Thursday, April 28, 2016

Avoid Use Of FeedBurner "Password Protector"

Some Google products contain features that have limited usefulness when applied to Blogger blogs.

FeedBurner has a feature, "Password Protector", which may be useful, to newsfeed readers that support HTTP authentication. Within FeedBurner, we have the "Email Subscriptions" service - which does not support feed authentication.
Your readers will be required to use newsreader or aggregator software that supports authentication to view your feed.
Some Google, and non-Google, services will have a problem with a FeedBurner protected feed.

Newsfeeds, published by Blogger blogs, are supposed to be publicly accessible.

A blog with designated readers will not produce a newsfeed. Blogger does not support authenticated newsfeeds.

To use Password Protector, look on the FeedBurner dashboard, under the Publicize tab, for "Password Protector". Enter a Username and a Password, and hit "Activate". But don't do this without knowing the downsides.

Password Protector uses a single username / password combination. All blog readers will use the same username.

FeedBurner warns us of possible problems, caused by this service.





Important: This service prevents our Email Subscriptions service from delivering email updates from your feed, and it will also password protect your feed's content when redisplayed using our Headline Animator graphic. This graphic itself becomes password protected, which is undesirable if you wish to use it to promote your site/feed. Therefore, we recommend not using Headline Animator or Email Subscriptions, and this Password Protector service, with the same feed.

From what I can see, Blogger Reading List may ignore the authentication requirement. People may use Reading List, and view the blog feed, redirected through FeedBurner - even if not authorized.

We know, however, that email subscriptions will not work, with a protected feed. Looking at an HTTP trace of the feed from my test blog http://techdict.nitecruzr.net, we see a symptom of the problem, with this option.

http://techdict.nitecruzr.net/feeds/posts/default

http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://techdict.nitecruzr.net/feeds/posts/default&uag=Mozilla/5.0+(X11%3B+CrOS+armv7l+7834.70.0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36&ref=http://www.rexswain.com/httpview.html&aen=&req=GET&ver=1.1&fmt=AUTO

Sending request:

GET /feeds/posts/default HTTP/1.1
Host: techdict.nitecruzr.net
User-Agent: Mozilla/5.0 (X11; CrOS armv7l 7834.70.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Referer: http://www.rexswain.com/httpview.html
Connection: close
• Finding host IP address...
• Host IP address = 74.125.28.121

• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...
Receiving Header:

HTTP/1.1·302·Found(CR)(LF)
ETag:·W/"32e869db-18a9-4ccf-8ad9-dbded29f2b25"(CR)(LF)
Date:·Wed,·27·Apr·2016·15:04:06·GMT(CR)(LF)
Content-Type:·text/html(CR)(LF)
Server:·blogger-renderd(CR)(LF)
Expires:·Wed,·27·Apr·2016·15:04:07·GMT(CR)(LF)
Cache-Control:·public,·must-revalidate,·proxy-revalidate,·max-age=1(CR)(LF)
X-Content-Type-Options:·nosniff(CR)(LF)
X-XSS-Protection:·1;·mode=block(CR)(LF)
Location:·http://feeds.feedburner.com/ChucksTechWorld(CR)(LF)

Here, we see a normal redirected blog posts newsfeed: the 302 response targets a FeedBurner published feed.

But what happens, when we try to open the feed?

http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://feeds.feedburner.com/ChucksTechWorld&uag=Mozilla/5.0+(X11%3B+CrOS+armv7l+7834.70.0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36&ref=http://www.rexswain.com/httpview.html&aen=&req=GET&ver=1.1&fmt=TXT

Sending request:

GET /ChucksTechWorld HTTP/1.1 HTTP/1.1
Host: feeds.feedburner.com
User-Agent: Mozilla/5.0 (X11; CrOS armv7l 7834.70.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Referer: http://www.rexswain.com/httpview.html
Connection: close
• Finding host IP address...
• Host IP address = 172.217.0.14

• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...
Receiving Header:

HTTP/1.1·401·Unauthorized(CR)(LF)
WWW-Authenticate:·BASIC·realm="FeedBurner·feed·ChucksTechWorld"(CR)(LF)

The "HTTP Viewer" service does not support feed authentication (and only works with the "HTTP:" protocol), and we see the result: a "401 Unauthorized" response, carrying a BASIC authentication challenge.
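An added example (not part of the original post, and not FeedBurner or HTTP Viewer code): a small Python parser for the header dumps shown above, which classifies what a client without credentials receives at each hop. The header lines are copied from the two traces; the function names, and the credential used to illustrate the Basic header, are hypothetical.

```python
import base64
import re

# Header lines copied from the two HTTP Viewer traces above ("·" marks a space).
BLOGGER_HOP = (
    'HTTP/1.1·302·Found(CR)(LF)\n'
    'Server:·blogger-renderd(CR)(LF)\n'
    'Location:·http://feeds.feedburner.com/ChucksTechWorld(CR)(LF)\n'
)
FEEDBURNER_HOP = (
    'HTTP/1.1·401·Unauthorized(CR)(LF)\n'
    'WWW-Authenticate:·BASIC·realm="FeedBurner·feed·ChucksTechWorld"(CR)(LF)\n'
)

def parse_trace(dump):
    """Turn an HTTP Viewer header dump into (status_code, {header: value})."""
    lines = [l.replace("(CR)(LF)", "").replace("·", " ").strip()
             for l in dump.splitlines() if l.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(url, dump):
    """Describe what an unauthenticated client gets from this hop."""
    status, headers = parse_trace(dump)
    if 300 <= status < 400 and "location" in headers:
        return ("redirect", headers["location"])
    if status == 401:
        m = re.match(r'(\w+)\s+realm="([^"]*)"',
                     headers.get("www-authenticate", ""))
        scheme, realm = (m.group(1).lower(), m.group(2)) if m else ("unknown", "")
        # Basic over plain http:// exposes the credential to anyone on the path.
        cleartext = scheme == "basic" and url.lower().startswith("http://")
        return ("auth-required", scheme, realm, cleartext)
    return ("open", status)

def basic_header(username, password):
    """Authorization value a newsreader sends: base64 encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token
```

Since the challenge is BASIC and the traced feed URL is http://, every fetch by an authenticated reader carries the username and password in a form that decodes trivially.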

It's possible that this feature will be useful, with feeds that are used outside Blogger (noting the Reading List ability). If you're publishing a Blogger blog, however, you're not likely to get any useful result.



Owners of #Blogger blogs, which use the FeedBurner "Password Protector" service, may find that the service delivers less protection - and more interference - than the service name suggests. It would probably be best to avoid use of this service.


Yudi Anto said...

I have a dilemma... Using blogspot+FeedBurner really helps to auto post blogspot to Twitter, and then from Twitter to Facebook or any other method to distribute/promote blog posts to any service, etc. The problem is FeedBurner doesn't add any security feature to help combat content scrapers. Using the password protected feature really helps a lot; 90% of content scrapers are unable to steal content, as it returns 401. If only I could manage to allow FeedBurner to post to Twitter. Do you know a workaround for this matter? Perhaps from their "socialize" feature setting?


Nice reading btw

Chuck Croll said...

Hi Yudi,

Thanks for the explanation.

Will a content scraper stop when encountering a FeedBurner "password protected" feed?

The original Blogger feed remains unprotected - so what's to stop anybody from creating a second feed using FeedBurner - or simply scraping from the original Blogger feed, with feed redirection blocked?

Note that one does not have to be the blog owner, to make a FeedBurner feed from a blog.

http://blogging.nitecruzr.net/2011/01/make-email-based-feed-from-somebody.html