
Insecure feeds and audio, identifiable domains, and why you don't want them

By James Cridland · 3.4 minutes to read

Search for your favourite podcast in Podnews, and you may see a message that it’s “insecure”.

You can click on the message to see more information; and it’ll lead you here to learn even more.

HTTP vs HTTPS

An insecure, unencrypted web address is one that starts http:// not https://.

When you download anything using http:// then anyone who can see your internet traffic can also see all the contents of what you’re looking at.

This is why banks and online stores use websites that start https:// - and we do, too - because nobody in between can see the content of your communications.

✉️ It’s like sending a letter to a friend. An unencrypted letter lets someone in the post office open your letter to read it: and they can open your friend’s replies, too.

Who else can see my internet traffic?

Your internet service provider, or your telco, can see every bit of your unencrypted internet traffic.

Your employer or school can also see it.

If you’re using public wifi, perhaps in a hotel or a coffee shop, then anyone else can see it too.

If you use a VPN, then the only thing your ISP or employer can see is that you’re using a VPN; though now your VPN provider can potentially look at your unencrypted internet traffic instead.

✉️ If you’re writing your letter in a cafe, anyone can look over your shoulder and read the letter; or read your friend’s reply, too.

Insecure Audio

If you download an insecure piece of audio, anyone else who can see your internet connection can see the audio you download, and the metadata that goes with it - from the title of the file to its contents.

✉️ You’re sending a letter to a friend, with a cassette tape in the envelope. Without encryption, anyone who has that letter can take the cassette tape out of the envelope and play it.

Insecure RSS feeds

If you download an insecure RSS feed, then, once more, anyone else who can see your internet connection can also see the contents of the RSS feed that you downloaded.

However, some podcast apps - notably Apple Podcasts, though it isn’t alone - download that RSS feed quite often: sometimes as often as every hour.

Because an insecure RSS feed isn’t being requested just once, but every single hour, it’s possible that this represents a bigger threat to your privacy.

✉️ If you send a letter every hour to your friend, and they send one back every hour, even a spy who works for an hour a day will be able to examine your letters.

(Your podcast host probably has an https:// version that works just fine: you need to put that into Apple Podcasts instead. Check with them as to how to do this.)
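As an added example, not Podnews' own code, here is a small checker in the spirit of the “insecure” flag described above. It parses a constructed RSS feed, reports the feed address and any audio enclosures that are served over plain http://, and suggests the https:// address to try instead (it only rewrites the scheme; whether the host actually serves it is something to check with them). Feed and enclosure URLs are invented.

```python
# Added example (not Podnews' own code): flag a podcast feed and its audio
# enclosures as "insecure" when they are fetched over plain http://.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, urlunparse

# Constructed sample feed: one secure enclosure and one insecure enclosure.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Podcast</title>
    <item>
      <title>Episode 1</title>
      <enclosure url="https://cdn.example.com/ep1.mp3" type="audio/mpeg" length="1"/>
    </item>
    <item>
      <title>Episode 2</title>
      <enclosure url="http://cdn.example.com/ep2.mp3" type="audio/mpeg" length="1"/>
    </item>
  </channel>
</rss>
"""


def is_insecure_url(url):
    """True when the URL is plain HTTP, so its contents travel unencrypted."""
    return urlparse(url).scheme.lower() == "http"


def https_candidate(url):
    """Return the same URL with the scheme swapped to https://.

    This is only a suggestion to try: the host must actually serve it.
    """
    parts = urlparse(url)
    return urlunparse(parts._replace(scheme="https"))


def audit_feed(feed_url, feed_xml):
    """Report insecure URLs in a feed.

    feed_url is the address the app polls (possibly every hour); feed_xml is
    the body it got back. The report lists the feed itself and each insecure
    enclosure as (episode title, url).
    """
    report = {
        "feed_insecure": is_insecure_url(feed_url),
        "total_enclosures": 0,
        "insecure_enclosures": [],
    }
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            report["total_enclosures"] += 1
            if is_insecure_url(url):
                report["insecure_enclosures"].append((title, url))
    return report


if __name__ == "__main__":
    result = audit_feed("http://feeds.example.com/podcast.rss", SAMPLE_FEED)
    if result["feed_insecure"]:
        print("Insecure feed address; try", https_candidate("http://feeds.example.com/podcast.rss"))
    for title, url in result["insecure_enclosures"]:
        print(f"Insecure audio in '{title}': {url} -> try {https_candidate(url)}")
```

The check is deliberately about the scheme alone: a feed that is itself https:// but whose enclosures are http:// still exposes the audio and its metadata to anyone on the path, which is why both are reported.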

Unique domain names

You might think that all of this is fixed with a secure, encrypted HTTPS connection.

Most of it is.

✉️ To use the letter analogy again: an encrypted HTTPS experience is like sending a letter to your friend in code (and a coded file). Nobody is able to read the letter. Nobody knows what the file is called or what it contains. But your letter still has to have something on it so that it gets there: your friend’s address.

You can encrypt your friend’s name. But your friend’s address needs to be visible to the postal service. Otherwise it won’t get there.

And so it is with podcasting. While HTTPS encrypts the filename you’re looking for, it doesn’t encrypt the domain name: that is sent in the clear at the start of the connection (the Server Name Indication) so that the server knows which site you want.

A thing called ESNI (Encrypted Server Name Indication) will fix this, eventually.

So, if you ask for an RSS feed from Anchor, then the RSS feed comes from the domain name of anchor.fm. So do another 500,000 podcasts. So it’s very hard to know what podcast you’re listening to.

If you request an RSS feed from Joe Rogan, however, (in November 2020, before he went exclusive to Spotify) the RSS feed came from the domain name of joeroganexp.joerogan.(provider).com, where 'provider’ was the show’s podcast host.

Because the domain name is not encrypted, if it is unique to a podcast, it allows bad actors to know exactly what podcast you listen to: which may not be an issue with Joe Rogan, but might be an issue with an anti-monarchy podcast in Thailand, or a gay podcast in the UAE.

So, a unique domain name is a bad thing for podcast privacy - even if everything else is encrypted.
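As an added example, not Podnews' own code, here is a script that makes the argument of this section concrete. For a constructed catalogue of feed URLs it shows what an on-path observer sees for each request (everything over http://; only the hostname over https://), and then counts how many feeds in the catalogue share each hostname, so that a hostname used by exactly one feed is flagged as identifying that podcast on its own. The catalogue is invented; “provider.example” stands in for the hosting provider that the page leaves unnamed.

```python
# Added example (not Podnews' own code): what a network observer sees for a
# podcast request, and how unique a feed's domain name is within a catalogue.
from collections import Counter
from urllib.parse import urlparse

# Constructed catalogue. Paths are invented; "provider.example" is a placeholder
# for the real hosting provider.
CATALOGUE = [
    "https://anchor.fm/s/abc123/podcast/rss",
    "https://anchor.fm/s/def456/podcast/rss",
    "https://anchor.fm/s/ghi789/podcast/rss",
    "https://joeroganexp.joerogan.provider.example/feed.xml",
    "http://feeds.example.net/oldshow.rss",
]


def observer_view(url):
    """Return what someone watching the network sees for one request.

    Plain HTTP exposes the whole URL and the response body. HTTPS hides the
    path and body, but the hostname still goes out unencrypted: in the DNS
    lookup and in the TLS handshake's Server Name Indication.
    """
    p = urlparse(url)
    if p.scheme.lower() == "http":
        return {"host": p.hostname, "path": p.path, "body": "visible"}
    return {"host": p.hostname, "path": None, "body": "encrypted"}


def host_anonymity(catalogue):
    """Map each feed URL to the number of catalogue feeds sharing its hostname.

    A count of 1 means the hostname alone identifies the podcast, even when
    everything else is encrypted.
    """
    counts = Counter(urlparse(u).hostname for u in catalogue)
    return {u: counts[urlparse(u).hostname] for u in catalogue}


def unique_domain_feeds(catalogue):
    """Feeds whose hostname is used by no other feed in the catalogue."""
    return sorted(u for u, n in host_anonymity(catalogue).items() if n == 1)


if __name__ == "__main__":
    for url in CATALOGUE:
        print(url, "->", observer_view(url))
    for url in unique_domain_feeds(CATALOGUE):
        print("identifying hostname:", urlparse(url).hostname)
```

The anonymity count is the useful number for a host: the more shows that share a domain, the less an observer learns from seeing that domain, which is exactly the anchor.fm versus show-specific-subdomain contrast made above.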

Podcast privacy matters

We don’t put this info here to shame any particular podcast host. We’re here to ensure that listeners’ privacy is respected. Your thoughts, below, are always welcome.

James Cridland is the Editor of Podnews, a keynote speaker and consultant. He wrote his first podcast RSS feed in January 2005; and also launched the first live radio streaming app for mobile phones in the same year. He's worked in the audio industry since 1989.
