Industry guru Dave Taylor offers free tech support on a wide variety of technical and business topics, including HTML, Apple iPhone, online advertising, Cascading Style Sheets, Web design, management, Unix, Linux, search engine optimization, online dating, Mac OS X, shell script programming and Microsoft Windows.

Is it dangerous to subscribe to RSS feeds?

Dave, I have read a lot about RSS and XML feeds, and I daily use an RSS aggregator to subscribe to and read some feeds of interest to me.

My question is: Is there a security risk in using RSS feeds? I don't believe that my anti-virus programs scan my RSS, and I am not familiar enough with how the XML feeds work to know if it could pose any kind of security risk, i.e., viruses, spyware, hostile computer takeovers, etc.


Dave's Answer:

I forwarded your question to a couple of the smartest people I know, guys that are mired in the innards of RSS, Greg Reinacker (Chief Technology Officer at RSS aggregator Newsgator.com) and Bill French (Co-founder of enterprise blogging tool developers MyST Technology Partners).

Greg answered first:

For starters, passing malicious CSS/HTML within an RSS feed is generally benign. Most aggregators (including all NewsGator products) either a) strip the content down to a "safe" subset of HTML that they will render, or b) render the content within a browser like IE that already has certain security precautions built-in. There are some potential issues with content appearing to come from your local machine in some cases, and thus be considered more trusted than internet content, but in most situations this isn't a factor.

More likely culprits are enclosures - because you can "deliver" a virus or other malicious code via a feed. However - the way our tools (and most others) work is they download the file, and save it to your disk...so any existing anti-virus and other tools can deal with it the same way they would deal with a manual download from the web.

So bottom line - there are potential issues, but most mature aggregation tools will deal with these in a sensible way, reducing the risk to roughly the same risk you get by browsing web sites.

Bill responded to this observation with:

Yep - that's the hope, and for the most part, the case. Now, if we can assume that Microsoft will be sensible concerning security, life will be good ;-)

There is a degree of security with anything that drops content into your local file system. But I think companies like VeriSign (and the media) tend to over-hype the risks because they stand to benefit greatly from such behavior.

Is there a risk? - Absolutely. Is it significant? Probably not, especially if you're picking strong technologies to deliver the content (NG, My.Yahoo, Bloglines), and reputable sources that publish the content.

And let's not forget that there are many business and military requirements where the definition of "security" varies. Distributing RSS over HTTPS is something we provide for some customers - employees appreciate this - they can access lots of information without logging into the VPN (a particularly troublesome issue at many companies with rigid security requirements).

Thanks, Bill and Greg!

I really want to highlight something Bill said here too: if you only subscribe to reputable RSS feeds from legitimate agencies and writers, your risk should be quite minimal. Being on the Web at all is a bit of a risk, of course, but the RSS feed from "WeHackYourPatheticPC.com" is doubtless more risky than the Wall Street Journal or British Broadcasting Corporation!

A quick Web search highlights the following quite interesting and relevant article too, offering yet more thoughts on this topic: Security: The Missing Ingredient in Buzz About RSS.

Hope that helps answer your question!
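The two defenses Greg describes above, cutting item content down to a safe subset of HTML before rendering it and treating enclosures as plain downloads rather than anything to execute, can be seen in the following added example of an aggregator's ingest step. This is example code written for this page, not NewsGator's or any other product's implementation; the feed text is constructed, and the tag/attribute allowlist, the URL scheme check and the `parse_feed` / `sanitize_html` names are illustrative assumptions rather than anything the page specifies.

```python
"""Ingest an RSS 2.0 feed the way a cautious aggregator would.

Example code for this article, not any real aggregator's source.
Assumptions: a constructed sample feed, a hand-picked HTML allowlist,
and http(s)-only links and enclosures.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: anything not listed here is dropped on rendering.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "blockquote", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https"}


def _safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, file:
    and relative references (conservative: relative links are dropped)."""
    if not value:
        return False
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class SafeSubsetHTML(HTMLParser):
    """Rebuild the input keeping only allowlisted tags and attributes.

    <script>/<style> elements are dropped together with their contents;
    event-handler attributes (onerror, onmouseover, ...) never appear in
    ALLOWED_ATTRS and so are dropped; href/src must pass _safe_url.
    """
    VOID = {"br", "img"}          # no closing tag is emitted for these
    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return                # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in self.VOID:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize_html(fragment):
    """Return the safe-subset rendering of an item's HTML description."""
    parser = SafeSubsetHTML()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def parse_feed(xml_text):
    """Return items with sanitized HTML and enclosure metadata.

    Enclosures are only described here, never fetched or opened: an
    aggregator saves them to disk as ordinary downloads so the existing
    anti-virus layer sees them.  For hostile feeds in production use
    defusedxml rather than the stock parser (entity-expansion bombs).
    """
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        raw = item.findtext("description") or ""
        enclosures = [
            {"url": e.get("url"), "type": e.get("type"), "length": e.get("length")}
            for e in item.findall("enclosure")
            if _safe_url(e.get("url"))          # drop file:, ftp:, etc.
        ]
        items.append({"title": (item.findtext("title") or "").strip(),
                      "html": sanitize_html(raw),
                      "enclosures": enclosures})
    return items


# Constructed sample feed (not a real publication): one benign item and one
# that carries a script, an event handler, a javascript: link and a
# file: enclosure.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item>
  <title>Benign post</title>
  <description>&lt;p&gt;Read &lt;a href="https://example.com/post"&gt;this&lt;/a&gt;.&lt;/p&gt;</description>
</item>
<item>
  <title>Hostile post</title>
  <description>&lt;p onmouseover="alert(1)"&gt;Hi&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;a href="javascript:alert(2)"&gt;click&lt;/a&gt;&lt;img src="x" onerror="alert(3)"&gt;&lt;/p&gt;</description>
  <enclosure url="https://example.com/episode.mp3" length="12345" type="audio/mpeg"/>
  <enclosure url="file:///C:/Windows/notepad.exe" type="application/octet-stream"/>
</item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_FEED):
        print(entry["title"], "->", entry["html"], entry["enclosures"])
```

Run as-is and the hostile item comes out as `<p>Hi<a>click</a><img></p>` with only the https enclosure listed, which is the "roughly the same risk as browsing" posture Greg describes: markup is reduced to what the renderer is willing to show, and the one thing that can still carry a payload (the enclosure) is handed to the same download path, and the same anti-virus scanner, as any other file from the web.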



© 2002 - 2010 by Dave Taylor. All Rights Reserved.
