RSS: Safe At Any Feed? - InformationWeek



When Microsoft laid out its plans last week for building RSS -- Really Simple Syndication -- into Longhorn, it didn't say anything about how it might secure the automated feeds.

Nor, really, has anyone else, said Gartner research director John Pescatore, the research firm's resident security analyst.

"What inevitably happens with any new protocol, especially the ones with the word 'simple' in them, is that developers try to come up with a way to easily communicate data," said Pescatore. "Only at the end do they say, 'let's sprinkle some security on it.' RSS is like that."

But with Microsoft's move to integrate RSS into the Windows operating system, and build it into Internet Explorer, still the dominant browser, the idea that hackers and scammers will turn to RSS gains some credence.

"RSS in the operating system and IE likely means that more people will be saying 'let's start looking for vulnerabilities,'" said Pescatore.

The problem with RSS is two-fold. First, it's a versatile format that can deliver multiple kinds of content, including HTML, audio files (such as the all-the-rage podcast feeds), and even executables of a sort. "RSS can even move things that are like executables, such as JavaScript," said Pescatore.

RSS security -- or insecurity -- is hardly new. A possible way to deliver malicious code and spam via the protocol was highlighted two years ago by Mark Pilgrim, a writer of several technical and programming books, such as "Diving Into Python."

"RSS, by design, is difficult to consume safely," Pilgrim wrote in a blog entry. "And now that RSS is moving into the mainstream, the design decisions that got it there are becoming more and more of a problem."
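As an added example (not code from the article, from Pilgrim, or from any product it mentions), here is one way a feed reader can treat item content as untrusted: escape plain-text fields, pass HTML descriptions through a tag allowlist that drops script and event-handler attributes, and flag enclosures whose media type is not audio, video, or image. The allowlist, the media-type prefixes, and the sample feed are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}  # assumed policy
DROP_CONTENT = {"script", "style", "iframe", "object"}  # discard tag and its contents
SAFE_SCHEMES = ("http://", "https://")                  # anything else loses its href
SAFE_MEDIA = ("audio/", "video/", "image/")             # assumed enclosure policy

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            href = dict(attrs).get("href") or ""
            ok = tag == "a" and href.lower().startswith(SAFE_SCHEMES)
            self.out.append(f'<a href="{escape(href)}" rel="noopener">' if ok else f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

def read_feed(xml_text):
    if "<!DOCTYPE" in xml_text:  # RSS needs no DTD; refuse entity-expansion tricks
        raise ValueError("feed declares a DTD")
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        enc = item.find("enclosure")
        items.append({
            "title": escape(item.findtext("title", "")),  # plain text, never markup
            "body": sanitize(item.findtext("description", "")),
            "enclosure_ok": enc is None or enc.get("type", "").startswith(SAFE_MEDIA)})
    return items

# Constructed sample feed: inline script, event handler, javascript: link, binary enclosure
SAMPLE_FEED = """<rss version="2.0"><channel><item><title>1 &lt; 2</title>
<description>&lt;p onclick="x()"&gt;Hi &lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:void(0)"&gt;link&lt;/a&gt;&lt;/p&gt;</description>
<enclosure url="http://feeds.example/setup.exe" type="application/octet-stream"/></item></channel></rss>"""
```

The enclosure check trusts the type the feed declares, so a reader that downloads enclosures should also verify the fetched content rather than rely on this flag alone.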

Pescatore agrees, but only up to a point. "What you'll see in the Longhorn generation products that integrate RSS," he said, "is a whole lot of other security mechanisms that can be used to secure RSS. It could be secured using SSL, for instance, or over IPsec through SharePoint. The idea isn't new: set up a secure connection, then run the insecure protocol over that connection."

The second problem with RSS as Microsoft envisions it is that the Redmond, Wash.-based company plans to provide an API and specialized database to make RSS feeds available to desktop applications from Microsoft and other developers. Hackers and phishers are fascinated with vulnerabilities within the Windows operating system because of its dominance, and go to great lengths to uncover them and/or write exploits against them.

"I don't know that RSS gets [a hacker or phisher] any more than what e-mail gives them now," said Pescatore. He admitted, however, that the hands-off nature of RSS -- an application, whether browser, reader, e-mail client, or other tool, automatically pulls content from the RSS feed when new content is made available -- may give it some advantage over e-mail, particularly for scam artists planting spyware on systems to hijack identities.

There has been some talk of securing RSS. In May, for instance, VeriSign chief executive Stratton Sclavos said plans were in the works at the Mountain View, Calif.-based security firm to provide feed, content, and identity management products for RSS and Atom (a competing syndication format) feeds. Although VeriSign has not detailed these plans -- and didn't respond to calls Monday -- Sclavos said then that these upcoming tools would help prevent RSS from being abused by spammers and phishers, and exploited by other Internet-based threats.

But efforts to, for example, authenticate and verify that an RSS feed is legit, and/or not spewing malicious code, are embryonic at best, and rely on existing schemes, such as SSL and HTTP authentication.

But even if security of sorts is implemented, Pescatore's not optimistic.

"If it gets built, someone will try to make a hole in it," said Pescatore. "That's the world of security."
