RSS: Safe At Any Feed? - InformationWeek

6/27/2005
02:39 PM


When Microsoft laid out its plans last week for building RSS -- Really Simple Syndication -- into Longhorn, it didn't say anything about how it might secure the automated feeds.

Nor has really anyone, said Gartner research director John Pescatore, the research firm's resident security analyst.

"What inevitably happens with any new protocol, especially the ones with the word 'simple' in them, is that developers try to come up with a way to easily communicate data," said Pescatore. "Only at the end do they say, 'let's sprinkle some security on it.' RSS is like that."

But with Microsoft's move to integrate RSS into the Windows operating system, and build it into Internet Explorer, still the dominant browser, the idea that hackers and scammers will turn to RSS gains some credence.

"RSS in the operating system and IE likely means that more people will be saying 'let's start looking for vulnerabilities,'" said Pescatore.

The problem with RSS is two-fold. First, it's a versatile format that can deliver multiple kinds of content, including HTML, audio files (such as the all-the-rage podcast feeds), and even executables of a sort. "RSS can even [carry] more things that are like executables, such as JavaScript," said Pescatore.

RSS security -- or insecurity -- is hardly new. A possible way to deliver malicious code and spam via the protocol was highlighted two years ago by Mark Pilgrim, a writer of several technical and programming books, such as "Diving Into Python."

"RSS, by design, is difficult to consume safely," Pilgrim wrote in a blog entry. "And now that RSS is moving into the mainstream, the design decisions that got it there are becoming more and more of a problem."
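The consumption problem Pilgrim and Pescatore describe comes down to what a reader does with the HTML inside an item's description. The following is an added illustration, not code from the article or from any product it mentions: a minimal RSS 2.0 item parser that rebuilds each description from an allowlist of tags and attributes, so script blocks, event-handler attributes and javascript: links in a constructed hostile feed never reach the rendering surface.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET  # use defusedxml for untrusted feeds in production

# Constructed sample feed (not from the article): a benign item and one whose
# description smuggles a script block, an event handler and a javascript: link.
SAMPLE_FEED = (
    '<rss version="2.0"><channel><title>Example</title>'
    '<item><title>Benign</title><description>&lt;p&gt;Plain &lt;b&gt;bold&lt;/b&gt;'
    ' text&lt;/p&gt;</description></item><item><title>Hostile</title><description>'
    '&lt;p onmouseover="alert(1)"&gt;Hi&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;'
    '&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;</description></item></channel></rss>'
)
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}         # no on* handlers, no style
SAFE_SCHEMES = ("http://", "https://")  # drops javascript:, data:, vbscript: links

class Sanitizer(HTMLParser):
    """Allowlist sanitizer: re-emits only the tags/attributes above and discards
    everything inside <script>, so the reader never renders active content."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
        elif tag in ALLOWED_TAGS and not self.in_script:
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value and (
                        name != "href" or value.strip().lower().startswith(SAFE_SCHEMES)):
                    kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif tag in ALLOWED_TAGS and not self.in_script:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data))

def sanitize_html(fragment):
    s = Sanitizer(); s.feed(fragment); s.close()
    return "".join(s.out)

def parse_feed(xml_text):
    # Returns [(title, sanitized description)] for every <item> in an RSS 2.0 feed.
    return [(i.findtext("title", ""), sanitize_html(i.findtext("description", "")))
            for i in ET.fromstring(xml_text).iter("item")]
```

Run `parse_feed(SAMPLE_FEED)`: the benign item's markup survives intact, while the hostile item collapses to `<p>Hi</p><a>x</a>` with the script body, the handler and the link target gone.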

Pescatore agrees, but only up to a point. "What you'll see in the Longhorn generation products that integrate RSS," he said, "is a whole lot of other security mechanisms that can be used to secure RSS. It could be secured using SSL, for instance, or over IPsec through SharePoint. The idea isn't new: set up a secure connection, then run the insecure protocol over that connection."

The second problem with RSS as Microsoft envisions it is that the Redmond, Wash.-based company plans to provide an API and specialized database to make RSS feeds available to desktop applications from Microsoft and other developers. Hackers and phishers are fascinated with vulnerabilities within the Windows operating system because of its dominance, and go to great lengths to uncover them and/or write exploits against them.

"I don't know that RSS gets [a hacker or phisher] any more than what e-mail gives them now," said Pescatore. He admitted, however, that the hands-off nature of RSS -- an application, whether browser, reader, e-mail client, or other tool, automatically pulls content from the RSS feed when new content is made available -- may give it some advantage over e-mail, particularly for scam artists planting spyware on systems to hijack identities.

There has been some talk of securing RSS. In May, for instance, VeriSign chief executive Stratton Sclavos said plans were in the works at the Mountain View, Calif.-based security firm to provide feed, content, and identity management products for RSS and Atom (a competing syndication format) feeds. Although VeriSign has not detailed these plans -- and didn't respond to calls Monday -- Sclavos said then that these upcoming tools would help prevent RSS from being abused by spammers and phishers, and exploited by other Internet-based threats.

But efforts to, for example, authenticate and verify that an RSS feed is legit, and/or not spewing malicious code, are embryonic at best, and rely on existing schemes, such as SSL and HTTP authentication.

But even if security of sorts is implemented, Pescatore's not optimistic.

"If it gets built, someone will try to make a hole in it," said Pescatore. "That's the world of security."
