Darth Hideout 🏳️‍🌈 on Nostr: My quasi-annual #PSA for any neophytes or anyone else who may not be aware of an ...

My quasi-annual #PSA for any neophytes or anyone else who may not be aware of an important issue with #links on #Mastodon. Mastodon counts exactly a certain number of characters for each link in a post. By default, the number is 23. It is configurable per instance. You can see it on your instance by visiting https://<instance-domain>/api/v1/instance, among numerous other methods. Chrome, eg, has a Pretty-print option. The parameter is configuration.statuses.characters_reserved_per_url (see attachment). It doesn’t matter how long or short the link is. It always contributes the same character count toward the limit of the post, regardless.

Link shorteners and redirects are an important threat vector in network security. If I give you a link to, idk, cnn.com or youtube.com, you can immediately see where the link is taking you. A short link from bit-ly can take you anywhere, possibly through a malicious intermediate redirect you may not notice.

Previews help, of course. But previews don’t show up when there are attachments. A short link in a toot with an attachment is particularly opaque. At least in a case like that, ask yourself how well you trust the poster. You really don’t know where the link is going until you’ve tapped it.

With a fixed character count per link, there’s no advantage to shortening links. Even a very short URL, like this instance, https://c.im, which is only 12 characters (including the https:// prefix), is counted as 23. You gain nothing at all by shortening a link on Mastodon except opacity.

I think there are some cases where automation feeds a number of destinations like RSS & numerous social media platforms, including Mastodon. So they feed the same content to all of them, including short links. I encourage maintainers of all such automation to give this some thought. For my part, I treat all such links with suspicion, and I advise anyone else to. ✌️

#fediverse