RSS Security Deadline

Vulnerabilities Must Be Fixed Before IE 7 and Vista Come Out

As we here at eWEEK Labs evaluate the next generation of Web browsers, operating systems, collaboration tools and other interactive applications, one feature keeps popping up again and again—namely, integration with RSS feeds.

RSS integration has pretty much already become a must-have feature for a whole host of products. Not having RSS integration is almost like not being able to use the Web at all.

And I can see why many developers and businesses are flocking to support RSS. In addition to their popularity as the delivery method of choice for core Web 2.0 products, such as blogs and podcasting, RSS feeds have great potential for reliably delivering a wide assortment of content, files and even applications.

But during the last year or so, many people have been asking an important question: Is RSS secure?

It's vital that this question be answered in the next few months—before Microsoft releases its Internet Explorer 7 browser, which makes it much easier for novices to subscribe to RSS feeds, and before it releases Vista, which has RSS support built in. Both releases will have malware purveyors looking for ways to exploit the products' RSS integration.

Looked at in its simplest form, there's nothing about RSS that should make it hard to secure. Based on XML and using standard Internet transmission techniques, RSS can tap all the authentication and encryption technologies that are used to secure any Web-based content.

However, RSS could become a major avenue of transmission for the bad stuff—namely, spam, Trojans and spyware.

Many other Web 2.0 technologies are already dealing with their own forms of spam, with one recent report stating that a very large percentage of blogs on the Web today are actually spam blogs, or splogs.

On a one-to-one basis, spam through RSS is hard to pull off, since a user receiving lots of spam through a feed will simply unsubscribe from that feed. However, the increased use of feed-aggregating sites makes it more likely that enterprising spammers will figure out a way to deliver their wares interspersed with legitimate feeds. Automated aggregating tools based on search terms are even more likely to be exploited by spam.

RSS will almost certainly face spam problems, although, in my opinion, not to the level that e-mail currently does. The much bigger security concern when it comes to RSS is the use, or misuse, of the RSS enclosure tag.

The enclosure tag, which enables podcasting and videocasting, makes it possible to deliver files through a feed. And the way this is implemented in RSS is very flexible—an RSS feed doesn't care what the file type is. A file linked in an enclosure can be an MP3 audio file, an MPEG video file or even (insert ominous music here) an executable.

There really isn't anything stopping someone from delivering malware such as viruses or spyware through an RSS feed enclosure tag. Some will say that this is unlikely to happen, as people will know from the feed where the content is originating. But recent experiences with malware delivered through Web sites show that getting bad content onto legitimate sites isn't a problem for the bad guys.
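To make the enclosure concern concrete, here is an added example (not part of the original column) of a check an aggregator or gateway could run before fetching enclosures: it holds any enclosure whose declared type, file extension or URL scheme falls outside a media allow-list. The allow-lists, the function name `audit_enclosures` and the sample feed are assumptions constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Policy assumptions for this example (not taken from the article).
ALLOWED_TYPE_PREFIXES = ("audio/", "video/")
ALLOWED_EXTENSIONS = {".mp3", ".m4a", ".ogg", ".mp4", ".mpg", ".mpeg"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample feed: one clean item, one executable behind an audio
# MIME type, one media-looking URL with a generic binary MIME type.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed sample feed</title>
<item><title>Episode 1</title>
<enclosure url="http://feeds.example.com/ep1.mp3" length="1024" type="audio/mpeg"/></item>
<item><title>Episode 2</title>
<enclosure url="http://feeds.example.com/ep2.exe" length="2048" type="audio/mpeg"/></item>
<item><title>Episode 3</title>
<enclosure url="http://feeds.example.com/tool.mp3" length="4096" type="application/octet-stream"/></item>
</channel></rss>"""


def audit_enclosures(feed_xml):
    """Return (item title, url, reasons) for each enclosure that fails policy."""
    findings = []
    # For untrusted feeds, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            mime = enc.get("type", "").strip().lower()
            parsed = urlparse(url)
            ext = posixpath.splitext(parsed.path)[1].lower()
            reasons = []
            if parsed.scheme not in ALLOWED_SCHEMES:
                reasons.append("scheme")
            if not mime.startswith(ALLOWED_TYPE_PREFIXES):
                reasons.append("declared-type")
            if ext not in ALLOWED_EXTENSIONS:
                reasons.append("extension")
            if reasons:
                findings.append((title, url, reasons))
    return findings


if __name__ == "__main__":
    for title, url, reasons in audit_enclosures(SAMPLE_FEED):
        print(f"HOLD {title}: {url} ({', '.join(reasons)})")
```

Both the `type` attribute and the URL are set by whoever publishes the feed, so this is only a first gate; a downloaded file still needs content inspection before it is opened.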

So far, we haven't seen many cases of RSS being used as an avenue for security attacks. But once RSS is an integral part of the Microsoft browser and operating system, all that is bound to change.

So what should be done? Should businesses plan to ban RSS subscriptions? Should the RSS standard be changed to make it less attractive to hackers (and also less useful for everyone)?

I don't think so. Many in the RSS community have been discussing these problems for a while now, and aggregators and tool vendors are taking steps to make it easier to detect unusual feed activity. And the last thing we want to do is cripple the functionality of such a promising technology.

So RSS feeds aren't completely secure. But then again, what Internet-based technologies are?

It's pretty much inevitable that there will be security problems involving RSS feeds. But as long as users, vendors and the RSS community are vigilant, RSS won't become a security problem itself.

Contact Labs Director Jim Rapoza at