Podcast privacy: why RSS sub-domains are bad
Some podcast hosts give podcasters a sub-domain for their RSS feed. Here’s why that’s a bad thing.
Visit an unencrypted HTTP website like http://neverssl.com/ and every single part of your connection is visible to anyone who can see your internet traffic: your co-workers, your employer, or your ISP. They can see the entire contents of the web page, and anything you type into it.
Visit an encrypted HTTPS website, like https://podnews.net/ as an example, and almost nothing of your connection is visible. People snooping on your data can see nothing, because it’s encrypted: only you can see what’s inside.
However. That’s the contents of a web-page. Not the HTTP headers, and particularly this one:
The ‘host’ is never encrypted, even when you connect via HTTPS. It’s always visible to anyone who can see your internet traffic. Even if everything else is encrypted, a request for something on the website of https://illegalthing.podcasthost.example.com will always be visible through the Host HTTP header.
If a podcast host puts a podcast RSS feed on its own RSS subdomain, that’s bad for your privacy, since it’s clear — literally — when you visit it.
It’s particularly bad for podcasts: because a typical podcast app will repeatedly check for new episodes by visiting that RSS feed again and again, sometimes as often as every hour or so. So, someone snooping on your internet traffic could see the request for an RSS feed at https://illegalthing.podcasthost.example.com every single hour.
In fact, in most cases, unless you’re using a secure DNS service like NextDNS, you’ll advertise the fact you’re visiting this podcast RSS feed twice: once to anyone who can see your internet traffic, but also once to anyone who can see your DNS lookup to find out where the domain-name actually is. (I use and recommend NextDNS; that’s an affiliate link).
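To make both leaks concrete, here is an added example (written for this page, not code from the Podnews article or from any podcast host) that uses only the Python standard library and never touches the network. With HTTPS the Host header itself travels inside the encrypted stream, but the same hostname is sent in the clear a moment earlier in the TLS Server Name Indication (SNI) of the ClientHello, before any key has been agreed; that is the cleartext copy an on-path observer reads. The DNS lookup that precedes the connection carries the hostname a second time, in the plaintext question section of a UDP/53 query. The hostname used is the article’s own illustrative one, and the `ssl` memory-BIO handshake is assumed to produce the same ClientHello the real client would put on the wire.

```python
import ssl
import struct
from typing import Optional

# Added example (not from the Podnews post): show, with the standard library,
# exactly which bytes carry the feed's hostname in the clear.
# The hostname is the post's own illustrative one.
FEED_HOST = "illegalthing.podcasthost.example.com"


def capture_client_hello(hostname: str) -> bytes:
    """Run a real TLS client handshake into memory BIOs (no network) and return
    the first bytes the client would send on the wire: the ClientHello record."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for the server
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a plaintext TLS handshake record and return the server_name
    (RFC 6066 SNI) from the ClientHello, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:  # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                                   # legacy_version + random
    pos += 1 + hello[pos]                                          # legacy_session_id
    (n,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2 + n   # cipher_suites
    pos += 1 + hello[pos]                                          # legacy_compression_methods
    if pos >= len(hello):
        return None                                                # no extensions at all
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type != 0:                                          # 0 = server_name
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            (name_len,) = struct.unpack("!H", data[p + 1:p + 3]); p += 3
            if name_type == 0:                                     # 0 = host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Encode a plain (UDP/53) DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def extract_dns_qname(packet: bytes) -> str:
    """Read the question name back out of a DNS query, as any resolver or
    on-path observer can."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    hello = capture_client_hello(FEED_HOST)
    print("bytes on the wire before any encryption:", len(hello))
    print("SNI visible to an observer:", extract_sni(hello))
    print("DNS question visible to an observer:",
          extract_dns_qname(build_dns_query(FEED_HOST)))
```

Running it prints the feed’s hostname twice: once recovered from the TLS ClientHello, once from the DNS question. An encrypted DNS service (DNS over HTTPS or TLS, which is what the NextDNS recommendation above buys you) closes the second channel; the SNI copy stays visible until the site and client both support Encrypted Client Hello, so a feed on its own sub-domain still names the podcast to anyone watching the wire.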
If a podcast you listen to uses a distinct sub-domain for its RSS feed, be aware that this means your podcast listening isn’t private — from your co-workers, your employer, your school, your ISP or even your government.
Most podcast hosts don’t. But be cautious of those that do. This isn’t an issue of opt-in or opt-out: there’s no choice.
And, if they’re as bad with your privacy in this regard, what else are they doing?