Security: The Missing Ingredient in Buzz About RSS

Microsoft's support for RSS (Really Simple Syndication) in its upcoming Longhorn operating system and Internet Explorer 7 browser promises to bring RSS to the masses. Friday's announcement at GnomeDex 2005 generated excitement about new uses for the technology, as well as caution in some quarters about Microsoft's introduction of extensions to RSS.

But what about security? Microsoft's presentations discuss many new uses for RSS, but integrating RSS into the operating system will likely have hackers contemplating new scenarios as well. RSS is currently consumed through a wide variety of news readers, email clients, web sites and browsers. As RSS becomes a standard feature in IE7 and Longhorn, it may become more attractive to malware authors with an interest in delivering malicious code from the Internet onto RSS-enabled desktops.

RSS is an XML format that is widely used to syndicate news from weblogs or news sites. RSS can include HTML tags and many types of content, such as the audio files included in "podcasting" feeds, the current rage among bloggers. The format's versatility also could allow malicious content to be included in feeds and executed by newsreaders or browsers. The possible use of RSS to deliver malware and spam was highlighted by Mark Pilgrim in 2003, and tools have since emerged to help check whether a particular newsreader is securely coded.

The growing use of RSS in the enterprise has heightened interest in RSS security. Some enterprises are experimenting with private feeds with password protection, or even using RSS for document management.

VeriSign is among the companies already developing RSS security products for the corporate market. CEO Stratton Sclavos announced in a presentation in mid-May that VeriSign plans to provide feed, content and identity management products to help prevent RSS and the companion Atom format from being abused for spam, phishing and other security threats.

VeriSign isn't saying much about its plans for RSS products, but obvious possibilities include bundling an RSS feed generator and client that can exchange data securely. VeriSign will be competing with existing RSS service providers such as NewsGator and HexaMail, which each have enterprise RSS offerings.

There have been no high-profile security events yet involving RSS, which may lead to complacency about its security. But many delivery methods for spam, spyware, malware and trojans were difficult to imagine just a few short years ago. Amid the excitement of Friday's announcement, the community of RSS developers and users has an opportunity to discuss those lessons and apply them in securing the future of RSS.