Hi,
I've got the same problem. Even deleting "s" from "https:" does not help. I get
this error message:
Einige Podcasts konnten nicht zur Liste hinzugefügt werden:
http://fazeinspruch.podigee.io/feed/mp3: ;<urlopen error [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate
in certificate chain (_ssl.c:1056)>
I noticed that iTunes (which is not my favoured podcatcher) does download
episodes from these podcasts. Can gPodder be adjusted to this problem in any
way?
Viele Grüße
Caspar
Von: gpodder-bounce@xxxxxxxxxxxxx <gpodder-bounce@xxxxxxxxxxxxx> Im Auftrag von
thomas blanchard
Gesendet: Mittwoch, 18. Dezember 2019 12:50
An: gpodder@xxxxxxxxxxxxx
Betreff: [gpodder] Re: ignore invalid certificate
Hello,
So tempering with SSL/TLS is a terrible idea imo. The risk is not around
downloading a podcast one doesn't want. The risk is with downloading
compromised files from an unknown source that will affect the security of your
device and the people you know.
For past examples:
https://fortune.com/2015/10/01/stagefright-android-vulnerability-song/
If a website is not able to maintain a valid TLS certificate (it's fairly easy
and even free now with Let's Encrypt), they should offer a non-TLS version. Try
first by changing the URL to http://your-podcast.website/etc.
Then try reaching out to the website in question so that they can fix this
issue.
What could be possible however is to allow a podcast to downgrade to HTTP if
HTTPS doesn't work.
Thomas
Le mar. 17 déc. 2019 à 22:28, Fourhundred Thecat
<400thecat@xxxxxx<mailto:400thecat@xxxxxx>> a écrit :
Hello,
when downloading podcasts over https or even subscribing to feed, when
the certificate is invalid gpodder fails with download error.
While it is good to know that certificate is invalid, I think there
should be an option to ignore invalid certificates.
Lets be realistic. What is gpodder protecting me from ?
A "man in the middle attack", where somebody tampers with my favorite
podcast and implants fake episode ?
Unlike web browser, gpodder is not used by people to manage e-banking,
or to file taxes.
Simply refusing to download from feed with invalid certificate is
overreaction, or perhaps even security theater.
I suggest, there should be a way to ignore invalid certificates.
In the meantime, If not, how can I circumvent it?
I am happy to change the python code, if necessary, if somebody can
point me to the right section.
thank you
Frankfurter Allgemeine Zeitung GmbH
Hellerhofstra�e 2-4
60327 Frankfurt am Main
HRB 7344 . Amtsgericht Frankfurt am Main
Vorsitzender des Aufsichtsrats: Prof. Dr. Dr. Andreas Barner
Gesch�ftsf�hrung: Thomas Lindner (Vorsitzender), Dr. Volker Breid
---------------------------------------------------------------------
