You have permission to publish this article electronically
or in print, free of charge, as long as the bylines are
included. A courtesy copy of your publication would be
appreciated - send to firstname.lastname@example.org.
Title: RSS Security
Word Count: 537
Author: Sharon Housley
Article URL: www.submityourarticle.com/articles/easypublish.php?art_id=2665
The article is preformatted to 60CPL.
Copyright 2005 Sharon Housley
RSS is growing at a lightening speed. What was once only
known as a "techie tool", RSS is becoming a tool that is
continuously being used by the general population. Along
with the good comes, the not so good. And while some have
mentioned the emergence of RSS spam, where content
publishers dynamically generate nonsensical feeds stuffed
with keywords, the real concern relates to security. While
an annoyance to the search engines, spam in RSS feeds pales
in comparison to the possible security concerns that could
be in RSS' future.
Security Implications Related to RSS.
As RSS gains momentum security fears loom large. As
publishers are quickly finding innovative uses for RSS
feeds, hackers are taking notice. The power and
extendibility of RSS in its simplest form is also its
achilles heel. The expansion capabilities of the RSS
specification, specifically the "enclosure" field which has
launched the podcasting phenomenon, is where the
vulnerabilities lie. The enclosure field in itself is not
the problem, in fact the majority of RSS feeds do not even
use the enclosure tag. The enclosure tag is essentially
used to link to file types, things like images, word
documents, mp3 files, power point presentations, and
executables and can be thought of in similar terms to email
The fact that RSS can be used to distribute these file
types has opened a myriad of doors to users of the
syndication standard, but also has created cause for
concern. Most people do not feel that the risk is
significant because people "choose" the content that they
receive, and while it might make the distribution of
malware, viruses and spy applications via RSS less
prevalent, their is still the inherent risk of a infected
file being distributed.
The problem is one of both technology and lack of
The danger lies in the fact that many RSS readers, news
aggregators, or pod-catchers automatically download the
information contained in the enclosure field regardless of
its file type or source.
Most RSS developers acknowledge the risks associated with
the enclosure field, but few have had the forethought to
include filtering, screening or authentication capabilities
and many automatically download enclosures.
Nick Bradbury of Bradsoft/NewsGator seems to be proactive,
designing FeedDemon with security in mind. FeedDemon uses
an editable safelist of file types as well as allowing
users to monitor what files are automatically downloaded.
FeedDemon also contains hard-coded warnings related to
specific file types.
Developers of ByteScout took a different approach to the
handling of enclosure files, ByteScout does not
automatically download anything without user intervention
for each download.
Unfortunately, not all RSS readers, aggregators and
podcatchers consider the possible security implications
associated with RSS feeds and podcasts, some will
automatically download enclosures without warning or any
thoughts of security. Be sure to examine how your RSS
reader handles files contained in the enclosure field of an
With the increased use of RSS and podcasting, the security
risks increase with it. Their is cause for concern, however
proactive users and conscientious developers can easily
subvert the risk by taking precautions seriously. Computer
viruses and malware are cause for legitimate concern, there
is ample time and action that can avert potential problems.
About the Author:
Sharon Housley manages marketing for FeedForAll
www.feedforall.com software for creating, editing,
publishing RSS feeds and podcasts. In addition Sharon
manages marketing for FeedForDev www.feedfordev.com
an RSS component for developers.