
Disabling HTTP WebSub for HTTPS Feeds

FeedMail supports WebSub for real-time feed updates. WebSub is a great technology that allows faster and more efficient content distribution. However, WebSub hubs have the ability to inject arbitrary content into feeds. This is normally not an issue because feed owners will use hubs that they trust. The decentralized nature of WebSub even allows feed owners to run their own hub and trust no one.

However, if a WebSub hub is hosted over unencrypted http://, anyone who can see traffic between the subscriber (in this case FeedMail) and the hub can inject arbitrary content into the feed. We consider this too risky for too little benefit and will be removing support for this configuration.

When a user sees an https:// feed, they expect that it is private and secure. In order to maintain this expectation, FeedMail already takes a number of precautions.

  • https:// to http:// redirects for feeds are not followed.
  • Feed URLs are never updated to http:// URLs. (Generally, FeedMail follows feed URL changes.)

This change should ensure that users can trust the content of any https:// feeds.

What's Changing

Starting May 24th, FeedMail will no longer use WebSub for https:// feeds if the WebSub hub is not https://. Affected feeds will continue to be polled like other non-WebSub feeds. If a feed specifies both http:// and https:// hubs, the https:// ones will be used.

Update May 24th: This change is now active. No new subscriptions will be made on insecure hubs.

Updates from existing http:// hub subscriptions will continue to be accepted until the end of their lease (up to 7 days), at which point they will be ignored.

Example

If https://example/feed.atom contains a link to the hub http://example/hub, that hub will be ignored. In order to use WebSub for https:// feeds, the hub must be https:// as well.

Exception

pubsubhubbub.appspot.com is the most popular hub and it supports HTTPS. However, many feeds reference it using http://. FeedMail will use the https:// endpoint for these feeds as if that is what they specified. This is not expected to cause any problems and will simply improve security.

This exception may be removed at any time, so we highly recommend that feed owners update their feeds to reference the https:// endpoint. It should require no other changes on your part.
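
The hub-selection rule described above, including the exception, as a Python sketch. This is an added example and not FeedMail's code; the function name `usable_hubs`, the de-duplication step, and leaving http:// feeds unconstrained are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hubs known to serve the same endpoint over HTTPS (the exception in the post).
UPGRADABLE_HUB_HOSTS = {"pubsubhubbub.appspot.com"}


def usable_hubs(feed_url, hub_urls):
    """Return the hubs a subscriber applying this policy would use.

    An empty list means: no WebSub for this feed, fall back to polling.
    """
    if urlsplit(feed_url).scheme != "https":
        # Assumption: the policy only constrains https:// feeds.
        return list(hub_urls)

    selected = []
    for hub in hub_urls:
        try:
            parts = urlsplit(hub)
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            continue  # unparseable hub link: never subscribe to it
        host = (parts.hostname or "").lower()
        scheme = parts.scheme

        # Exception: treat the http:// reference to a known HTTPS-capable
        # hub as if the feed had specified https://.
        if scheme == "http" and host in UPGRADABLE_HUB_HOSTS and port in (None, 80):
            parts = parts._replace(scheme="https", netloc=host)
            scheme = "https"

        # Everything that is still not https:// is ignored outright.
        if scheme == "https" and host:
            url = urlunsplit(parts)
            if url not in selected:
                selected.append(url)
    return selected


if __name__ == "__main__":
    # Constructed sample: the feed from the Example section with mixed hubs.
    print(usable_hubs("https://example/feed.atom",
                      ["http://example/hub", "https://example/hub"]))
```
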

Effect

This is expected to have no significant impact on users. Despite FeedMail subscribing to hundreds of feeds via WebSub, only 8% of those feeds currently have this issue.

Of those, 75% will be covered by the above exception.

The remaining 25% of feeds are all using http://medium.superfeedr.com/ as a hub. This hub is intended for use by Medium, which has a broken WebSub implementation that never sends updates. This means that ignoring this hub will actually improve update speed, as FeedMail will poll more often.

So in conclusion, 8% of feeds will become more secure and 2% of those will also update faster. No current feeds will become worse in any way.

For Feed Owners

If you are a feed owner, please inspect your feeds for links that start with http://. These links hurt your readers' privacy and risk the integrity of your content. We recommend using https:// for all links even if they are covered by the above exception.

If you are still unsure of how this change will affect your feed, feel free to reach out to FeedMail support.
