Private RSS Feeds & Feed Readers
June 12th, 2008 | Published in Misc | 5 Comments
We’re planning an event here at Well.ca, a secret event. But that’s not what this post is about. To organize and send out invites for this event I suggested we use MyPunchBowl. I haven’t done much with it, but it looked half decent and I’ve heard good things about it.
There was one problem with MyPunchBowl, you were unable to add multiple hosts to an event. Alex emailed support@mypunchbowl.com asking for a solution. That’s the last I heard about it till now.
I happen to use Bloglines, and I have a search in Bloglines for any posts mentioning “Well.ca”. I was a bit surprised tonight when I came across an RSS entry that contained Alex’s email to support@mypunchbowl.com and the subsequent responses. It appears that MyPunchBowl uses Sproutit Mailroom for their support emails, and Mailroom exposes an RSS feed of those support emails. Someone had subscribed to that feed in Bloglines, which made its contents searchable, and my search for “Well.ca” turned it up.
When you add a feed to Bloglines, you can mark the feed as “Private” or “Public”. The interesting thing is that marking a feed as “Private” means (from Bloglines): “Private subscriptions don’t show up in blogrolls and you will not be listed as a public subscriber. However, the feed and all its posts will remain available to the public via Bloglines and Ask.com Blog & Feed Search”. In other words, “Private” hides your subscription, not the feed’s content.
I don’t like putting stuff I want to keep private into RSS feeds and this confirms my feelings.
As a side note, the RSS feed in question can be accessed directly by anyone who knows the URL, with no further authentication. Maybe I’m being paranoid, but I don’t think this information should be so open.

June 13th, 2008 at 4:59 am
Hi,
Like you subscribe to all posts on well.ca, I subscribe to all posts on events.
That’s how I stumbled onto this post. I am part of the team that built purpletrail.com, an online event planning service. Early days for us. Was wondering if you could give it a test drive and let me know what you think of it.
Also, on the privacy of RSS feeds: I think too many services have enabled RSS without thinking through the public nature of them. We have often been asked to provide RSS feeds for event updates and have resisted so far for exactly the same reason, because once it’s a feed you don’t have control over who sees it.
In another of our products, http://www.taskbin.com, we did provide RSS feeds for the group’s tasks but allowed the group admin to revoke the feeds at any point in time.
June 13th, 2008 at 9:14 am
To be fair, you actually can add multiple hosts, it just wasn’t displayed very prominently. I suggested that they allow the event admin to add more hosts in the same place where you can manage guests, and they agreed that this was a good idea (you probably already read that!)
I definitely was annoyed to see my e-mails pop up in bloglines, though.
June 13th, 2008 at 11:24 am
Anuj, I agree with you that too many places have RSS feeds… it does seem to be a fairly big buzzword.
I did some reading on authentication and RSS feeds. There are 3 options available (from my quick search):
* Security through obscurity — Don’t make it easy to find or guess
* Permission based - Bloglines does have an RSS extension to stop it from searching feeds. It still leaves it open if you find the feed.
* HTTP Auth - Most blog readers support this by specifying the user/password in the URL.
Something to think about.
June 17th, 2008 at 4:56 pm
Hi guys,
This is Charles from Sproutit. I appreciate your post on RSS feeds and their security holes. I just wanted to clear up a few misconceptions.
First, when Sproutit first launched, we ONLY supported secure feeds using HTTP Auth (as clong suggested), because we did not want to make feeds insecure. What we found was that contrary to common knowledge, almost no popular feed readers support secured feeds. A small percentage of our users used the feature because of this; most just thought it was broken.
Last year we added RSS feeds that include security through obscurity. The URL is not guessable (it requires a passcode at the end), and there is a button in the Mailroom that will reset the feed passcode so that if you do get an exposed feed, you can close off the hole.
Unfortunately this is not real security and we say so on our help files. But it is the state of RSS today. If you want to make RSS safe for private info, please contact your favorite feed reader (I’m looking at you every-web-based-feed-reader-on-the-planet) and ask them to add support for HTTP Auth.
Thanks,
-Charles
June 17th, 2008 at 7:42 pm
Thanks Charles for responding.
To clarify, I didn’t mean this post to be against Sproutit; I do believe you guys have a neat piece of software. From a first glance, better than our current software at Well.ca. This post was more against the lack of RSS security; it is something that needs to be supported or solved another way.
I think you should look into adding the Bloglines extension (to stop them from searching a feed) to your RSS. It should stop a situation like this where someone is able to determine the RSS feed based on Bloglines searches.
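Taken together, clong’s three options (obscurity, a “don’t index me” extension, HTTP Auth) and Charles’s description of Mailroom’s passcode URLs with a reset button sketch a small design. The following is an added example written for this page; it is not code from the post, from Sproutit Mailroom or from Bloglines. It is a minimal feed server that supports all three at once: HTTP Basic auth, an unguessable per-feed token that can be rotated, and the Bloglines Feed Access Control element (`access:restriction`, from Bloglines’ published FAC 1.0 spec) that asks aggregators not to expose the feed through public search. The mailbox contents, credentials, port and URL path are constructed for the example.

```python
"""Three ways to gate an RSS feed, side by side (added example, not Mailroom code).

1. HTTP Basic auth on the feed URL (what Sproutit first shipped).
2. A capability URL: an unguessable per-feed token with a rotate/revoke operation.
3. The Bloglines Feed Access Control element, which asks aggregators not to
   list or search the feed publicly (advisory: only FAC-aware readers honour it).
"""
import base64
import hmac
import secrets
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

FAC_NS = "http://www.bloglines.com/about/specs/fac-1.0"  # Bloglines FAC 1.0 namespace

# Constructed sample support thread; a real deployment would read the mailbox.
MESSAGES = [
    ("Re: multiple hosts for an event", "You can add hosts under Manage Guests."),
    ("multiple hosts for an event", "Can we add a second host to our event?"),
]


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a feed reader would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FeedGate:
    """Credentials for one feed: a Basic-auth user list and a capability token."""

    def __init__(self, users):
        self.users = dict(users)                 # user -> password (constructed; hash these in production)
        self.token = secrets.token_urlsafe(32)   # 256 random bits: not guessable, unlike a sequential id

    def rotate(self):
        """The 'reset feed passcode' button: every URL carrying the old token stops working."""
        self.token = secrets.token_urlsafe(32)
        return self.token

    def token_ok(self, presented):
        # Constant-time compare so the token cannot be recovered byte by byte via timing.
        return presented is not None and hmac.compare_digest(
            self.token.encode(), presented.encode()
        )

    def basic_ok(self, header):
        """Check an 'Authorization: Basic base64(user:password)' header."""
        if not header or not header.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return False
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), pw.encode())


def render_feed(messages, private=True):
    """Build RSS 2.0; with private=True add <access:restriction relationship="deny"/>."""
    items = "".join(
        f"<item><title>{escape(t)}</title><description>{escape(b)}</description></item>"
        for t, b in messages
    )
    restriction = '<access:restriction relationship="deny" />' if private else ""
    return (
        f'<?xml version="1.0"?><rss version="2.0" xmlns:access="{FAC_NS}">'
        f"<channel><title>Support mailbox</title>{restriction}{items}</channel></rss>"
    )


def authorize(gate, url, auth_header=None):
    """Decide what a request for the feed gets: (status, body, headers)."""
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    if gate.token_ok(token) or gate.basic_ok(auth_header):
        return 200, render_feed(MESSAGES), {"Content-Type": "application/rss+xml"}
    # Challenge, so readers that do support HTTP auth can retry with credentials.
    return 401, "", {"WWW-Authenticate": 'Basic realm="support feed"'}


GATE = FeedGate({"alex": "correct-horse"})   # constructed credentials


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body, headers = authorize(GATE, self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Hypothetical local deployment; the token URL is the 'private' feed link.
    print(f"Private feed URL: http://localhost:8000/support.rss?token={GATE.token}")
    HTTPServer(("localhost", 8000), Handler).serve_forever()
```

The token URL is exactly the “security through obscurity” Charles describes: anyone who obtains it (from a Referer header, a shared reader account, or a public aggregator that someone subscribed from) can read the feed, which is why `rotate()` has to exist and why the URL should be treated as a password. The `access:restriction` element only helps with readers that implement it; it does nothing against a reader that has the URL and ignores the hint.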