(In this message, wherever it says "google reader" it can be any subscriber)
Here's a scenario:

1. I know Google Reader (for instance) has the capabilities to be a subscriber.
2. I use Google Reader to subscribe to a feed hosted at my server; this feed states the hub to be my server.
3. I get a subscription request from Google Reader, thus enabling me to discover their callback URL.
4. I figure out the callback URL of a different Atom feed people are subscribed to that has a different hub, then I send a POST request to that callback with new "fake" content, causing Google Reader's users to see a fake post.

So yeah, if Google uses a custom callback URL they can easily use something like this, for example: http://reader.google.com/pushCallBack/feedid/[feed id here]/hash/[hash key for feed here]

Then when getting a POST request they can check the hash actually matches what they expect, and hashing can be done with a secret key or whatever. Simple, right?

However, that would totally scratch the possibility of using the "Aggregated Content Distribution" stated in the protocol: http://pubsubhubbub.googlecode.com/svn/trunk/pubsubhubbub-core-0.2.html#aggregatedistribution which basically says "different callbacks generate different POST requests and no aggregation".

I'm surprised a way for a hub to identify itself to a subscriber when POSTing new content isn't in the protocol. Or am I missing something?

(If there's another post dealing with this issue, I'd love to be pointed to it; a quick search didn't help.)

Thanks for the help :)
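
The keyed-hash callback URL sketched in the post, written out as an added example (not code from the thread or from any PubSubHubbub implementation): the subscriber mints a per-feed token from a server-side secret when it subscribes, and later accepts a content POST only if the token in the path matches and the feed id is one it actually subscribed to. The secret, the base URL and the subscription table are constructed placeholders.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder secret; a real subscriber loads this from its key store.
SERVER_SECRET = b"constructed-subscriber-secret-do-not-reuse"

# Subscriptions this subscriber actually holds: feed id -> topic URL (constructed).
SUBSCRIPTIONS = {
    "42": "http://example.com/feed.atom",
}


def callback_token(feed_id: str) -> str:
    """Keyed hash bound to the feed id; only the holder of SERVER_SECRET can compute it."""
    return hmac.new(SERVER_SECRET, feed_id.encode(), hashlib.sha256).hexdigest()


def build_callback_url(base: str, feed_id: str) -> str:
    """Callback URL handed to the hub at subscription time (shape from the post)."""
    return f"{base}/pushCallBack/feedid/{feed_id}/hash/{callback_token(feed_id)}"


def verify_callback(url_or_path: str) -> Optional[str]:
    """Return the feed id if an incoming POST path carries a valid token, else None.

    Rejects: malformed paths, feed ids we never subscribed to, and tokens that do
    not match. Comparison is constant-time so the token cannot be guessed byte by byte.
    """
    parts = urlparse(url_or_path).path.strip("/").split("/")
    # Expected shape: pushCallBack/feedid/<id>/hash/<token>
    if len(parts) != 5 or parts[0] != "pushCallBack" \
            or parts[1] != "feedid" or parts[3] != "hash":
        return None
    feed_id, presented = parts[2], parts[4]
    if feed_id not in SUBSCRIPTIONS:
        return None
    if not hmac.compare_digest(callback_token(feed_id), presented):
        return None
    return feed_id
```

A POST to a callback whose token was not minted for that feed id is dropped before any content is parsed, which is what blocks the cross-hub spoof the post describes.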
