Shared Responsibility
Shared responsibilities between You & Fynlink for a safe and secure experience.
Creating a secure short URL is a shared responsibility between you and Fynlink.
There are some things that we can take care of for you, and some things that you are responsible for. While we could put many more restrictions in place to ensure that you can't do anything wrong, you would eventually find those restrictions difficult to work with.
Your responsibilities for a safe & secure experience:
Always set an expiry time for your link. For sensitive links, set a shorter expiry time. Fynlink lets you set an expiry time as low as 5 minutes. Remember, no fixed expiry time can be called secure. As a general rule, a 1-hour expiry time will be far safer than, say, a 6-hour expiry time.
Unlike other service providers, we actually delete the link completely from our database when it expires.
When creating short URLs for sensitive links, use a combination of random letters and integers, and strictly avoid easily guessable and dictionary words. The default link generator within Fynlink does this effectively by generating totally random slugs.
When creating short URLs, make sure the length of the slug is at least 6 characters, though we recommend 8 characters for a balance of security & ease of use.
Use a custom domain if possible; the primary domain, available for free to all users, will be heavily targeted.
It is also advisable to make sensitive links private. A private link is shown only once after creation and remains hidden from everyone, including your team members. It works just like a normal link but is not displayed in the application, because private links are encrypted with a key generated from the short URL itself, and the short URL is stored in our database as a non-reversible hash.
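The private-link design described above, as an added sketch that is not Fynlink's code: the store keeps only a hash of the slug and a ciphertext whose key is derived from the slug. SHA-256, HKDF, AES-256-GCM, the salt and label strings, the function names and the in-memory `Map` are all assumptions made for illustration.

```javascript
// Added example (Node.js); algorithms and names are assumptions, not Fynlink's.
const nodeCrypto = require('node:crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Random slug from a CSPRNG; randomInt avoids modulo bias.
function randomSlug(length = 8) {
  let slug = '';
  for (let i = 0; i < length; i++) slug += ALPHABET[nodeCrypto.randomInt(ALPHABET.length)];
  return slug;
}

// Lookup id kept by the server: a one-way hash of the slug, never the slug itself.
function lookupId(slug) {
  return nodeCrypto.createHash('sha256').update('lookup:' + slug).digest('hex');
}

// Encryption key derived from the slug; it is recomputed on each visit, never stored.
function deriveKey(slug) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', slug, 'constructed-salt', 'target-url', 32));
}

// Stores only { hash(slug) -> iv, ciphertext, tag } and returns the slug once.
function createPrivateLink(db, targetUrl, slug = randomSlug()) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(slug), iv);
  const ct = Buffer.concat([cipher.update(targetUrl, 'utf8'), cipher.final()]);
  db.set(lookupId(slug), { iv, ct, tag: cipher.getAuthTag() });
  return slug;
}

// Redirect path: the visitor's slug locates the row and decrypts it.
// A modified ciphertext fails the GCM tag check and final() throws.
function resolve(db, slug) {
  const row = db.get(lookupId(slug));
  if (!row) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(slug), row.iv);
  decipher.setAuthTag(row.tag);
  return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
}

// Constructed sample run.
const demoDb = new Map();
const demoSlug = createPrivateLink(demoDb, 'https://example.com/private/report');
console.log(demoSlug, '->', resolve(demoDb, demoSlug));
```

In a construction like this, both the stored hash and the key rest entirely on the slug's entropy, which is why the slug length and randomness recommendations above matter most for private links.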
Major issues that affect all URL shortening services & how we handle them:
An attacker may try to guess a short URL by means of link enumeration. Link enumeration refers to a potential security issue where an attacker systematically guesses or generates all possible combinations of short URLs to access the original, longer URLs. Since short URLs typically have fewer characters than the original URLs, there are fewer possible combinations, making it easier for an attacker to guess a valid short URL. This could potentially allow unauthorized access to the content at the original URLs, especially if they were intended to be private or temporary.
Even though we have multiple measures to prevent these kinds of attacks, we can't guarantee that they will never happen. We will monitor the usage of our service and take necessary actions to prevent such attacks.
There were instances of short URL services submitting customer URLs to search engines knowingly or unknowingly, making them searchable & public.
We will never submit your short URLs to search engines, and they will remain private.
You should be aware of the fact that short URLs are not private in most cases. Your target URLs, as well as any data associated with them, including tags or notes, can be seen by an employee. This issue has been reported in the past with many short URL services.
At Fynlink, your link data is encrypted before it even leaves your browser (e2ee) with a key that we do not store. This means only you & your team members can see the links & none of us can see them, even if we choose to do so!
There were instances of a short URL service getting hacked and having all of its short URL targets replaced with malicious URLs, making it even worse.
All our databases are encrypted at rest (EAR) & encrypted in transit (EIT). Even our link cache is encrypted. We also have another layer of encryption for all personally identifiable information like email, name, timezones etc., with a key that we possess. The link data itself is encrypted using e2ee, and we do not store the key. It will be difficult for an attacker to replace targets & leak personal information in our case. We cannot completely rule out the possibility of a hack, but we are committed to keeping your data safe.
- E2EE: Your link data is encrypted even before leaving the browser & can be decrypted only by you.
- < 200ms: Average link redirection time; it depends mainly on the location of the end user.
- 99.9%: Uptime guarantee.
- 275+: For quick, uninterrupted URL redirection, our redirection service is available in all major cities worldwide.