
Insecure feeds and audio, and identifiable domains: you don't want them

By James Cridland · 3.1 minutes to read

This article is at least a year old

Search for your favourite podcast in Podnews, and you may see a message that it’s “insecure” or uses “a unique domain”.

You can click on the message to see more information; and it’ll lead you here to learn even more.

HTTP vs HTTPS

An insecure, unencrypted web address is one that starts with http://, not https://.

When you download anything using http:// then anyone who can see your internet traffic can also see all the contents of what you’re looking at.

This is why banks and online stores use websites that start https:// - and we do, too - because over HTTPS nobody else can see the content of your communications.

✉️ It’s like sending a letter to a friend. An unencrypted letter lets someone in the post office open your letter to read it: and they can open your friend’s replies, too.

Who else can see my internet traffic?

Your internet service provider, or your cellphone provider, can see every bit of your unencrypted internet traffic.

Your employer or school can also see it.

If you’re using public wifi, perhaps in a hotel or a coffee shop, then anyone else on that network can see it too.

If you use a VPN, the only thing your ISP or employer can see is that you’re using a VPN. But the VPN company you’re using can see your internet traffic instead.

✉️ If you’re writing your letter in a cafe, anyone can look over your shoulder and read the letter; or read your friend’s reply, too.

Insecure Audio

If you download an insecure piece of audio, anyone else who can see your internet connection can see the audio you download, and the metadata that goes with it - from the title of the file to its contents.

✉️ You’re sending a letter to a friend, with a cassette tape in the envelope. Without encryption, anyone who has that letter can take the cassette tape out of the envelope and play it.

Insecure RSS feeds

If you download an insecure RSS feed, then, once more, anyone else who can see your internet connection can also see the contents of the RSS feed that you downloaded.

Some podcast apps download that RSS feed directly: sometimes as often as every hour.

Because an insecure RSS feed isn’t being requested just once, but every single hour, it’s possible that this represents a bigger threat to your privacy.

✉️ If you send a letter every hour to your friend, and they send one back every hour, even a spy who works for an hour a day will be able to examine your letters.

(Your podcast host probably has an https:// version that works just fine: you need to put that into Apple Podcasts instead. Check with them as to how to do this.)

Unique domain names

You might think that all of this is fixed with a secure, encrypted HTTPS connection.

Most of it is.

✉️ To use the letter analogy again: an encrypted HTTPS experience is like sending a letter to your friend in code (and a coded file). Nobody is able to read the letter. Nobody knows what the file is called or what it contains. But your letter still has to have something on it so that it gets there: your friend’s address.

You can encrypt your friend’s name. But your friend’s address needs to be visible to the postal service. Otherwise the letter won’t get there.

And so it works for podcasting. While HTTPS encrypts the filename you’re asking for, it doesn’t encrypt the domain name.

So, if you ask for an RSS feed from Buzzsprout, then the RSS feed comes from the domain name of buzzsprout.com. So do another 250,000 active podcasts. So it’s very hard to know what podcast you’re listening to.

Sometimes, however, podcast hosting companies give domain names that are unique. Podnews’s RSS feed, for example, is the only one at podnews.net (well, it’s one of two we host here).

Because the domain name is never encrypted, if it is unique to a podcast, it allows bad actors to know exactly what podcast you listen to: which may not be an issue with Podnews, but might be an issue with an anti-monarchy podcast in Thailand, or a gay podcast in the UAE.

A unique domain name is a bad thing for podcast privacy - even if everything else is encrypted.
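The sketch below is an added example, not Podnews's own checker: it audits a feed for the insecure-feed, insecure-audio and unique-domain conditions described above, and records what a network observer would learn from each request. The sample feed, the example.org hostnames, the function names and the shared-host list are assumptions made for illustration (only buzzsprout.com comes from the article).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: hosting domains shared by many podcasts. Only buzzsprout.com
# is named in the article; extend this set for real use.
SHARED_HOSTS = {"buzzsprout.com"}

# Constructed sample feed; the example.org names are placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Constructed Show</title>
  <item><title>Ep 1</title>
    <enclosure url="http://media.myshow.example.org/ep1.mp3" type="audio/mpeg" length="1"/></item>
  <item><title>Ep 2</title>
    <enclosure url="https://www.buzzsprout.com/123/ep2.mp3" type="audio/mpeg" length="1"/></item>
</channel></rss>"""


def registrable_guess(host):
    # Naive: keep the last two labels. A real check would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    insecure = parts.scheme.lower() != "https"
    return {
        "url": url,
        "host": host,
        "insecure": insecure,
        # Heuristic: any domain not known to be shared is treated as unique.
        "unique_domain": registrable_guess(host) not in SHARED_HOSTS,
        # Over http the whole URL (and the content) is exposed; over https only the host.
        "observer_sees": url if insecure else host,
    }


def audit_feed(feed_url, feed_xml):
    # For feeds fetched from untrusted sources, parse with a hardened XML parser.
    root = ET.fromstring(feed_xml)
    urls = [feed_url] + [e.get("url") for e in root.iter("enclosure") if e.get("url")]
    return [classify(u) for u in urls]


if __name__ == "__main__":
    for row in audit_feed("http://feeds.myshow.example.org/rss", SAMPLE_FEED):
        print(row)
```

The first row describes the feed URL itself; each later row is one episode's audio file.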

James Cridland
James Cridland is the Editor of Podnews, a keynote speaker and consultant. He wrote his first podcast RSS feed in January 2005; and also launched the first live radio streaming app for mobile phones in the same year. He's worked in the audio industry since 1989.
