[guardian-dev] forcing HTTPS when using goo.gl shortlinks

Jonas Smedegaard dr at jones.dk
Fri Jan 9 11:28:44 EST 2015


Quoting Hans-Christoph Steiner (2015-01-09 16:01:55)
> I'm digging through the guts of how apps are sharing location 
> information. For the most part, it's not a great situation, but there 
> is a lot of hope with the geo: URI (http://geouri.org).  Anyway, lots 
> of Google apps share location using a http://goo.gl shortlink (e.g. 
> http://goo.gl/maps/V9dIV), which is even worse for a number of 
> reasons:
>
> * it uses http: to connect to goo.gl
>
> * the link that the goo.gl redirects to is also http://, so even if you do
> https://goo.gl/maps/V9dIV, then the next step is http://.
>
> * the link that goo.gl redirects to obfuscates the latlong, so it can't be
> parsed out of it by other apps, even though the final link when you get to the
> page includes the latlong (very lame, Google).

I wouldn't call it lame but a deliberate design to not expose semantics 
(gold to them) but replace that with tracking URLs (more gold to them).


> Any ideas on how an app can get the latlong securely?  One simple way 
> to improve this situation would be to pass something in the query 
> string to https://goo.gl/maps/V9dIV to make it only use HTTPS.  Anyone 
> know if anything like that exists?  Or is that ftid thing parseable?
>
> Otherwise, I think an app will have to actually connect to 
> https://goo.gl/maps/V9dIV, then get the redirect URL and convert it to 
> HTTPS.

I expect it is by design not possible to resolve the underlying geodata 
securely.  If my suspicion is correct, then I guess the only possibility 
is if someone hosts a proxy to expand those tracking URLs on behalf of 
privacy-concerned users (who then would need to trust that proxy to not 
log anything).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
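
Added example, not part of the original thread or written by either participant: a sketch of the approach described in the quoted text (connect to the shortlink over HTTPS, read the redirect, convert it to HTTPS before following it). The `fetch` callback, the host allowlist, the hop limit, `maps.example.com` and the `ftid` value are assumptions made for illustration, and the redirect table is constructed so the code runs offline.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

MAX_HOPS = 5  # assumption: a shortlink needs only a few hops
REDIRECTS = (301, 302, 303, 307, 308)

class InsecureRedirect(Exception):
    """Raised when a hop cannot be fetched over HTTPS from an allowed host."""

def force_https(url):
    """Rewrite http:// to https://; reject other schemes, userinfo, odd ports."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise InsecureRedirect("unsupported URL: %r" % url)
    if parts.username or parts.port not in (None, 80, 443):
        raise InsecureRedirect("userinfo or non-default port: %r" % url)
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))

def resolve_https_only(url, fetch, allowed_hosts):
    """Follow redirects one hop at a time, upgrading every hop to HTTPS.

    fetch(url) -> (status, location) must not follow redirects itself.
    Returns (final_url, list_of_urls_requested).
    """
    hops = []
    for _ in range(MAX_HOPS):
        url = force_https(url)
        if urlsplit(url).hostname not in allowed_hosts:
            raise InsecureRedirect("host not allowed: %r" % url)
        hops.append(url)
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return url, hops
        url = urljoin(url, location)  # Location may be relative
    raise InsecureRedirect("more than %d redirects" % MAX_HOPS)

# Constructed redirect table standing in for the network (not real responses).
SAMPLE = {
    "https://goo.gl/maps/V9dIV": (301, "http://maps.example.com/?ftid=CONSTRUCTED"),
    "https://maps.example.com/?ftid=CONSTRUCTED": (200, None),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, None))

if __name__ == "__main__":
    print(resolve_https_only("http://goo.gl/maps/V9dIV", sample_fetch,
                             {"goo.gl", "maps.example.com"}))
```

This keeps every request the app makes on HTTPS, but the shortener and the redirect target still see the request, so it does not address the tracking concern raised in the reply.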