To clarify, I didn’t mean this post to be against Sproutit, I do believe you guys have a neat piece of software. From a first glance, better then our current software at Well.ca. This post was more against the lack of RSS security, it is something that needs to be supported or solved another way.

I think you should look into adding the Bloglines extension (to stop them from searching a feed) to your RSS. It should stop a situation like this where someone is able to determine the RSS feed based on Bloglines searches.

This is Charles from Sproutit. I appreciate your post on RSS feeds and their security holes. I just wanted to clear up a few misconceptions.

First, when Sproutit first launched, we ONLY supported secure feeds using HTTP Auth (as clong suggested), because we did not want to make feeds insecure. What we found was that contrary to common knowledge, almost no popular feed readers support secured feeds. A small percentage of our users used the feature because of this; most just thought it was broken.

Last year we added RSS feeds that include security through obscurity. The url is not guessable (it requires a passcode at the end), and there is a button in the Mailroom that will reset the feed passcode so that if you do get an exposed feed, you can close off the hole.

Unfortunately this is not real security and we say so on our help files. But it is the state of RSS today. If you want to make RSS safe for private info, please contact your favorite feed reader (I’m looking at you every-web-based-feed-reader-on-the-planet) and ask them to add support for HTTP Auth.

Thanks,
-Charles

I did some reading on authentication and RSS feeds. There are 3 options available (from my quick search):
* Security through obscurity — Don’t make it easy to find or guess
* Permission based - Bloglines does have an RSS extension to stop it from searching feeds. It still leaves it open if you find the feed.
* HTTP Auth - Most blog readers support this by specifying the user/password in the URL.

Something to think about.

I definitely was annoyed to see my e-mails pop up in bloglines, though.

like you subscribe to all posts on well.ca i subscribe to all posts on events

Thats how i stumbled on to your this post. I am part of the team that built purpletrail.com an online event planning service. Early days for us. Was wondering if you could give it a test drive and let me know what you think of it.

Also on the privacy of RSS feeds..i think too many services have enabled RSS without thinking through the public nature of them. We have often been asked to provide RSS feeds for event updates and have resisted so far for exactly the same reason. Cause once its a feed you dont have control over who sees it.

In another of our products http://www.taskbin.com we did provide RSS feeds for the groups tasks but allowed the group admin to revoke the feeds at any point of time.