RSS Security
By S. Housley

RSS is growing at lightning speed. Once known only as a "techie tool", RSS is becoming a tool in continuous use by the general population. Along with the good comes the not so good. While some have mentioned the emergence of RSS spam, where content publishers dynamically generate nonsensical feeds stuffed with keywords, the real concern relates to security. Spam in RSS feeds, an annoyance to the search engines, pales in comparison to the security concerns that could be in RSS's future.

Security Implications Related to RSS.
As RSS gains momentum, security fears loom large. As publishers quickly find innovative uses for RSS feeds, hackers are taking notice. The power and extensibility of RSS, even in its simplest form, is also its Achilles' heel. The expansion capabilities of the RSS specification, specifically the "enclosure" field that launched the podcasting phenomenon, are where the vulnerabilities lie. The enclosure field in itself is not the problem; in fact, the majority of RSS feeds do not even use the enclosure tag. The enclosure tag is essentially used to link to files such as images, Word documents, MP3 files, PowerPoint presentations and executables, and can be thought of in similar terms to email attachments.

The fact that RSS can be used to distribute these file types has opened a myriad of doors to users of the syndication standard, but also has created cause for concern.

Most people do not feel that the risk is significant because people "choose" the content that they receive. While that might make the distribution of malware, viruses and spy applications via RSS less prevalent, there is still the inherent risk of an infected file being distributed.

The problem is one of both technology and lack of education.
The danger lies in the fact that many RSS readers, news aggregators, or pod-catchers automatically download the information contained in the enclosure field regardless of its file type or source.

Most RSS developers acknowledge the risks associated with the enclosure field, but few have had the forethought to include filtering, screening or authentication capabilities and many automatically download enclosures.

Nick Bradbury of Bradsoft/NewsGator seems to be proactive, designing FeedDemon with security in mind. FeedDemon uses an editable safelist of file types as well as allowing users to monitor what files are automatically downloaded. FeedDemon also contains hard-coded warnings related to specific file types.

Developers of ByteScout took a different approach to the handling of enclosure files: ByteScout does not automatically download anything without user intervention for each download.

Unfortunately, not all RSS readers, aggregators and podcatchers consider the possible security implications associated with RSS feeds and podcasts. Some will automatically download enclosures without warning or any thought of security. Be sure to examine how your RSS reader handles files contained in the enclosure field of an RSS feed.
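The safelist approach described above can be sketched as follows. This is an added example, not code from FeedDemon, ByteScout or the article's author; the policy tables, the decision names (`auto`, `ask`, `warn`, `block`) and the sample feed are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Assumed policy (hypothetical values): extension -> MIME types that may auto-download.
SAFELIST = {".mp3": {"audio/mpeg"}, ".jpg": {"image/jpeg"}, ".png": {"image/png"}}
# File types that always raise a warning, whatever the feed declares.
WARN_EXTENSIONS = {".exe", ".scr", ".bat", ".msi", ".vbs"}

def classify(url, declared_type):
    """Return 'auto', 'ask', 'warn' or 'block' for one enclosure."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "block"                       # only web URLs are fetched at all
    # Decode %xx first so an encoded dot cannot hide the real extension.
    ext = PurePosixPath(unquote(parts.path)).suffix.lower()
    if ext in WARN_EXTENSIONS:
        return "warn"                        # the final extension decides
    mime = declared_type.split(";")[0].strip().lower()
    if mime not in SAFELIST.get(ext, ()):
        return "ask"                         # unknown type, or type/extension mismatch
    return "auto"

def review_feed(xml_text):
    """Return (url, decision) for every <enclosure> in an RSS 2.0 document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("feed declares a DTD; refusing to parse it")
    root = ET.fromstring(xml_text)
    return [(e.get("url", ""), classify(e.get("url", ""), e.get("type", "")))
            for e in root.iter("enclosure")]

# Constructed sample feed, embedded so the example runs offline.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed sample</title>
<item><enclosure url="https://feeds.example.com/ep1.mp3" length="1" type="audio/mpeg"/></item>
<item><enclosure url="https://feeds.example.com/ep2.mp3.exe" length="1" type="audio/mpeg"/></item>
<item><enclosure url="https://feeds.example.com/slides.ppt" length="1" type="application/vnd.ms-powerpoint"/></item>
<item><enclosure url="https://feeds.example.com/cover.jpg" length="1" type="application/octet-stream"/></item>
<item><enclosure url="ftp://feeds.example.com/ep3.mp3" length="1" type="audio/mpeg"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for url, decision in review_feed(SAMPLE_FEED):
        print(f"{decision:5}  {url}")
```

Only the first enclosure is fetched without a prompt. The declared `type` attribute is supplied by the publisher, so the check treats it as a claim to compare against the extension rather than as a fact.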

With the increased use of RSS and podcasting, the security risks increase as well. There is cause for concern; however, proactive users and conscientious developers can easily reduce the risk by taking precautions seriously. Computer viruses and malware are cause for legitimate concern, but there is ample time to act and avert potential problems.

About the Author:
Sharon Housley manages marketing for FeedForAll (http://www.feedforall.com), software for creating, editing and publishing RSS feeds and podcasts. In addition, Sharon manages marketing for FeedForDev (http://www.feedfordev.com), an RSS component for developers.

Permissions:
Permissions and notification of use not required.


Copyright © 2006 RSSBlogSubmit, All Rights Reserved