Premium podcast feed should really be using SSL

#1  Edited By gkhan

It really bothers me that the default premium podcast feed doesn't use SSL. Since it's using http auth to authenticate, it's sending the username and password of a user totally in the clear (well, Base64 encoded, but that's it) across the internet in an http header, in a way that would be trivial for anyone in between a user and the server to parse and collect.

For instance, if I request the premium feed, these are my http headers according to Chrome (I did this in incognito mode, to disable cookies):

[Screenshot of the request headers not available]

I blacked out my username and password, obviously. I also used the https, because I don't particularly relish the idea of sending those things over the internet, in the clear, which is exactly what everyone else's podcasting app is doing. Same thing for people using the http://username:password@www.giantbomb.com/podcast-xml/premium/ trick, except then it's embedded both in the request URL and in the headers.

The fix here is super-easy, just change the "http" part of the RSS feed link to "https", since that already works just fine. I realize that there is some cost to doing SSL on the server side in terms of CPU time, but it's just the premium podcast feed we're talking about here. And it's a pretty big security loophole. I mean, there's a reason that auth.giantbomb.com forces you to use SSL, and for the same reason the podcast feed should as well.

I realize that disabling the non-SSL feed would be a huge hassle, because everyone would have to update their podcasting app, but at the very least change the link so that new people subscribe to the SSL feed, not the unencrypted one. And I really think you guys should at least try to get people to migrate to that feed, it's really kind of a shitty way to treat your users' security credentials.

For regular, non-staff, Giant Bomb users reading this, that also subscribe to the premium podcast feed: if you haven't done it already, change your premium podcast feed from this URL

http://www.giantbomb.com/podcast-xml/premium/

to this one:

https://www.giantbomb.com/podcast-xml/premium/

or this one:

https://username:password@www.giantbomb.com/podcast-xml/premium/

That way, your Giant Bomb username and password will always be encrypted in transit.
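The Basic-auth problem the post describes, as an added example (not code from the post or from Giant Bomb): it builds the Authorization header a podcast client sends, shows that it decodes straight back to the credentials, and audits a list of feed URLs, proposing the https form of each plain-http one. The feed list and the sample credentials are constructed for the demo.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

# Constructed sample subscription list: the plain feed, the userinfo trick,
# and the https variant the post recommends.
FEEDS = [
    "http://www.giantbomb.com/podcast-xml/premium/",
    "http://username:password@www.giantbomb.com/podcast-xml/premium/",
    "https://www.giantbomb.com/podcast-xml/premium/",
]


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_header(header: str) -> tuple[str, str]:
    """Reverse basic_auth_header: base64 is an encoding, not encryption,
    so anyone who can read the header on the wire can read the credentials."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def audit_feed(url: str) -> dict:
    """Flag a feed URL that would expose Basic-auth credentials in transit
    and return the https form of the same feed as the recommended fix."""
    parts = urlsplit(url)
    issues = []
    if parts.scheme == "http":
        issues.append("plain http: Authorization header is sent unencrypted")
    if parts.username is not None:
        issues.append("credentials embedded in the URL itself (userinfo)")
    recommended = url
    if parts.scheme == "http":
        # Keep host, path and any userinfo; only the scheme changes.
        recommended = urlunsplit(("https",) + tuple(parts[1:]))
    return {"url": url, "issues": issues, "recommended": recommended}


def audit_feeds(urls=FEEDS) -> list[dict]:
    return [audit_feed(u) for u in urls]


if __name__ == "__main__":
    for result in audit_feeds():
        status = "OK " if not result["issues"] else "FIX"
        print(status, result["url"], "->", result["recommended"], result["issues"])
```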

#2  Edited By Belegorm

I agree!

That said I normally find the ads in the normal podcast to be rather entertaining so I don't listen to the premium version of those :P

jeff

I want to say that iTunes couldn't handle SSL connections for podcast feeds, but I just gave it a fresh shot in the most recent version and it at least claims that it's transmitting securely. I'll bring it up.
