered NGO in any country. Being registered as some NGO-like tax-exempt entity anywhere but China will make the audit a lot easier, but technically you should be able to pass even if you are just two people with some bylaws written on a piece of paper.

debugnik
0 replies
2d16h

Check my comment sibling to yours, there's an audit process after the purchase.

zakki
2 replies
2d20h

I wonder why the TLD is not .ngo.

ehPReth
0 replies
2d18h

.ngo also exists alongside .ong depending on what suits the organization. Sadly, they don't automatically get both anymore: https://en.wikipedia.org/wiki/.ngo_and_.ong

aendruk
0 replies
2d20h

The answer to that is easy enough to find. I submit that a better question is why not .gno à la UTC.

lxgr
0 replies
2d18h

> the main difference from .org is that proof of actual NGO status is required.

Somehow I have even more questions now. Is this a registered ONG then!?

AbraKdabra
9 replies
2d19h

There should be a label telling people they need the protocol first, as soon as I entered I wrote "google.com" and nothing happened, confused me for a bit and thought there was something broken or maybe it was a victim of a HN hug.

Dr_Birdbrain
4 replies
2d13h

I don’t understand. What is needed? I tried Google.com as well, i don’t understand what I need to do

AbraKdabra
3 replies
2d13h

> There should be a label telling people they need the protocol first

You need to put the protocol like I said.

sparky_z
2 replies
2d13h

To anybody who's still confused: start your url string with "http://".

erhaetherth
1 replies
2d11h

https:// please.

berkes
0 replies
2d10h

...which is probably why it's required.

Otherwise the service would have to presume. Which either excludes http:// or https:// probably the first.

I've run into this when writing an url shortener and decided that without the protocol, I'd just put https:// in there. So that people could still add webcal://, ftp://, ssh:// and http:// in there if they wish.

hackernewds
1 replies
2d17h

Ah I did the same thing. why is it even necessary?

askl
0 replies
2d10h

It's not a URL without a protocol.

scrps
0 replies
2d19h

Seconded. I made this same mistake.

Liftyee
0 replies
2d19h

Agreed. I was about to ask why it didn't seem to work on mobile - that would be it.

w-ll
6 replies
2d19h

I made something similar to make links look "sketchy"

will probably break any auto linking stuff but should work if copy&pasted or properly linked

    https://sketchylinkasdf.com/ssl_webmaster.zip/qwerty/<IMG SRC="javascript:alert('XSS')"/a95a33ab-9f0d-4f64-9cf3-a80d48593de0

eulgro
1 replies
2d18h

There's a few "shady URL" generators, you can search and find a few.

w-ll
0 replies
2d18h

cool, you should make one also and then we can get an old school webring to link to all of them.

Izkata
1 replies
2d14h

May I suggest adding a subdomain? Making the full domain something like "mail.com.sketchylinkasdf.com"

clippyplz
0 replies
2d4h

Cool site! Just went to the /feedback page but there doesn't seem to be any way to actually submit feedback. Am I missing something?

AbraKdabra
0 replies
2d17h

I'm purple team pentester, I can't say if that URL gives me more PTSD or giggles.

rrr_oh_man
5 replies
4d10h

The seemingly required https:// should be prefilled in the form

rrr_oh_man
2 replies
2d19h

Edit:

Also, it seems to only look for `http:` + one character, which is a bit disorienting. (E.g. `https:/a` would be a "valid" domain)

voidUpdate
0 replies
2d10h

it just needs [a-zA-Z]: for it to actually generate, you don't need any valid protocol, just a letter then a colon

arrowleaf
0 replies
2d3h

If it looked for `://` then stuff like `mailto:me@fake.email` would break.

shever73
0 replies
2d19h

This should be the top comment. Thank you!

ryan-duve
0 replies
4d9h

Ah, thank you. I figured it was broken.

ilikeitdark
0 replies
2d22h

That was one of the coolest sites ever, the other one being where you could make virtual mixtapes and send them to people. We can't have nice stuff anymore....

ValdikSS
0 replies
2d16h

You can get @cccccccccccccccccccc.cc email on https://tempr.email/en/, press "agent" icon and paste this domain name.

eka1
2 replies
2d17h

Why the content warning for a hackernews website though?

illusive4080
1 replies
2d16h

That’s the same warning you get for any elongated URL

drusepth
0 replies
2d1h

Yeah, I understand _why_ they provide the warning before forwarding you through to any URL, but at the same time this extra click (or "warning") for users puts this service squarely in the category of joke services rather than actually-usable services (even as a joke service).

Love it as a piece of art/commentary, though.

0a6d187a23dfb4c
0 replies
2d5h

1) the capitalization makes some very visually interesting patterns, if you kinda squint

2) what the fuck lmao

joshmanders
3 replies
2d22h

I love how you encode the url as binary then replace the 0's and 1's with O's and o's. This is genius.

efilife
2 replies
2d21h

How do you know? Where can I read about this? Am I missing something?

myself248
2 replies
2d6h

A company called Halibut Stuff used to sell T-shirts that came with free email forwarding.

I was myself@iwenttodefcon7.andalligotwas.thislousyemailaddress.com

It broke a LOT of signup forms.

I was working in software testing at the time and we talked about setting up a "likely to break things" email service and selling it to other testers, but realized that the people who'd need it would find it hard to explain to the people who write the checks.

tracker1
1 replies
2d3h

While arbitrary, I usually set email fields to at least 100 characters (n?varchar) in databases.

pixl97
0 replies
2d1h

I believe the RFC says they can be up to 256 characters, though the domain must only be 64 characters.

In addition to restrictions on syntax, there is a length limit on email addresses. That limit is a maximum of 64 characters (octets) in the "local part" (before the "@") and a maximum of 255 characters (octets) in the domain part (after the "@") for a total length of 320 characters. However, there is a restriction in RFC 2821 on the length of an address in MAIL and RCPT commands of 256 characters. Since addresses that do not fit in those fields are not normally useful, the upper limit on address lengths should normally be considered to be 256.

jhoechtl
2 replies
2d9h

Why? Because you can or what's the use case?

wongarsu
0 replies
2d7h

It's funny because we are used to URL shorteners making URLs shorter, not longer. Storing the target URL as a series of O and o inside the generated URL is also a clever technical solution that is aesthetically pleasing.

wigster
0 replies
2d9h

I'm glad it's not just me

ceving
2 replies
2d11h

Why would you want to do this? It seems to me like cutting yourself.

myself248
1 replies
2d6h

If your job is testing bandages, that might be reasonable.

account42
0 replies
2d4h

I think if my job was testing bandages I would come up with less harmful ways to do that than cutting myself.

andersa
2 replies
2d21h

Am I having a stroke? I am 100% certain I saw this exact topic with these exact comments yesterday, but here we are with all of them saying they're from 5 hours ago.

lolinder
0 replies
2d21h

This happens when an article is revived from the second-chance pool. From what I understand the only way they currently have to resurrect a thread involves changing timestamps, which is extremely disorienting for people who actually did see the previous thread.

See dang's explanation to the same question here (and his link to an algolia search of other previous explanations): https://news.ycombinator.com/item?id=36472976

jv22222
0 replies
2d21h

They engineered a real Mandela effect!

tamimio
1 replies
2d19h

Can’t wait to be abused by scammers and phishing attacks.

Liftyee
0 replies
2d19h

At least the page after clicking the long link tells you where you're actually going, making this about as risky as a regular phishing link.

URL filters may have a hard time though.

kelseydh
1 replies
2d10h

This feels about as long as any link Facebook adds with the appended `fbcid=` url parameter.

longerd2
0 replies
2d9h

or &si= when you share YT videos nowadays

Uptrenda
1 replies
2d15h

We should just use URLs to store our files. Amirightguise?

TimLeland
1 replies
2d3h

What about making your URLs super short??

https://t.ly/

itslennysfault
0 replies
1d23h

First of all, short URLs is kinda overdone / common. There are infinite URL shortening services.

Secondly, this is maybe the last service I'd recommend people use. First time I opened it all of the images failed to load and no CSS. Then, I refreshed it with the console open and there were 40+ errors and 500+ warnings in the console, but everything loaded... including 2 pop-up ads stacked on top of each other and a ton of banner ads. Feels like I should wash my laptop with soap and water after opening that URL.

DrMiaow
1 replies
2d13h

This will be abused. A fun idea that seems harmless until you realize that grifters will use it to obfuscate their grifty payloads.

lolinder
0 replies
2d13h

Do you have any reason to believe that this is more prone to abuse than URL shorteners? If anything I'd expect the reverse to be true—a URL like this would raise far more eyebrows among most people than a short one would—and this one has a pretty thorough warning page before giving you a nondescript button to click to proceed to the target.

layer8
0 replies
2d21h

There is a de-facto limit on the total length of an URL [0] which significantly exceeds 255, and the path portion of an URL can be arbitrarily long within that limit, so using only subdomains would be unnecessarily limiting, and using them in addition would provide no further benefit.

[0] https://stackoverflow.com/questions/417142/what-is-the-maxim...

terrycody
0 replies
2d14h

Except for fun maybe, what's the use case of this thing though?

signaru
0 replies
2d12h

It is possible to use "recursion" to create a 20kb long URL, which would be blocked by HN for being too long. Some browsers might not support it though.

optimalsolver
0 replies
4d10h

URL too beaucoup.

neillyons
0 replies
2d9h

Linked in the footer of that website is https://llili.li/. Even better!

mdrewry
0 replies
2d20h

this is actually really funny

jdthedisciple
0 replies
2d1h

magick.css in the wild - nice!

jaredliu233
0 replies
2d6h

Interesting technical details on the challenges of using long domain names and HTTPS certificates. The author seems to have found a workaround, though potential abuse is a valid concern. I wonder if there are any plans to address that.

hiergiltdiestfu
0 replies
2d10h

cool! strong lmgtfy-vibes :D

heyest
0 replies
4d9h

This is awesome thanks!

elwell
0 replies
2d19h

URL longerer

cush
0 replies
2d21h

Similar to the small web, I equally love the silly web. Good job!

crazygringo
0 replies
2d19h

This is one of the dumbest things I've come across in a long time.

I absolutely love it.

asplake
0 replies
4d9h

Or: how to ruin hckrnews on mobile (Safari, anyway)

Dwedit
0 replies
2d21h

There used to be a URL redirection service called HugeURL. Your URLs were extremely long.