Skip to main content

Disabling HTTP WebSub for HTTPS Feeds

FeedMail supports WebSub for real-time feed updates. WebSub is a great technology that allows faster and more efficient content distribution. However WebSub hubs have the ability to inject arbitrary content into feeds. This is normally not an issue because feed owners will use hubs that they trust. The decentralized nature of WebSub even allows feed owners to run their own hub and trust no one.

However if a WebSub hub is hosted over unencrypted http:// anyone who can see traffic between the subscriber (in this case FeedMail) and the hub can inject arbitrary content into the feed. We consider this too risky for too little benefit and will be removing support for this configuration.

When a user sees an https:// feed they expect that it is private and secure. In order to maintain this expectation FeedMail already takes a number of precautions.

  • https:// to http:// redirects for feeds are not followed.
  • Feed URLs are never updated to http:// URLs. (Generally, FeedMail follows feed URL changes.)

This change should ensure that users can trust the content of any https:// feeds.

What's Changing

Starting May 24th FeedMail will no longer use WebSub for https:// feeds if the WebSub hub is not https://. Affected feeds will continue to be polled like other non-WebSub feeds. If a feed specifies both http:// and https:// hubs the https:// ones will be used.

Update May 24th: This change is now active. No new insecure subscriptions will be made on insecure hubs. 

Updates from existing http:// hub subscriptions will continue to be accepted until the end of their lease (up to 7 days) at which point they will be ignored.

Example

If https://example/feed.atom contains a link to the hub http://example/hub that hub will be ignored. In order to use WebSub for https:// feeds the hub must be https:// as well.

Exception

pubsubhubbub.appspot.com is the most popular hub and it supports HTTPS. However many feeds reference it using http://. FeedMail will use the https:// endpoint for these feeds as if that is what they specified. This is not expected to cause any problems and will simply improve security.

This exception may be removed at any time, we highly recommend that feed owners update their feeds to reference the https:// endpoint. It should require no other changes on your part.

Effect

This is expected to have no significant impact on users. Despite FeedMail subscribing to hundreds of feeds via WebSub, only 8% of those feeds currently have this issue.

Of those, 75% will be covered by the above exception.

The remaining 25% feeds are all using http://medium.superfeedr.com/ as a hub. This hub is intended for use by Medium which has a broken WebSub implementation that never sends updates. This means that ignoring this hub will actually improve update speed as FeedMail will poll more often.

So in conclusion, 8% feeds will become more secure and 2% of those will also update faster. No current feeds will become worse in any way.

For Feed Owners

If you are a feed owner please inspect your feeds for links that start with http://. These links hurt your reader's privacy and risk the integrity of your content. We recommend using https:// for all links even if they are covered by the above exception.

If you are still unsure of how this change will affect your feed feel free to reach out to FeedMail support.

Comments

Popular posts from this blog

Announcing FeedMail

I'm pleased to be sharing a project that I have been working on for a while and have been thinking about doing for even longer. FeedMail is a simple service that aims to get updates from your favourite websites to your email with no fuss and no nonsense. If you are already sold and want to follow some feeds simply go to feedmail.org to get started. How FeedMail Works FeedMail works using a set of technologies informally called RSS. FeedMail actually supports a variety of feed formats including Atom, RSS2 and RSS1. These feeds are created by websites and updated whenever new content is posted. FeedMail subscribes to these feeds on your behalf and forwards new entries to the email address of your choice. Many websites support these feeds. Just post the URL to an article or website that you want to subscribe to and FeedMail will show you the available feeds. For example the following websites support RSS: YouTube Channels Medium GitHub Releases Tumblr Many news sites Many more... RSS

Providing Email Subscriptions to your Readers with FeedMail

If you offer a blog with an RSS feed you can reach more users by offering email subscription as well. FeedMail provides an easy-to-integrate newsletter that has no cost to you. Just select one of the implementation strategies below. Implementation Options Link The easiest option is to provide a link to the subscribe page. First got to the FeedMail New Subscription page. Enter your website's URL and click "Go".  Then copy the URL from your browser's address bar. This the the URL to subscribe to your website! It should look something like https://feedmail.org/subscriptions/new?url= https%3A%2F%2Fyour-site.example . You can then link to that URL from your site. For example if you are using raw HTML in your design it would look something like: <a href="https://feedmail.org/subscriptions/new?url= https%3A%2F%2Fyour-site.example ">Click here to subscribe by email.</a>  Subscribe Button To use a button simply add the following code to your website. &l

How to Subscribe to YouTube via Email

YouTube disabled native email notifications in August 2020 . Luckily FeedMail lets you get these notifications back, and they are better than ever! Why Email Notifications? At FeedMail were are a huge fan of email notifications! Synced across all of your devices. Easy to sort and filter. Very customizable. You can decide if you want them to buzz your phone, ding your computer, both, or quietly file into a folder for you to check when you have some downtime. One place for all of your updates. No need to remember to log into YouTube, Odysee, Vimeo, PeerTube and Nebula on every device. Better than Native? We think so! No need to create a YouTube account. Per-video notifications, no batching to mess up your filters and workflow. You can pick a different email address for each channel for easy filtering. Not everything needs to go to your primary address. Instructions Find the channel that you want to subscribe to. If you are watching a video you can get to the channel but clicking the cha