Make it easy to validate your short URLs

2021-12-27|4 min

My sister got Covid for Christmas. A few days after getting tested, she received this text:

My sister received a text with a cryptic short URL and mention of test results

She receives a lot of spam and phishing texts. So, understandably, she was trepidatious: is this legitimate? Did I sign up for this?

Here's what the URL looks like (with a fake secret):

The simple rules I've taught my family to counter phishing:

  1. If you can, avoid following unsolicited links that are texted to you. Find another way to perform the function you're being prompted to perform.
  2. If you must follow a link, always verify the domain actually belongs to who you think it does before clicking it.

#2 is often complicated by short URLs, like we have here.

Visiting redirects one to this page:

A google page about express covid notifications

So this appears to be a link from a Google service. pulls up this page:

A basic page mentioning that express notifications were not found

On this page, there's a link to a URL, which is in turn a link to the same page above on Google.

Of course, anyone can redirect their base domain to Google. Or have a link that says "About this totally legit page" that links to Apple.

We can't trust this domain to tell us it's from Google. Instead, we need Google – at – to tell us this domain is from them.

Sometimes, you can Google a domain to verify its owner. Unfortunately, that trick doesn't work for this Google domain:

A google page about express covid notifications

One way to solve all this: Both and should have links to a page on that explicitly mention these domains belong to Google. That would mean a quick investigation or Google search would confirm ownership.

Still, it feels like something critical is missing for short URLs. We should use DNS or CAs to surface sibling or parent domains as a first-class concept in the browser. In that world, Google could list as a child domain of, making ownership easy to verify with a new browser feature.