Is Really Simple Syndication Really Secure?
RSS -- Really Simple Syndication or Rich Site Summary -- allows a Web site owner to share content among different Web sites in XML format. It's a quick way to share distributed feeds among a self-selected group of subscribers, but does opening the window to RSS also let in harmful malware and viruses? Some security vendors are beginning to address the threat.
RSS reader software can heighten the potential for intrusion, warn some security experts. IT managers often fail to ensure that their networks are not at risk from the use of RSS feeds linked through Web browsers and e-mail clients.
That oversight can punch a gaping hole in the security barriers. One of the biggest problems for users of RSS reader software, according to Ray Dickenson, senior vice president of data-security firm Authentium, is exposure of their data from cross-site linking.
"RSS is the largest possible market hackers have available. Even Mac and Linux users can be susceptible when surfing," Dickenson told TechNewsWorld.
What Is RSS?
As with much of the terminology behind computer innovations, RSS has multiple meanings that describe the same function of delivering news quickly. RSS usually stands for Really Simple Syndication or Rich Site Summary.
Either way, the term RSS names the technology that allows a Web site owner to share content among different Web sites in XML format. Web publishers can post a link to the RSS feed so users can read the distributed content on the site displaying the RSS link.
RSS allows a computer user with a browser add-on or standalone software reader to find and view information. Computer users can subscribe to specific types of information, such as news categories or product information, all delivered in one viewing window.
RSS technology is an alternative means of accessing the vast amount of information on the Web. Instead of users browsing Web sites for information of interest, RSS pushes that information directly to the users.
Convenience Carries Caution
RSS technology is part of the growing Internet phenomenon known as Web 2.0, which allows computer users to enjoy enhanced connectivity to information and computer services hosted on remote Web sites.
The problem, however, is that Web 2.0's interconnectedness makes it easier for little snippets of information in an RSS feed to slip malware into computers.
"RSS is hot technology. It is very easy to set up RSS feeds. Security takes a back seat to convenience," said Dickenson.
RSS syndication itself is not the culprit. The speed and ease of distribution make RSS an ideal delivery vehicle for malware along with information, he warned.
High-Tech Hiding Places
One of the basic premises of best practices for safe computing, according to Dickenson, is to block dangerous code. However, RSS feeds make it possible for hackers to engage in cross-site scripting using forms on a Web site that users fill in with personal information.
"It is very hard to trace this type of malware back to its source," Dickenson said. "If a user clicks on links while accessing e-mail at same time, cross-site scripts can allow a hacker to peak into files of even Mac and Linux computers."
The potential for cross-site scripts already existed before RSS technology became popular, but RSS gives hackers more ready access, he said.
Service providers and IT managers have to be sure that their security tools are able to deal with these threats, said Dickenson.
RSS technology and cross-site scripting are worrisome factors, acknowledged Paul Henry, vice president, technology evangelism for Secure Computing. RSS has potential for a great attack vector, he added.
"Most RSS readers don't validate the content. Only a handful of the reader products let users specify the types of downloads to permit," Henry explained.
When the cross-site scripting element is factored into the equation, the seriousness of the attack potential is very evident. All someone has to do is put a button for free sign up on an infected Web site. The RSS reader does not check on the contents, he said.
Threat vs. No Threat
However, some security gurus disagree with the view that RSS feeds are the ultimate threat. Andrew Jaquith, program manager for security research at the Yankee Group, countered that RSS is not even close to the largest possible addressable market.
"RSS is still a niche feature used by not more than 10 to 20 percent of users, although that number is bound to increase. General Web surfers are far easier to get to. A far bigger target is the Web mail providers (Gmail, MSN, etc.)," Jaquith said. "This has been a fertile area for security research of late."
While Jaquith agrees that the newness of RSS technology does position it as a source of potentially higher risks, he does not see the threat as being severe enough yet to say the sky is falling. He does see a basis for concern because the new technology reflected in RSS readers is plugged into older technology that already has security flaws.
"The operating systems, browsers and third party packages just haven't been around that long. So they are likely to have had less scrutiny by outside researchers. That, in itself, presents heightened risk," he explained.
Some security vendors are beginning to address the threat posed by RSS technology. One solution is for service providers and network administrators to protect their users from these data dangers.
Dickenson said Authentium's Extensible Service Platform (ESP) for Enterprise addresses that concern by managing antispyware, antivirus and content-filtering solutions. It also integrates other end-point software applications from multiple vendors through a single management interface.
Henry added that Secure Computing's Webwasher product takes a proactive approach that is able to identify RSS threats by analyzing the entire traffic stream entering a computer or network from the Internet. He said Webwasher adds another layer of security on top of the company's reputation-based filtering service.
Matter of Degrees
Jaquith said an even bigger threat than RSS feeds would be the ad networks that are compromised. For instance, imagine a hacker owning a company such as Internet advertiser DoubleClick and installing a rootkit on it.
"That's instant infection for 100 million users. It makes RSS looks like a kid's toy, which, in comparison, it is," he concluded.