Free Website Content - Security and RSS
RSS is growing at lightning speed. What
was once only known as a "techie tool", RSS is
becoming a tool that is continuously being used by the general
population. Along with the good comes the not so good.
And while some have mentioned the emergence of RSS spam,
where content publishers dynamically generate nonsensical
feeds stuffed with keywords, the real concern relates to
security. While an annoyance to the search engines, spam
in RSS feeds pales in comparison to the possible security
concerns that could be in RSS' future.
Security Implications Related to RSS.
As RSS gains momentum, security fears loom large.
As publishers are quickly finding innovative uses for RSS
feeds, hackers are taking notice. The power and extensibility
of RSS in its simplest form is also its Achilles heel. The
expansion capabilities of the RSS specification, specifically
the "enclosure" field which has launched the podcasting
phenomenon, are where the vulnerabilities lie. The enclosure
field in itself is not the problem; in fact the majority
of RSS feeds do not even use the enclosure tag. The enclosure
tag is essentially used to link to file types, things like
images, Word documents, mp3 files, PowerPoint presentations,
and executables, and can be thought of in similar terms to
email attachments.
The fact that RSS can be used to distribute
these file types has opened a myriad of doors to users of
the syndication standard, but also has created cause for
concern.
Most people do not feel that the risk is significant
because people "choose" the content that they
receive, and while it might make the distribution of malware,
viruses and spy applications via RSS less prevalent, there
is still the inherent risk of an infected file being distributed.
The problem is one of both technology
and lack of education.
The danger lies in the fact that many RSS readers,
news aggregators, or pod-catchers automatically download
the information contained in the enclosure field regardless
of its file type or source.
Most RSS developers acknowledge the risks
associated with the enclosure field, but few have had the
forethought to include filtering, screening or authentication
capabilities and many automatically download enclosures.
Nick Bradbury of Bradsoft/NewsGator seems
to be proactive, designing FeedDemon with security in mind.
FeedDemon uses an editable safelist of file types as well
as allowing users to monitor what files are automatically
downloaded. FeedDemon also contains hard-coded warnings
related to specific file types.
Developers of ByteScout took a different approach
to the handling of enclosure files: ByteScout does not automatically
download anything without user intervention for each download.
Unfortunately, not all RSS readers, aggregators
and podcatchers consider the possible security implications
associated with RSS feeds and podcasts; some will automatically
download enclosures without warning or any thoughts of security.
Be sure to examine how your RSS reader handles files contained
in the enclosure field of an RSS feed.
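The safelist and ask-before-download behaviours described above can be combined into one enclosure check. This is an added example, not code from FeedDemon, ByteScout or the original article; the safelist and blocklist contents, the function names and the feeds.example host are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed policy values, not taken from any real reader: a user-editable
# safelist (extension -> required MIME prefix) and a hard-coded blocklist.
SAFELIST = {".mp3": "audio/", ".m4a": "audio/", ".jpg": "image/", ".png": "image/"}
BLOCKLIST = {".exe", ".scr", ".bat", ".cmd", ".msi", ".vbs", ".js"}

def classify(url, declared_type):
    """Return 'download', 'prompt' or 'block' for one enclosure."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "block"  # unexpected source scheme
    # Only the final suffix of the URL path counts, so "a.mp3.exe" and
    # "a.exe?x=.mp3" are both treated as .exe.
    ext = PurePosixPath(parts.path).suffix.lower()
    if ext in BLOCKLIST:
        return "block"
    prefix = SAFELIST.get(ext)
    if prefix and declared_type.lower().startswith(prefix):
        return "download"
    # Unknown extension, or extension and declared type disagree: the feed
    # controls both values, so leave the decision to the user.
    return "prompt"

def review_feed(xml_text):
    """Map each <enclosure> in an RSS 2.0 document to (url, decision)."""
    # A real reader should parse untrusted feeds with a hardened XML parser.
    root = ET.fromstring(xml_text)
    return [(e.get("url", ""), classify(e.get("url", ""), e.get("type", "")))
            for e in root.iter("enclosure")]

# Constructed sample feed; feeds.example is a placeholder host.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed sample</title>
<item><enclosure url="https://feeds.example/ep1.mp3" length="1" type="audio/mpeg"/></item>
<item><enclosure url="https://feeds.example/ep2.mp3.exe" length="1" type="audio/mpeg"/></item>
<item><enclosure url="https://feeds.example/slides.ppt" length="1" type="application/vnd.ms-powerpoint"/></item>
<item><enclosure url="https://feeds.example/ep3.mp3" length="1" type="application/octet-stream"/></item>
<item><enclosure url="ftp://feeds.example/ep4.mp3" length="1" type="audio/mpeg"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for url, decision in review_feed(SAMPLE_FEED):
        print(f"{decision:8} {url}")
```

A "download" decision only covers what the feed declares; the file that actually arrives still needs the same scanning as an email attachment.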
With the increased use of RSS and podcasting,
the security risks increase with it. There is cause for
concern; however, proactive users and conscientious developers
can easily mitigate the risk by taking precautions seriously.
Computer viruses and malware are cause for legitimate concern,
but there is ample time and action that can avert potential
problems.
About the Author:
Sharon Housley manages marketing for FeedForAll http://www.feedforall.com
software for creating, editing, publishing RSS feeds and
podcasts. In addition Sharon manages marketing for NotePage
http://www.notepage.net
a wireless text messaging software company.
**********************************************************
This article may be used freely in opt-in
publications and websites, provided that the resource box
is included and the links are active. A courtesy copy of
the issue or a link to any online posting would be greatly
appreciated; send an email to sharon@notepage.net.
Additional articles for publication are available
at http://www.small-business-software.net/free-website-content.htm
**********************************************************