For-Pay Only Podcasting (Password Protected)

Today I learned about iTunes support for password protected podcasts, and am thinking about the security issues, planning out how I can support this in PodPress as well as what this means for podcasting in general.

Overall I think this is very cool for podcasting, because it can open the doors for various content providers to jump in and start offering content. It may also allow existing podcasters to start offering special pay-only content. I know many want everything for free, but I'm not opposed to paying people for the time and talent they pour into creating great content.

That aside, I was most curious about the technical issues involved. So I dug in…

Last week I heard that radio talk show host Rush Limbaugh announced that his show would be available from within iTunes. For several months his show was available as a “podcast”, which meant his subscribers could download MP3s a few hours after each show aired. At the time this happened, I dug into the custom downloader, sniffed out the traffic and figured out how it all worked. It wasn't complicated, but it wasn't a real podcast: there was no RSS feed with enclosures, and no way standard podcatchers could ever support it.

Now the landscape has changed, and this is a new solution that works with iTunes. I still didn't know how it was going to work, but my guess was that it had to do with HTTP BasicAuth. This morning the website had the link, and I had my Paros Proxy. I configured my computer to run through the local proxy, and I went about getting the show into my iTunes, recording all the network traffic along the way.

It turned out to be much easier than I expected. It did use HTTP BasicAuth, and it only does so for the RSS feed.
So what we have is a link to the RSS feed, but with the protocol defined as itpc, which I assume to mean ITunesPodCast and is something that iTunes is registered to handle.

So the link looks something like this:


Note: Just because the protocol is itpc instead of http does not mean you couldn't go to this URL with your browser.

If you try, you will get a password prompt. This is using standard HTTP BasicAuth, and once you give your credentials you would get the RSS Feed.
The feed itself is a standard iTunes-compliant RSS2 document like we are all used to. As far as the MP3 files themselves, there is only security by obscurity. I will not give an actual URL to one of the MP3 files, but it's something along the lines of /username/48123789787qe98/rushlimb/2006/03/Rush%20Limbaugh%20-%20Mar%2010%202006%20-%20Hour%201.mp3

If you had the actual URL, you could download the MP3 without any sort of authentication. Of course, security by obscurity is not an ideal solution, but in the case of this type of content it serves the need. It should also be easy to use the same HTTP BasicAuth to protect the MP3 files if so desired.
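Gating the enclosures with the same HTTP BasicAuth as the feed, as an added example (not code from the original post, iTunes or PodPress): a small WSGI middleware showing the feed-only setup beside one that also protects the MP3s. The usernames, password, paths and helper names are constructed for illustration.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed sample credentials and paths (assumptions, not from the post).
USERS = {"subscriber": "correct horse"}
PROTECTED_PREFIXES = ("/feed.xml", "/media/")  # the feed AND its enclosures

def check_basic_auth(header):
    """True if the header carries valid Basic credentials (constant-time compare)."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    same = hmac.compare_digest(password.encode(), (expected or "\0").encode())
    return same and expected is not None

def require_auth(app, prefixes=PROTECTED_PREFIXES):
    """WSGI middleware: demand Basic Auth for any path under `prefixes`."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        authed = check_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        if path.startswith(prefixes) and not authed:
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="podcast"')])
            return [b"authentication required\n"]
        return app(environ, start_response)
    return wrapped

def content_app(environ, start_response):  # stand-in for the real file server
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [b"payload for " + environ["PATH_INFO"].encode()]

def status_for(app, path, user=None, password=None):  # in-process request helper
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])

feed_only = require_auth(content_app, prefixes=("/feed.xml",))  # as the post found it
hardened = require_auth(content_app)  # feed and MP3s both gated
```

BasicAuth credentials are only base64-encoded on the wire, so both the feed and the media should be served over HTTPS.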

I have also found out that the popular podcatcher Juice supports HTTP BasicAuth as well, so using this solution really seems the way to go.

I believe I can add support into PodPress for all this at some point, and the bottom line is that this is an interesting and exciting development in the Podcasting world.

- Additional Resources -

* Just found out about another blogger who did a write up here


About Dan Kuykendall

Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team.
