[guardian-dev] forcing HTTPS when using goo.gl shortlinks

Hans-Christoph Steiner hans at at.or.at
Fri Jan 9 10:01:55 EST 2015


Hey all,

I'm digging through the guts of how apps are sharing location information.
For the most part, it's not a great situation, but there is a lot of hope with
the geo: URI (http://geouri.org).  Anyway, lots of Google apps share location
using a http://goo.gl shortlink (e.g. http://goo.gl/maps/V9dIV), which is even
worse for a number of reasons:

* it uses http: to connect to goo.gl

* the link that the goo.gl redirects to is also http://, so even if you do
https://goo.gl/maps/V9dIV, then the next step is http://.

* the link that goo.gl redirects to obfuscates the latlong, so it can't be
parsed out of it by other apps, even though the final link when you get to the
page includes the latlong (very lame, Google).

Here's an example flow:

https://goo.gl/maps/V9dIV
  - redirect -
http://maps.google.com/?q=4761+Hacking%2C+Austria&ftid=0x47746f58dbfe9b5d:0x22ff26bff5c5b0d8&hl=en&gl=us
  - redirect -
https://www.google.com/maps/place/@48.388835,13.6370603,15z

Any ideas on how an app can get the latlong securely?  One simple way to
improve this situation would be to pass something in the query string to
https://goo.gl/maps/V9dIV to make it only use HTTPS.  Anyone know if anything
like that exists?  Or is that ftid thing parseable?

Otherwise, I think an app will have to actually connect to
https://goo.gl/maps/V9dIV, then get the redirect URL and convert it to HTTPS.

.hc
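
The approach in the last paragraph, sketched as an added example that is not part of the original message: follow the redirect chain one hop at a time, rewrite every Location to https:// before requesting it, and read the latlong from the final URL's path. The host allow-list, the function names and the offline redirect table are assumptions made for this sketch; the table replays the flow quoted above.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumption: hosts seen in the example flow; anything else is refused.
ALLOWED_HOSTS = {"goo.gl", "maps.google.com", "www.google.com"}
LATLONG = re.compile(r"/@(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?)")

def force_https(url):
    """Rewrite an http(s) URL to https, dropping any port, userinfo or fragment."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unexpected scheme in %r" % url)
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected host in %r" % url)
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))

def https_fetch_location(url):
    """One HTTPS request; http.client never follows redirects itself."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def resolve_latlong(url, fetch_location=https_fetch_location, max_hops=5):
    """Follow redirects hop by hop, upgrading each hop to HTTPS first."""
    url = force_https(url)
    for _ in range(max_hops):
        match = LATLONG.search(urlsplit(url).path)
        if match:  # final-style URL: /maps/place/@lat,long,zoom
            return float(match.group(1)), float(match.group(2))
        location = fetch_location(url)
        if location is None:
            return None  # chain ended without a latlong in the path
        url = force_https(urljoin(url, location))
    raise RuntimeError("too many redirects")

# Constructed redirect table replaying the flow quoted in the message (offline).
HOP1 = ("http://maps.google.com/?q=4761+Hacking%2C+Austria"
        "&ftid=0x47746f58dbfe9b5d:0x22ff26bff5c5b0d8&hl=en&gl=us")
SAMPLE_REDIRECTS = {
    "https://goo.gl/maps/V9dIV": HOP1,
    force_https(HOP1): "https://www.google.com/maps/place/@48.388835,13.6370603,15z",
}
```

Calling resolve_latlong(url, SAMPLE_REDIRECTS.get) runs the sketch offline; leaving out the second argument uses the network fetcher.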
