Enjoy Every Sandwich

Thoughts on SQL, XML, .NET and sometimes beer.

Search

Navigation

Blogs

Tools

Validate This Feed

List O'Links

Kent's Other Stuff

Subscriptions

News

Please read these
Notices and Disclamiers

Post Categories

Article Categories

RSS security issues and useful reading

Ken vanWyk had a really interesting post about Security and Blogging on the SC-L that I though was worth sharing.

Over the last couple weeks, I've been reading up on RSS* in my spare time, having only recently been introduced to this neat mechanism--thanks, Dana!.

(FYI, we even put up an RSS feed of updates/announcements on securecoding.org in order to dive directly into it.) One of my concerns, naturally, has been security, especially since stand-alone RSS aggregators are _relatively_ new, and I couldn't recall having seen many vulnerability advisories on them.

After just a bit of googling, I found several real good sources of information, which I'm including here for anyone that's interested. Most of these have been available for a while, but I thought that they were pretty interesting reads anyway. YMMV...

http://silverstr.ufies.org/blog/archives/000480.html - Dana Epp's blog entry, complete with a Powerpoint presentation that provides a very useful overview of RSS and its benefits. It certainly piqued my interest to explore further.
http://www.2rss.com/ - Solid and worthwhile information on the technology and how it works, along with pointers to news feeds, aggregation tools, etc.
http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely - Excellent article by Mark Pilgrim on the security issues of RSS and how to safely code an RSS aggregator. A must-read if you're writing an aggregator, as well as a highly recommended read if you're just interested in the technology.
http://bitworking.org/news/47 - Information on the security of the Aggie RC5 aggregator, but also contains links to more general RSS security issues as well as a link to a test XML file for testing aggregators for common flaws.
http://www.fibiger.org/archives/2003_02.html#000509 - Interesting horror story about one person's experience with an RSS aggregator (Newsgator) within Outlook.

* RSS stands for "RDF Site Summary" or "Rich Site Summary" or "Really Simple Syndication," depending on whom you ask. If you're not familiar with it, check it out. If you spend time reading through various web sites for news, technical info, and other info, then you REALLY should check it out. RSS can be a tremendous time saver.

posted on Friday, February 13, 2004 11:47 AM by ktegels