Dave, I have read a lot about RSS and XML feeds, and I daily use an RSS aggregator to subscribe to and read some feeds of interest to me.
My question is: Is there a security risk in using RSS feeds? I don’t believe that my anti-virus programs scan my RSS, and I am not familiar enough with how the XML feeds work to know if it could pose any kind of security risk, i.e., viruses, spyware, hostile computer takeovers, etc.
I forwarded your question to a couple of the smartest people I know, guys that are mired in the innards of RSS, Greg Reinacker (Chief Technology Officer at RSS aggregator Newsgator.com) and Bill French (Co-founder of enterprise blogging tool developers MyST Technology Partners).
Greg answered first:
For starters, passing malicious CSS/HTML within an RSS feed is generally benign. Most aggregators (including all NewsGator products) either a) strip the content down to a “safe” subset of HTML that they will render, or b) render the content within a browser like IE that already has certain security precautions built-in. There are some potential issues with content appearing to come from your local machine in some cases, and thus be considered more trusted than internet content, but in most situations this isn’t a factor.
More likely culprits are enclosures – because you can “deliver” a virus or other malicious code via a feed. However – the way our tools (and most others) work is they download the file, and save it to your disk…so any existing anti-virus and other tools can deal with it the same way they would deal with a manual download from the web.
So bottom line – there are potential issues, but most mature aggregation tools will deal with these in a sensible way, reducing the risk to roughly the same risk you get by browsing web sites.
Bill responded to this observation with:
Yep – that’s the hope, and for the most part, the case. Now, if we can assume that Microsoft will be sensible concerning security, life will be good.
There is a degree of security with anything that drops content into your local file system. But I think companies like VeriSign (and the media) tend to over-hype the risks because they stand to benefit greatly from such behavior.
Is there a risk? – Absolutely. Is it significant? Probably not, especially if you’re picking strong technologies to deliver the content (NG, My.Yahoo, Bloglines), and reputable sources that publish the content.
And let’s not forget that there are many business and military requirements where the definition of “security” varies. Distributing RSS over HTTPS is something we provide for some customers – employees appreciate this – they can access lots of information without logging into the VPN (a particularly troublesome issue at many companies with rigid security requirements).
Thanks, Bill and Greg!
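To make Greg’s two points concrete, here is an added Python example of what a cautious aggregator does with a feed: it renders only a safe subset of the HTML in each item (dropping script, event handlers and javascript: links) and records enclosures for the normal download path instead of fetching or executing them. This is not code from the original post or from NewsGator; the sample feed, tag whitelist and scheme list are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed sample feed (not from the original post): an item carrying
# script/event-handler markup and a javascript: link, plus a podcast enclosure.
FEED = """<rss version="2.0"><channel><title>Demo</title>
<item><title>Post</title><description>&lt;p onclick="x()"&gt;Hi &lt;b&gt;there&lt;/b&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;link&lt;/a&gt; &lt;a href="https://example.com/"&gt;ok&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>Podcast</title><enclosure url="https://example.com/ep1.mp3" length="1234" type="audio/mpeg"/></item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class Sanitizer(HTMLParser):  # re-emit only whitelisted tags/attributes
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and v
                    and v.strip().lower().startswith(SAFE_SCHEMES)]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:                # text is re-escaped, never passed raw
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    s = Sanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)

def read_feed(xml_text):
    """Return (title, safe HTML) per item, plus enclosures left for the download/AV path."""
    root = ET.fromstring(xml_text)
    items, enclosures = [], []
    for item in root.iter("item"):
        items.append((item.findtext("title"), sanitize(item.findtext("description") or "")))
        for enc in item.findall("enclosure"):   # never fetched here: saved-to-disk path only
            enclosures.append((enc.get("url"), enc.get("type"), enc.get("length")))
    return items, enclosures
```

Running `read_feed(FEED)` yields the first item with its script and onclick removed and the javascript: link reduced to a bare `<a>`, while the MP3 enclosure is listed rather than downloaded.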
I really want to highlight something Bill said here too: if you only subscribe to reputable RSS feeds from legitimate agencies and writers, your risk should be quite minimal. Being on the Web at all is a bit of a risk, of course, but the RSS feed from “WeHackYourPatheticPC.com” is doubtless more risky than the Wall Street Journal or British Broadcasting Corporation!
A quick Web search highlights the following quite interesting and relevant article too, offering yet more thoughts on this topic: Security: The Missing Ingredient in Buzz About RSS.
Hope that helps answer your question!