Is it dangerous to subscribe to RSS feeds?

Dave, I have read alot about RSS and XML feeds, and I daily use a RSS aggregator to subscribe to and read some feeds of interest to me.

My question is: Is there a security risk in using RSS feeds? I don't believe that my anti-virus programs scan my RSS, and I am not familiar enough with how the XML feeds work to know if it could pose any kind of security risk, i.e., viruses, spyware, hostile computer takeovers, etc.

Dave's Answer:

I forwarded your question to a couple of the smartest people I know, guys that are mired in the innards of RSS, Greg Reinacker (Chief Technology Officer at RSS aggregator Newsgator.com) and Bill French (Co-founder of enterprise blogging tool developers MyST Technology Partners).

Greg answered first:

For starters, passing malicious CSS/HTML within an RSS feed is generally benign. Most aggegators (including all NewsGator products) either a) strip the content down to a "safe" subset of HTML that they will render, or b) render the content within a browser like IE that already has certain security precautions built-in. There are some potential issues with content appearing to come from your local machine in some cases, and thus be considered more trusted than internet content, but in most situations this isn't a factor.

More likely culprits are enclosures - because you can "deliver" a virus or other malicious code via a feed. However - the way our tools (and most others) work is they download the file, and save it to your disk...so any existing anti-virus and other tools can deal with it the same way they would deal with a manual download from the web.

So bottom line - there are potential issues, but most mature aggregation tools will deal with these in a sensible way, reducing the risk to roughly the same risk you get by browsing web sites.

Bill responded to this observation with:

Yep - that's the hope, and for the most part, the case. Now, if we can assume that Microsoft will be sensible concerning security, life will be good ;-)

There is a degree of security with anything that drops content into your local file system. But I think companies like VeriSign (and the media) tend to over-hype the risks because they stand to benefit greatly from such behavior.

Is there a risk? - Absolutely. Is it significant? Probably not, especially if you're picking strong technologies to deliver the content (NG, My.Yahoo, Bloglines), and reputable sources that publish the content.

And let's not forget that there are many business and military requirements where the definition of "security" varies. Distributing RSS over HTTPS is something we provide for some customers - employees appreciate this - they can access lots of information without logging into the VPN (a particularly troublesome issue at many companies with rigid security requirements).

Thanks, Bill and Greg!

I really want to highlight something Bill said here too: if you only subscribe to reputable RSS feeds from legitimate agencies and writers, your risk should be quite minimal. Being on the Web at all is a bit of a risk, of course, but the RSS feed from "WeHackYourPatheticPC.com" is doubtless more risky than the Wall Street Journal or British Broadcasting Corporation!

A quick Web search highlights the following quite interesting and relevant article too, offering yet more thoughts on this topic: Security: The Missing Ingredient in Buzz About RSS.

Hope that helps answer your question!

Categorized: Blogs and RSS Feeds (Article 4165, Written by Dave Taylor)
Tagged:
Previous: How do I get more traffic to my blog?
Next: Does MSN Search work with RSS web feeds?

Subscribe!

Never miss another Q&A article! Click to subscribe:

Comments

Rather amazingly, there are no comments on this article yet.

I have something to say, now that you mention it, but ...

I do have a lot to say, and questions of my own for that matter, but first I'd like to say thank you for all your efforts on this Web site by buying you a cup of coffee!

I do have a comment, now that you mention it!

How can I fix too little virtual memory in Windows?

How do I install Windows XP in Boot Camp on my Mac?

How do I download photos onto my Apple iPhone?

How do I convert WMA to MP3 audio files in Windows Media Player?

How can I add a Google search box to my site?

How can I put music on my Apple iPod?

How can I get my Nintendo DS to connect to the Internet?

How do I reset my Mac OS X administrator (root) password?

Recent Entries

How can I pair a bluetooth speaker with my MacBook Pro?

Is my copy of Windows 7 "activated" and genuine?

The Scoop on Merchant Services and Credit Card Processing?

How can I change my Windows PC computer name?

Introduction to Google Docs Spreadsheets

Add Po.st Social Media (Facebook, Google Plus) widgets to your blog?

I Need Help!

Even More Help

Apple iPad Help
Articles and Reviews
Auctions and Online Shopping
Blogs and RSS Feeds
Building Web Site Traffic
Business and Management
CGI Scripts and Web Site Programming
Computer and Internet Basics
d) None of the Above
Facebook Help
Google Plus Help
HTML and CSS
Industry News and Trade Shows
iPhone and Cell Phone Help
iPod, Sony PSP and MP3 Player Help
Mac OS X Help
Pay Per Click (PPC) Advertising
Search Engine Optimization (SEO)
Shell Script Programming
Tech Support Video Help
The Writing Business
Twitter, LinkedIn and Social Network Help
Unix and Linux Help
Video Game Tips and Help
Windows PC Help
WordPress Help

film blog - social media / blogging speaking - business blog - Colorado photography - free tech support

© 2002 - 2012 by Dave Taylor. All Rights Reserved.

Note: This web site is for the purpose of disseminating information for educational purposes, free of charge, for the benefit of all visitors. We take great care to provide quality information. However, we do not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, reliability, currency or completeness of any material contained on this web site or on any linked site.

business blog | sitemap | link to us!