Hello,
So tempering with SSL/TLS is a terrible idea imo. The risk is not around
downloading a podcast one doesn't want. The risk is with downloading
compromised files from an unknown source that will affect the security of
your device and the people you know.
For past examples:
https://fortune.com/2015/10/01/stagefright-android-vulnerability-song/
If a website is not able to maintain a valid TLS certificate (it's fairly
easy and even free now with Let's Encrypt), they should offer a non-TLS
version. Try first by changing the URL to http://your-podcast.website/etc.
Then try reaching out to the website in question so that they can fix this
issue.
What could be possible however is to allow a podcast to downgrade to HTTP
if HTTPS doesn't work.
Thomas
Le mar. 17 déc. 2019 à 22:28, Fourhundred Thecat <400thecat@xxxxxx> a
écrit :
Hello,
when downloading podcasts over https or even subscribing to feed, when
the certificate is invalid gpodder fails with download error.
While it is good to know that certificate is invalid, I think there
should be an option to ignore invalid certificates.
Lets be realistic. What is gpodder protecting me from ?
A "man in the middle attack", where somebody tampers with my favorite
podcast and implants fake episode ?
Unlike web browser, gpodder is not used by people to manage e-banking,
or to file taxes.
Simply refusing to download from feed with invalid certificate is
overreaction, or perhaps even security theater.
I suggest, there should be a way to ignore invalid certificates.
In the meantime, If not, how can I circumvent it?
I am happy to change the python code, if necessary, if somebody can
point me to the right section.
thank you
