As I've been pruning my podcast bonsai tree, I've been reminded that the premium Bald Move feeds use username and password credentials which are stored as plaintext in the subscription URL. Although I personally use separate passwords for all sites, this is still a vulnerability as the credentials are sent via http. Since personal security hygiene is still not a common practice among the masses, there are surely dozens or hundreds of multi-use username and password combinations sitting on servers for the various podcatchers. Anytime a subscriber's device refreshes its feeds, these credentials are passed unencrypted via http according to the subscription tool.
I'd like to float the idea of using token-based authentication for the feeds. In addition to mitigating the URL vulnerability, tokenized URLs might also simplify some of the issues with Pocket Casts, which I use. The new feeds should also utilize https as an added layer of protection. I see https is already supported for apps that prompt for username and password.
As an example, Slate Plus offers token-based URLs for their feeds: http://www.slate.com/articles/slate_plus/slate_plus/2014/03/your_slate_plus_podcast_link.html
The internet is not a friendly place. If you guys can find the time to secure the feeds, it would likely prevent fallout from a security breach down the road. This will only become a growing concern as the Bald Move empire expands. Thanks for your consideration.
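To make the proposal concrete, here is an added sketch (not Bald Move's code, and not tied to any real podcast host) of what a per-subscriber feed token looks like server-side: a random token is issued per subscriber, only its hash is stored, a feed request is accepted only over https and only if the token maps to a subscriber, and a token can be revoked or rotated without touching the subscriber's site password. The `FeedTokenStore` class, the `token` query parameter and the `feeds.example.test` host are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


def has_embedded_credentials(url: str) -> bool:
    """True when a feed URL carries user:password in its authority part
    (the plaintext-in-URL form the post is concerned about)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


class FeedTokenStore:
    """Hypothetical per-subscriber token store. Only SHA-256 hashes of the
    tokens are kept, so a leaked table does not yield usable feed URLs."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, str] = {}  # token hash -> subscriber id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, subscriber_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._by_hash[self._hash(token)] = subscriber_id
        return token  # shown to the subscriber once, embedded in their feed URL

    def revoke(self, token: str) -> bool:
        return self._by_hash.pop(self._hash(token), None) is not None

    def rotate(self, subscriber_id: str) -> str:
        """Invalidate every token of one subscriber and hand out a fresh one."""
        stale = [h for h, s in self._by_hash.items() if s == subscriber_id]
        for h in stale:
            del self._by_hash[h]
        return self.issue(subscriber_id)

    def subscriber_for(self, token: str) -> Optional[str]:
        return self._by_hash.get(self._hash(token))


def authorize_feed_request(store: FeedTokenStore, url: str) -> Optional[str]:
    """Return the subscriber a feed URL maps to, or None to refuse it."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # refuse plaintext transport outright
        return None
    token = parse_qs(parts.query).get("token", [""])[0]
    return store.subscriber_for(token) if token else None
```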