It really bothers me that the default premium podcast feed doesn't use SSL. Since it's using http auth to authenticate, it's sending the username and password of a user totally in the clear (well, Base64 encoded, but that's it) across the internet in an http header, in a way that would be trivial for anyone in between a user and the server to parse and collect.
For instance, if I request the premium feed, these are my http headers according to Chrome (I did this in incognito mode, to disable cookies):
I blacked out my username and password, obviously. I also used the https, because I don't particularly relish the idea of sending those things over the internet, in the clear, which is exactly what everyone else's podcasting app is doing. Same thing for people using the http://username:password@www.giantbomb.com/podcast-xml/premium/ trick, except then it's embedded both in the request URL and in the headers.
The fix here is super-easy, just change the "http" part of the RSS feed link to "https", since that already works just fine. I realize that there is some cost to doing SSL on the server side in terms of CPU time, but it's just the premium podcast feed we're talking about here. And it's a pretty big security loophole. I mean, there's a reason that auth.giantbomb.com forces you to use SSL, and for the same reason the podcast feed should as well.
I realize that disabling the non-SSL feed would be a huge hassle, because everyone would have to update their podcasting app, but at the very least change the link so that new people subscribe to the SSL feed, not the encrypted one. And I really think you guys should at least try to get people to migrate to that feed, it's really kind of a shitty way to treat your users' security credentials.
For regular, non-staff, Giant Bomb users reading this, that also subscribe to the premium podcast feed: if you haven't done it already, change your premium podcast feed from this URL
http://www.giantbomb.com/podcast-xml/premium/
to this one:
https://www.giantbomb.com/podcast-xml/premium/
or this one:
https://username:password@www.giantbomb.com/podcast-xml/premium/
That way, your Giant Bomb username and password will always be encrypted in transit.
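As an added illustration of the point made in this post (this is example code, not anything from Giant Bomb or a podcast client), the snippet below shows how a podcast app turns a `username:password@` feed URL into the HTTP Basic `Authorization` header, that the Base64 in that header reverses with a one-liner (so it is encoding, not encryption), and a small audit helper that flags a feed URL whose credentials would travel over plain `http` and rewrites it to `https`. The usernames and passwords used are constructed sample values.

```python
import base64
from urllib.parse import urlsplit, urlunsplit


def basic_auth_header(username, password):
    """Build the Authorization header value a client sends for HTTP Basic auth.

    This is exactly what a podcast app does with the userinfo part of a
    username:password@host URL (or with credentials it was given separately).
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value):
    """Undo the encoding. Base64 is reversible by anyone who sees the header,
    which is why the header must only ever travel inside TLS."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def audit_feed_url(url):
    """Return a list of findings for a feed URL; an empty list means it is fine."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append("Basic auth header would be sent in cleartext")
    if parts.username is not None:
        findings.append("credentials embedded in URL")
        if parts.scheme == "http":
            # Over plain http the userinfo also appears in the request line
            # and typically in client logs, not only in the header.
            findings.append("embedded credentials also exposed in the request line")
    return findings


def to_https(url):
    """Rewrite an http:// feed URL to https://, keeping path and userinfo intact."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    header = basic_auth_header("alice", "s3cret")
    print(header)                       # what goes on the wire
    print(decode_basic_auth(header))    # what any on-path observer gets back
    for feed in ("http://www.giantbomb.com/podcast-xml/premium/",
                 "http://alice:s3cret@www.giantbomb.com/podcast-xml/premium/",
                 "https://www.giantbomb.com/podcast-xml/premium/"):
        print(feed, audit_feed_url(feed), "->", to_https(feed))
```

Running the audit over a subscription list is a quick way to confirm that every premium feed in a podcast app is on the `https` URL, which is the whole fix the post asks for.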