131 comments

[ 3.5 ms ] story [ 197 ms ] thread
I hate how good this is.

Here: (literally) https://looooooooooooooooooooooooooooooooooooooooooooooooooo...

(comment deleted)
Why the content warning for a hackernews website though?
That’s the same warning you get for any elongated URL
Yeah, I understand _why_ they provide the warning before forwarding you through to any URL, but at the same time this extra click (or "warning") for users puts this service squarely in the category of joke services rather than actually-usable services (even as a joke service).

Love it as a piece of art/commentary, though.

Yeah, tend to agree with you. I think they want you to land on their site so they can publicize their joke service.
1) the capitalization makes some very visually interesting patterns, if you kinda squint

2) what the fuck lmao

I am the author, I wanted to publish it myself, I didn't expect you had already published it. Thank you very much.

Encountered quite a few problems during the deployment, mainly related to HTTPS certificates.

The longest segment of a domain name is 63 characters. The maximum length of an HTTPS certificate commonName is 64 characters.

This caused Cloudflare, Vercel, and Netlify to be unable to use Let's Encrypt to sign HTTPS certificates (because they used the domain name as the commonName), but Zeabur can use Let's Encrypt to sign HTTPS certificates.

Finally, the Cloudflare certificate was switched to Google Trust Services LLC to successfully sign.

Related certificates can be viewed at https://crt.sh/?q=looooooooooooooooooooooooooooooooooooooooo...

Don't you have to be a Non-Government Organization, outside China[1], to be eligible for a .ong domain name?

[1] According to https://www.godaddy.com/help/about-ong-domains-41384

Are you accusing them of being a government organzation, or accusing them of being in China?
NGO is a specific type of organization (such as a 501(c)(3) in the US), which would exclude 'a random person registering a domain': https://en.wikipedia.org/wiki/Non-governmental_organization
That wikipedia article literally says there is "no fixed or formal definition for what NGOs are".

The .ong domain has a policy that has criteria. https://thenew.org/org-people/about-pir/policies/ngo-and-ong...

These are not hard to meet, nor should they be.

> These are not hard to meet, nor should they be.

But hard for a random url-elongator site to meet.

> Registrants are required to certify that they meet the following eligibility requirements when registering a .NGO or .ONG domain name:

> 1. Focused on acting in the public interest. [...] work for the good of humankind and/or the preservation of the planet

> 5. Active Organizations. Members of the .NGO and .ONG community are actively pursuing their missions on a regular basis.

> 6. Structured. Members of the .NGO and .ONG community, whether large or small, operate in a structured manner (e.g., under bylaws, codes of conduct, organizational standards, or other governance structures.)

Clearly this site doesn't qualify.

> 1. Focused on acting in the public interest. [...] work for the good of humankind and/or the preservation of the planet

Operating a publicly available lengthening service is in the public interest and is working for the good of all humans. I used to use hugeurl, but it's no longer in service.

> 5. Active Organizations. Members of the .NGO and .ONG community are actively pursuing their missions on a regular basis.

This is an active organization, pursing a mission of longer urls for the good of all. Maybe this sounds frivolous, but there's a lot of frivolous but chartered 501(c)(3)s, and the requirements doesn't specifically require a registrant to be registered as a non-profit or charity or similar (although such a registration is likely to satisfy an audit, tax records showing a lack of profits/retained earnings may be sufficient)

> 6. Structured. Members of the .NGO and .ONG community, whether large or small, operate in a structured manner (e.g., under bylaws, codes of conduct, organizational standards, or other governance structures.)

We don't have evidence of how it's operated. Many organizations operate websites without publishing their bylaws. Although, I'll grant that circumstantial evidence seems to be that it's operated by an individual.

You can't see from the site who the owner is. Could be a library. Could be a music club. Could be the Gates foundation. An art collective.

Running the website (in this case, an url elongator) is not required to be an objective in the articles of incorporation.

Nevertheless, an URL elongator strikes me as funny, and providing fun for free is surely for the good of humankind.

The GitHub repo linked from the page is owned by an individual (not any kind of structured NGO that would be eligible for this), and they set the location field on their GitHub profile to "NanJing,China" (suggesting that they are located in China).
Just to expand on this, commonName is not at all required in certificates and is basically deprecated/legacy

Letsencrypt does not require you to set it, just subject alternate names, which can be up to 255 characters, but some providers require it for no reason

surprisingly it's been deprecated since RFC 2818 was published 24 years ago.

It's only more recently that browsers and other common software stopped validating it though

    If a subjectAltName extension of type dNSName is present, that MUST
    be used as the identity. Otherwise, the (most specific) Common Name
    field in the Subject field of the certificate MUST be used. Although
    the use of the Common Name is existing practice, it is deprecated and
    Certification Authorities are encouraged to use the dNSName instead.
* https://datatracker.ietf.org/doc/html/rfc2818#section-3.1

    Therefore, if and only if the presented identifiers do not include a
    DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types
    supported by the client, then the client MAY as a last resort check
    for a string whose form matches that of a fully qualified DNS domain
    name in a Common Name field of the subject field (i.e., a CN-ID).  If
    the client chooses to compare a reference identifier of type CN-ID
    against that string, it MUST follow the comparison rules for the DNS
    domain name portion of an identifier of type DNS-ID, SRV-ID, or
    URI-ID, as described under Section 6.4.1, Section 6.4.2, and
    Section 6.4.3.
* https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4

Also from 2015:

    9.2.2 Subject Distinguished Name Fields
    a. Subject Common Name Field
    Certificate Field: subject:commonName (OID 2.5.4.3)
    Required/Optional: Deprecated (Discouraged, but not prohibited)
    Contents: If present, this field MUST contain a single IP address
    or Fully-Qualified Domain Name that is one of the values contained
    in the Certificate’s subjectAltName extension (see Section 9.2.1).
* https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf#page=17

* https://stackoverflow.com/questions/5935369/how-do-common-na...

To further expand, commonName is only deprecated for SSL/TLS server certificates. It is, for example, mandatory for CA certificates and code signing certificates.
Can you help me understand what is the point of this project? :)
Amazing. Will you provide email services? ^^
I love this.

My first impression was: "What in the QA is this? I wonder what this breaks?"

> because they used the domain name as the commonName

Understandable, but that's old-school, right? I'm pretty sure the x.509 extensions for SAN cover this now, and I'm kind of surprised that CA's are sticking to the old way of doing this.

The seemingly required https:// should be prefilled in the form
Ah, thank you. I figured it was broken.
This should be the top comment. Thank you!
Edit:

Also, it seems to only look for `http:` + one character, which is a bit disorienting. (E.g. `https:/a` would be a "valid" domain)

it just needs [a-zA-Z]: for it to actually generate, you don't need any valid protocol, just a letter then a colon
If it looked for `://` then stuff like `mailto:me@fake.email` would break.
Or: how to ruin hckrnews on mobile (Safari, anyway)
This is awesome thanks!
Be wary with making this kind of website. I made something similar long time ago (urllengthener.sadale.net) and got my site reported for "spam campaign". Turns out that the spammer was abusing my site to generate spam link. I handled that promptly by shutting down my site and didn't receive any penalty for that.

The way how it worked is that the spammer used my urllengthener as a redirection service to a website that looks like an incomplete project, which is actually a disguise. There's javascript code on their site that if there's a URL fragment identifier (the hash thingie postfix for URL) detection mechanism and if the URL fragment identifier matches an ad of their own, it'd redirect to the actual spam ad.

Let's say the spammer owns example.org. The spammer would generate link with my service such that https://urllengthener.sadale.net/foobarbaz would redirect to https://example.org. Then it'd send spam with a link of https://urllengthener.sadale.net/foobarbaz#identifierXYZ to the victim. Then the victim would click on the link, which redirects him to https://example.org/#identifierXYZ, which would show victim the ad. https://example.org/ looks legit on its own and there is no log shown on the HTTP server because the URL fragment identifier is a client-side thing. I'm kind of thankful of that spam abuse report. Otherwise I might have never found out.

(Remarks: example.org isn't the actual spam site. I just use this domain name as an example.)

I don't have the time for now but I think I should make a write up about that some time later.

And I've tested your service and apparently your site is vulnerable for the exact same kind of abuse as mine. I'd strongly recommend you to at least disabling redirection of URL fragment identifier. Example of URL that's prone to abuse: https://looooooooooooooooooooooooooooooooooooooooooooooooooo...

How is this different from GET arguments in the URL? I mean is this relates only to URL fragment, because javascript can parse URL parameters as well and any spam site can abuse it even with rewrite in the path part in the URL.
GET arguments are not redirected to the spam site because when the url redirection site has received the GET argument, the GET argument would generally be discarded/disregarded before redirecting the user to the spam site.
But you're not in control of fragment part. Server doesn't receive fragment for request, it's all managed completely by the browser. To handle this you need to do client side redirect with javascript.
Good question.

I haven't tested that but I think it's possible to modify the fragment with Javascript: https://stackoverflow.com/a/4282075

So my idea would be getting looo.ong to create a special client-side redirection webpage that would remove the fragment part using Javascript before performing the redirection with Javascript. And no. Using HTTP redirection response on server side won't work.

EDIT: I've actually seen URL redirection websites that removes the fragment part so it should be doable. Perhaps the purpose of that is to avoid spam abuse.

thanks to the need for ES to accommodate SPA (one of the worse thing that has ever happens to the web), that allows ES/JS to change the URL of the page as long as it is within the same domain. What could go wrong. Don't try to make web a QT replacement. Crete your own freaking interface. Stop hijacking web as document based platform to squeeze everything in there.
> I haven't tested that but I think it's possible to modify the fragment with Javascript

Yes, this is how single-page apps allowed linking to subpages before history.pushState existed.

> I handled that promptly by shutting down my site and didn't receive any penalty for that.

What kind of penalty do you think you could've gotten and by whom?

Spamhaus or another IP reputation provider will contact your hosting provide or ISP and warn them that either: - You need to follow their best practices (which practically for me meant paying for a subscription) - Or your upstream net block would be marked as untrustworthy (which basically blocks email delivery from that IP range)

You can imagine what your hosting provider or ISP will do with this.

Source: I ran a URL shortening service from 2004-2007 and this happened to me.

That's totally not a protection racket.
Indeed. It's depressing to say, but stand by for a bad actor(s) to abuse this service for nefarious purposes in 3... 2... 1....
Yeah. When we build a new road, eventually some gangsters will drive on it. Weirdly, tech is the only place where people then look at the platform.

No one would shut down the post (DHL) for allowing a drug enterprise to send illegal substances using DHL.

So yeah, these links will be abused. What isn't abused?

Wouldn't it be possible to use subdomains to make it _looonger_?

From my understanding the domain could be 255 characters long.

https://a.lot.looooooooo(...)nger.than.looooooooo(...).ng

There is a de-facto limit on the total length of an URL [0] which significantly exceeds 255, and the path portion of an URL can be arbitrarily long within that limit, so using only subdomains would be unnecessarily limiting, and using them in addition would provide no further benefit.

[0] https://stackoverflow.com/questions/417142/what-is-the-maxim...

(comment deleted)
(comment deleted)
I love how you encode the url as binary then replace the 0's and 1's with O's and o's. This is genius.
How do you know? Where can I read about this? Am I missing something?
Am I having a stroke? I am 100% certain I saw this exact topic with these exact comments yesterday, but here we are with all of them saying they're from 5 hours ago.
This happens when an article is revived from the second-chance pool. From what I understand the only way they currently have to resurrect a thread involves changing timestamps, which is extremely disorienting for people who actually did see the previous thread.

See dang's explanation to the same question here (and his link to an algolia search of other previous explanations): https://news.ycombinator.com/item?id=36472976

They engineered a real mandala effect!
There used to be a URL redirection service called HugeURL. Your URLs were extremely long.
Similar to the small web, I equally love the silly web. Good job!
.ong is intended for “organisations non gouvernementale” and the main difference from .org is that proof of actual NGO status is required.
I wonder why the TLD is not .ngo.
The answer to that is easy enough to find. I submit that a better question is why not .gno à la UTC.
> the main difference from .org is that proof of actual NGO status is required.

Somehow I have even more questions now. Is this a registered ONG then!?

No, proof of NGO status is not required. Anyone can buy a .ong domain.
According to [1], .ong/.ngo domains are eventually audited for NGO status, rather than requiring proof during the purchase. So one can technically buy it but the registrar should eventually take it away from them.

[1]: https://thenew.org/org-people/about-pir/policies/ngo-and-ong...

However the requirements don't state that you have to be a registered NGO in any country. Being registered as some NGO-like tax-exempt entity anywhere but China will make the audit a lot easier, but technically you should be able to pass even if you are just two people with some bylaws written on a piece of paper.
this is actually really funny
This is one of the dumbest things I've come across in a long time.

I absolutely love it.

There should be a label telling people they need the protocol first, as soon as I entered I wrote "google.com" and nothing happened, confused me for a bit and thought there was something broken or maybe it was a victim of a HN hug.
Agreed. I was about to ask why it didn't seem to work on mobile - that would be it.
Seconded. I made this same mistake.
Ah I did the same thing. why is it even necessary?
It's not a URL without a protocol.
I don’t understand. What is needed? I tried Google.com as well, i don’t understand what I need to do
> There should be a label telling people they need the protocol first

You need to put the protocol like I said.

To anybody who's still confused: start your url string with "http://".
https:// please.
...which is probably why it's required.

Otherwise the service would have to presume. Which either excludes http:// or https:// probably the first.

I've ran into this when writing an url shortener and decide that without the protocol, I'd just put https:// in there. So that people could still add webcal://, ftp:// ssh:// and http:// in there if they wish.

I made something similar to make links look "sketchy"

will probably break any auto linking stuff but should work if copy&pasted or properly linked

    https://sketchylinkasdf.com/ssl_webmaster.zip/qwerty/<IMG SRC="javascript:alert('XSS')"/a95a33ab-9f0d-4f64-9cf3-a80d48593de0
There's a few "shady URL" generators, you can search and find a few.
cool, you should make one also and then we can get an old school webring to link to all of them.
I'm purple team pentester, I can't say if that URL gives me more PTSD or giggles.
Cool site! Just went to the /feedback page but there doesn't seem to be any way to actually submit feedback. Am I missing something?
Can’t wait to be abused by scammers and phishing attacks.
At least the page after clicking the long link tells you where you're actually going, making this about as risky as a regular phishing link.

URL filters may have a hard time though.