RSS is growing at lightning speed. What was once known only as a "techie tool", RSS is becoming a tool that is continuously being used by the general population. Along with the good comes the not so good. And while some have mentioned the emergence of RSS spam, where content publishers dynamically generate nonsensical feeds stuffed with keywords, the real concern relates to security. While an annoyance to the search engines, spam in RSS feeds pales in comparison to the possible security concerns that could be in RSS' future.
Security Implications Related to RSS

As RSS gains momentum, security fears loom large. As publishers are quickly finding innovative uses for RSS feeds, hackers are taking notice. The power and extensibility of RSS in its simplest form is also its Achilles' heel. The expansion capabilities of the RSS specification, specifically the "enclosure" field that launched the podcasting phenomenon, are where the vulnerabilities lie. The enclosure field in itself is not the problem; in fact, the majority of RSS feeds do not even use the enclosure tag. The enclosure tag is essentially used to link to file types, things like images, Word documents, MP3 files, PowerPoint presentations, and executables, and can be thought of in similar terms to email attachments.
The fact that RSS can be used to distribute these file types has opened a myriad of doors to users of the syndication standard, but it has also created cause for concern. Most people do not feel that the risk is significant because people "choose" the content that they receive, and while that might make the distribution of malware, viruses and spy applications via RSS less prevalent, there is still the inherent risk of an infected file being distributed.
The problem is one of both technology and lack of education.
The danger lies in the fact that many RSS readers, news aggregators, or pod-catchers automatically download the information contained in the enclosure field regardless of its file type or source.
Most RSS developers acknowledge the risks associated with the enclosure field, but few have had the forethought to include filtering, screening or authentication capabilities, and many automatically download enclosures.
Nick Bradbury of Bradsoft/NewsGator seems to be proactive, designing FeedDemon with security in mind. FeedDemon uses an editable safelist of file types as well as allowing users to monitor what files are automatically downloaded. FeedDemon also contains hard-coded warnings related to specific file types.
Developers of ByteScout took a different approach to the handling of enclosure files: ByteScout does not automatically download anything without user intervention for each download.
Unfortunately, not all RSS readers, aggregators and podcatchers consider the possible security implications associated with RSS feeds and podcasts; some will automatically download enclosures without warning or any thought of security. Be sure to examine how your RSS reader handles files contained in the enclosure field of an RSS feed.
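The safelist, warning and ask-first approaches described above, combined into one enclosure triage routine. This is an added example, not code from FeedDemon, ByteScout or any other reader; the feed, URLs and safelist contents are constructed for illustration, and nothing is downloaded.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample feed (not from any real publisher) with four enclosures.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Demo</title>
<item><title>Episode 1</title>
 <enclosure url="http://example.invalid/ep1.mp3" length="1024" type="audio/mpeg"/></item>
<item><title>Slides</title>
 <enclosure url="http://example.invalid/talk.ppt" length="2048" type="application/vnd.ms-powerpoint"/></item>
<item><title>Installer</title>
 <enclosure url="http://example.invalid/setup.exe" length="4096" type="application/octet-stream"/></item>
<item><title>Mislabelled</title>
 <enclosure url="http://example.invalid/song.mp3" length="512" type="application/x-msdownload"/></item>
</channel></rss>"""

# Editable safelist (assumed contents): declared MIME type -> extensions fetched without asking.
SAFE_TYPES = {"audio/mpeg": {".mp3"}, "image/jpeg": {".jpg", ".jpeg"}, "image/png": {".png"}}
# Hard-coded deny list (assumed contents): executable content is never fetched automatically.
DENY_EXTS = {".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".pif"}
DENY_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

def classify_enclosure(url: str, mime: str) -> str:
    """Return 'auto' (safe to fetch), 'ask' (needs a click) or 'block' (warn, never fetch)."""
    ext = PurePosixPath(urlparse(url).path).suffix.lower()
    mime = (mime or "").split(";")[0].strip().lower()
    if ext in DENY_EXTS or mime in DENY_TYPES:
        return "block"
    # Auto-download only when the declared type and the URL extension agree and both are
    # safelisted; any mismatch or unknown type falls through to 'ask' for user intervention.
    if mime in SAFE_TYPES and ext in SAFE_TYPES[mime]:
        return "auto"
    return "ask"

def triage_feed(xml_text: str) -> list:
    """Parse an RSS 2.0 document and decide, per enclosure, what the reader may do."""
    root = ET.fromstring(xml_text)
    decisions = []
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            decisions.append((title, url, classify_enclosure(url, enc.get("type", ""))))
    return decisions

if __name__ == "__main__":
    for title, url, decision in triage_feed(SAMPLE_FEED):
        print(f"{decision:5s} {title}: {url}")
```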
With the increased use of RSS and podcasting, the security risks increase with it. There is cause for concern; however, proactive users and conscientious developers can easily reduce the risk by taking precautions seriously. Computer viruses and malware are cause for legitimate concern, but there is ample time, and action that can be taken, to avert potential problems.
Sharon Housley manages marketing for FeedForAll http://www.feedforall.com, software for creating, editing and publishing RSS feeds and podcasts. In addition, Sharon manages marketing for FeedForDev http://www.feedfordev.com, an RSS component for developers.