Security and RSS
RSS is growing at lightning speed. What was once known only as a
"techie tool" is becoming one the general population uses every day.
Along with the good comes the not so good. Some have already noted the
emergence of RSS spam, where content publishers dynamically generate
nonsensical feeds stuffed with keywords, but the real concern is
security. Spam in RSS feeds is an annoyance to the search engines; it
pales in comparison to the security problems that could be in RSS'
future.
Security Implications Related to RSS.
As RSS gains momentum, security fears loom large. As publishers find
innovative uses for RSS feeds, hackers are taking notice. The power
and extensibility of RSS in its simplest form is also its Achilles'
heel. The attack surface lies in one extension of the RSS
specification: the "enclosure" element, the field that launched the
podcasting phenomenon. The enclosure element is not a problem in
itself; in fact the majority of RSS feeds do not even use it. An
enclosure carries a URL, a byte length and a declared MIME type, and
it is used to link to files: images, Word documents, MP3 files,
PowerPoint presentations, and executables. It can be thought of in
similar terms to an e-mail attachment, with the same caveat: the
publisher declares what the file is, and nothing in the feed proves
that the declaration is true.
The fact that RSS can be used to distribute these file types has
opened a myriad of doors to users of the syndication standard, but it
has also created cause for concern.
Most people do not feel that the risk is significant because people
"choose" the content they receive. That choice may make the
distribution of malware, viruses and spyware via RSS less prevalent,
but the inherent risk of an infected file being distributed remains:
subscribing to a feed expresses trust in a publisher today, not in
every file the feed will link to later, and a feed's contents can
change at any time after the subscription is made.
The problem is one of both technology and lack of education.
The danger lies in the fact that many RSS readers, news aggregators
and podcatchers automatically download whatever the enclosure field
points to, regardless of its file type or source.
Most RSS developers acknowledge the risks associated with the
enclosure field, but few have had the forethought to include
filtering, screening or authentication capabilities, and many
download enclosures automatically.
Nick Bradbury of Bradsoft/NewsGator seems to be proactive, having
designed FeedDemon with security in mind. FeedDemon uses an editable
safelist of file types, lets users monitor which files are downloaded
automatically, and contains hard-coded warnings for specific file
types.
The developers of ByteScout took a different approach to enclosure
handling: ByteScout downloads nothing without user intervention for
each download.
Unfortunately, not all RSS readers, aggregators and podcatchers
consider the security implications of feeds and podcasts; some
download enclosures without warning and without any thought of
security. Be sure to examine how your RSS reader handles files
referenced in the enclosure field of an RSS feed: whether it
downloads them automatically, whether it lets you restrict the file
types it will fetch, and whether it tells you when a download has
taken place.
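The two approaches described above, an editable safelist of file types with hard-coded warnings and a prompt before every download, can be combined in one screening step that runs before the reader makes any network request. The following is an added example written for this article; it is not FeedDemon, ByteScout or FeedForAll code. The safelist contents, the size limit, the blocked and warned extensions and the sample feed are all assumptions constructed for illustration.

```python
"""Enclosure screening for an RSS reader: safelist plus prompt.

Constructed example for this article; not FeedDemon, ByteScout or
FeedForAll code. The safelist, the size limit and the sample feed are
assumptions chosen for illustration.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Editable safelist: extension -> MIME types the feed may declare for it.
# Only enclosures matching both are eligible for automatic download.
SAFE_TYPES = {
    ".mp3": {"audio/mpeg"},
    ".m4a": {"audio/mp4", "audio/x-m4a"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".png": {"image/png"},
    ".pdf": {"application/pdf"},
}

# Executable content: never downloaded by the reader, automatically or otherwise.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".vbs", ".js", ".jar"}

# Macro-capable Office formats: allowed, but only after the user confirms (hard-coded warning).
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".ppt", ".pps"}

# Upper bound for unattended downloads (assumption: 200 MiB).
MAX_AUTO_BYTES = 200 * 1024 * 1024


def screen_enclosure(url, declared_type, length):
    """Classify one <enclosure> as 'download', 'ask' or 'block', with a reason.

    The file extension is taken from the URL path (query strings ignored) and
    the feed's self-declared type must agree with it. Both values come from the
    feed, i.e. from whoever controls it, so they gate the decision but are not
    trusted on their own: a mismatch is treated as suspicious, not resolved in
    the feed's favour.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return "block", "unsupported URL scheme %r" % parts.scheme
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in EXECUTABLE:
        return "block", "executable file type %s" % ext
    if ext in MACRO_CAPABLE:
        return "ask", "macro-capable document %s; confirm before opening" % ext
    if ext not in SAFE_TYPES:
        return "ask", "file type %r is not on the safelist" % ext
    if declared_type.lower() not in SAFE_TYPES[ext]:
        return "ask", "declared type %r does not match extension %s" % (declared_type, ext)
    try:
        size = int(length)
    except ValueError:
        return "ask", "enclosure length %r is not a number" % length
    if size <= 0 or size > MAX_AUTO_BYTES:
        return "ask", "enclosure length %d is outside the automatic-download limit" % size
    return "download", "on safelist"


def screen_feed(xml_text):
    """Return [(item title, url, decision, reason)] for every enclosure in an RSS 2.0 feed."""
    # ElementTree's expat parser does not fetch external entities; for feeds from
    # arbitrary publishers, defusedxml would also guard against entity-expansion bombs.
    root = ET.fromstring(xml_text)
    results = []
    for item in root.iter("item"):
        title = item.findtext("title", "")
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            decision, reason = screen_enclosure(url, enc.get("type", ""), enc.get("length", ""))
            results.append((title, url, decision, reason))
    return results


# Constructed sample feed: one legitimate episode and four cases a reader should not fetch blindly.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Episode 1</title>
 <enclosure url="https://example.org/ep1.mp3?cb=7" length="12345678" type="audio/mpeg"/></item>
<item><title>Player update</title>
 <enclosure url="http://example.org/update.mp3.exe" length="1024" type="audio/mpeg"/></item>
<item><title>Slides</title>
 <enclosure url="https://example.org/slides.ppt" length="2048" type="application/vnd.ms-powerpoint"/></item>
<item><title>Notes</title>
 <enclosure url="https://example.org/notes.pdf" length="9999" type="application/octet-stream"/></item>
<item><title>Local file</title>
 <enclosure url="file:///etc/passwd" length="1" type="text/plain"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, url, decision, reason in screen_feed(SAMPLE_FEED):
        print("%-9s %-14s %s (%s)" % (decision.upper(), title, url, reason))
```

Running the module prints one line per enclosure: the MP3 episode is the only automatic download, the double-extension executable and the file:// URL are blocked outright, and the PowerPoint file and the PDF whose declared type does not match its extension are held for the user to confirm. The decision is made from the feed's own attributes, so it is only the first gate: at download time the reader should still compare the server's Content-Type and the file's leading bytes against what was expected, and apply the same rules to any redirect target, because everything in the enclosure element is a claim by the publisher.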
With the increased use of RSS and podcasting, the security risks
increase with it. There is cause for concern, but proactive users and
conscientious developers can mitigate the risk by taking precautions
seriously. Computer viruses and malware are a legitimate concern;
there is still ample time and action that can avert potential
problems.
About the Author:
Sharon Housley manages marketing for FeedForAll http://www.feedforall.com
software for creating, editing and publishing RSS feeds
and podcasts. In addition, Sharon manages marketing for
NotePage http://www.notepage.net
a wireless text messaging software company.
**********************************************************
This article may be used freely in opt-in
publications and websites, provided that the resource
box is included and the links are active. A courtesy
copy of the issue or a link to any online posting would
be greatly appreciated; send an email to sharon@notepage.net.
Additional articles available for publication are at
http://www.small-business-software.net/free-website-content.htm
**********************************************************