[guardian-dev] forcing HTTPS when using goo.gl shortlinks
Jonas Smedegaard
dr at jones.dk
Fri Jan 9 11:28:44 EST 2015
Quoting Hans-Christoph Steiner (2015-01-09 16:01:55)
> I'm digging through the guts of how apps are sharing location
> information. For the most part, it's not a great situation, but there
> is a lot of hope with the geo: URI (http://geouri.org). Anyway, lots
> of Google apps share location using a http://goo.gl shortlink (e.g.
> http://goo.gl/maps/V9dIV), which is even worse for a number of
> reasons:
>
> * it uses http: to connect to goo.gl
>
> * the link that the goo.gl redirects to is also http://, so even if you do
> https://goo.gl/maps/V9dIV, then the next step is http://.
>
> * the link that goo.gl redirects to obfuscates the latlong, so it can't be
> parsed out of it by other apps, even though the final link when you get to the
> page includes the latlong (very lame, Google).

I wouldn't call it lame but a deliberate design to not expose semantics
(gold to them) but replace that with tracking URLs (more gold to them).

> Any ideas on how an app can get the latlong securely? One simple way
> to improve this situation would be to pass something in the query
> string to https://goo.gl/maps/V9dIV to make it only use HTTPS. Anyone
> know if anything like that exists? Or is that ftid thing parseable?
>
> Otherwise, I think an app will have to actually connect to
> https://goo.gl/maps/V9dIV, then get the redirect URL and convert it to
> HTTPS.

I expect it is by design not possible to resolve the underlying geodata
securely. If my suspicion is correct, then I guess the only possibility
is if someone hosts a proxy to expand those tracking URLs on behalf of
privacy-concerned users (who then would need to trust that proxy to not
log anything).
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
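
Added example, not part of the original message or of any Guardian Project code: a sketch of the approach discussed in the thread, where the app connects to the short link over HTTPS, reads each redirect itself instead of letting the HTTP client follow it, and rewrites every `http://` hop to `https://` before requesting it. The function names, the `maps.example` host and the redirect table are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECTS = (301, 302, 303, 307, 308)

def force_https(url):
    """Rewrite http:// to https://; refuse any other scheme."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % p.scheme)
    # An explicit :80 makes no sense once the scheme is https.
    netloc = p.netloc[:-3] if p.scheme == "http" and p.netloc.endswith(":80") else p.netloc
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

def https_head(url):
    """One HEAD request over TLS; http.client never follows redirects itself."""
    p = urlsplit(url)
    conn = http.client.HTTPSConnection(p.netloc, timeout=10)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_over_https(short_url, fetch=https_head, max_hops=5):
    """Return (final_url, downgrades): downgrades lists hops that asked for http://."""
    url, downgrades = force_https(short_url), []
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return url, downgrades
        target = urljoin(url, location)        # Location may be relative
        if urlsplit(target).scheme == "http":
            downgrades.append(target)          # record it, then upgrade it
        url = force_https(target)
    raise RuntimeError("too many redirects")

# Constructed redirect table standing in for the network (not real responses).
SAMPLE = {
    "https://goo.gl/maps/V9dIV": (301, "http://maps.example/?ftid=PLACEHOLDER"),
    "https://maps.example/?ftid=PLACEHOLDER": (302, "/maps/place?ll=0.0,0.0"),
    "https://maps.example/maps/place?ll=0.0,0.0": (200, None),
}

if __name__ == "__main__":
    print(resolve_over_https("http://goo.gl/maps/V9dIV", fetch=SAMPLE.__getitem__))
```

The upgrade only helps if each redirect target actually serves the same content over HTTPS, and the short-link service still sees every lookup.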