Bypassing Google Tracking Redirects with HTTPS Everywhere

tl;dr Install this custom HTTPS Everywhere rule.

If there’s one thing you can set your watch by these days, it seems to be Google’s dedication to making it as difficult as possible to get what you want out of their services without logging in. NoScript isn’t very helpful because everything except GMail and Google Maps is served from www.google.com, userscripts and other hacks seem to break every other weekday, etc. etc. etc.

Today, my gripe is with how, if you disable JavaScript on encrypted.google.com via NoScript to reliably and anonymously get a simple, basic search engine experience, every single result requires you to manually OK an untrusted redirect from the https://encrypted.google.com/url?url=... nowhere that NoScript stops you at.

As this is most evident when you’re using HTTPS Everywhere (most userscript authors don’t support encrypted.google.com), I’m going to show you how to use HTTPS Everywhere to kill the redirects and fix the problem. (And since we’ll be fixing it AFTER the browser has done the hard work of finding the URL, it will only break if Google actually cares enough to change their redirect URL, rather than every time they “innovate” with their JavaScript or HTML templates)

For those who aren’t already familiar with it, HTTPS Everywhere is a generalized engine for hijacking requests and pointing them somewhere else without ever contacting the original target. (Though, normally, the intent is to keep your ISP from knowing where you’re going by snooping on your traffic)

That means that, when your “friend” tricks you into clicking a link to search www.google.com for “hot sexy six-year-olds”, it’s redirected to the encrypted version of Google before anything goes over the wire… which means you only have to worry about Google’s friends in the FBI, not your ISP’s too.

The reason that matters is that you can write your own rules using regular expressions, so you can redirect anything to anything like this. (No practical jokes please. Slipping a custom “PirateBay -> FBI” redirect into your friend’s browser is not cool.)

This rule, if placed into the HTTPSEverywhereUserRules folder in your Firefox profile, will skip over Google’s tracking URL and take you direct to what you actually wanted:

CC BY-SA 4.0 Bypassing Google Tracking Redirects with HTTPS Everywhere by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

This entry was posted in Geek Stuff. Bookmark the permalink.

2 Responses to Bypassing Google Tracking Redirects with HTTPS Everywhere

  1. Stefan Fröberg says:

    Hi!

    Has this rule been integrated with latest version of HTTPS Everywhere?
    And if so where can I locate and view it’s source ?

    • Forcing encrypted Google has always been part of the HTTPS Everywhere rulset but I never submitted my un-tracker because there’s an edge-case I couldn’t figure out how to fix. (If the redirection target has a query string of its own, it doesn’t get unescaped.)

      (That’s also rarely a problem for me since SEO recommends not using query strings in URLs for specific resources.)

      Hence, people who want to view the source can just use the GitHub Gist embed on this page.

Leave a Reply

Your email address will not be published. Required fields are marked *

By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution under the same terms as the associated post.

All comments are moderated. If your comment is generic enough to apply to any post, it will be assumed to be spam. Borderline comments will have their URL field erased before being approved.