Is it dangerous to subscribe to RSS feeds?
Dave, I have read a lot about RSS and XML feeds, and I daily use an RSS aggregator to subscribe to and read some feeds of interest to me.
My question is: Is there a security risk in using RSS feeds? I don't believe that my anti-virus programs scan my RSS, and I am not familiar enough with how the XML feeds work to know if it could pose any kind of security risk, i.e., viruses, spyware, hostile computer takeovers, etc.
I forwarded your question to a couple of the smartest people I know, guys that are mired in the innards of RSS, Greg Reinacker (Chief Technology Officer at RSS aggregator Newsgator.com) and Bill French (Co-founder of enterprise blogging tool developers MyST Technology Partners).
Greg answered first:
For starters, passing malicious CSS/HTML within an RSS feed is generally benign. Most aggregators (including all NewsGator products) either a) strip the content down to a "safe" subset of HTML that they will render, or b) render the content within a browser like IE that already has certain security precautions built-in. There are some potential issues with content appearing to come from your local machine in some cases, and thus be considered more trusted than internet content, but in most situations this isn't a factor.
More likely culprits are enclosures - because you can "deliver" a virus or other malicious code via a feed. However - the way our tools (and most others) work is they download the file, and save it to your disk...so any existing anti-virus and other tools can deal with it the same way they would deal with a manual download from the web.
So bottom line - there are potential issues, but most mature aggregation tools will deal with these in a sensible way, reducing the risk to roughly the same risk you get by browsing web sites.
Bill responded to this observation with:
Yep - that's the hope, and for the most part, the case. Now, if we can assume that Microsoft will be sensible concerning security, life will be good ;-)
There is a degree of security with anything that drops content into your local file system. But I think companies like VeriSign (and the media) tend to over-hype the risks because they stand to benefit greatly from such behavior.
Is there a risk? - Absolutely. Is it significant? Probably not, especially if you're picking strong technologies to deliver the content (NG, My.Yahoo, Bloglines), and reputable sources that publish the content.
And let's not forget that there are many business and military requirements where the definition of "security" varies. Distributing RSS over HTTPS is something we provide for some customers - employees appreciate this - they can access lots of information without logging into the VPN (a particularly troublesome issue at many companies with rigid security requirements).
Thanks, Bill and Greg!
I really want to highlight something Bill said here too: if you only subscribe to reputable RSS feeds from legitimate agencies and writers, your risk should be quite minimal. Being on the Web at all is a bit of a risk, of course, but the RSS feed from "WeHackYourPatheticPC.com" is doubtless more risky than the Wall Street Journal or British Broadcasting Corporation!
A quick Web search highlights the following quite interesting and relevant article too, offering yet more thoughts on this topic: Security: The Missing Ingredient in Buzz About RSS.
Hope that helps answer your question!