
Is it dangerous to subscribe to RSS feeds?

Dave, I have read a lot about RSS and XML feeds, and I daily use an RSS aggregator to subscribe to and read some feeds of interest to me. My question is: Is there a security risk in using RSS feeds? I don't believe that my anti-virus programs scan my RSS, and I am not familiar enough with how the XML feeds work to know if it could pose any kind of security risk, i.e., viruses, spyware, hostile computer takeovers, etc.

I forwarded your question to a couple of the smartest people I know, guys that are mired in the innards of RSS, Greg Reinacker (Chief Technology Officer at RSS aggregator Newsgator.com) and Bill French (Co-founder of enterprise blogging tool developers MyST Technology Partners).

Greg answered first:

For starters, passing malicious CSS/HTML within an RSS feed is generally benign. Most aggregators (including all NewsGator products) either a) strip the content down to a "safe" subset of HTML that they will render, or b) render the content within a browser like IE that already has certain security precautions built-in. There are some potential issues with content appearing to come from your local machine in some cases, and thus be considered more trusted than internet content, but in most situations this isn't a factor.

More likely culprits are enclosures - because you can "deliver" a virus or other malicious code via a feed. However - the way our tools (and most others) work is they download the file, and save it to your disk...so any existing anti-virus and other tools can deal with it the same way they would deal with a manual download from the web.

So bottom line - there are potential issues, but most mature aggregation tools will deal with these in a sensible way, reducing the risk to roughly the same risk you get by browsing web sites.

Bill responded to this observation with:

Yep - that's the hope, and for the most part, the case. Now, if we can assume that Microsoft will be sensible concerning security, life will be good ;-)

There is a degree of security with anything that drops content into your local file system. But I think companies like VeriSign (and the media) tend to over-hype the risks because they stand to benefit greatly from such behavior.

Is there a risk? - Absolutely. Is it significant? Probably not, especially if you're picking strong technologies to deliver the content (NG, My.Yahoo, Bloglines), and reputable sources that publish the content.

And let's not forget that there are many business and military requirements where the definition of "security" varies. Distributing RSS over HTTPS is something we provide for some customers - employees appreciate this - they can access lots of information without logging into the VPN (a particularly troublesome issue at many companies with rigid security requirements).

Thanks, Bill and Greg! I really want to highlight something Bill said here too: if you only subscribe to reputable RSS feeds from legitimate agencies and writers, your risk should be quite minimal. Being on the Web at all is a bit of a risk, of course, but the RSS feed from "WeHackYourPatheticPC.com" is doubtless more risky than the Wall Street Journal or British Broadcasting Corporation!

A quick Web search highlights the following quite interesting and relevant article too, offering yet more thoughts on this topic: Security: The Missing Ingredient in Buzz About RSS.

Hope that helps answer your question!
Categorized: Blogs and RSS Feeds (Article 4165)