It’s clear that RSS has moved out of the “will it be the next big thing?” stage and will play an important role in the future of information delivery. So, I think it’s vital that we continue looking at RSS from a security standpoint. After all, email started off being the killer app, but thanks to spam and viruses it’s no longer a reliable player.
So far most of the problems the RSS community has foreseen aren’t with RSS itself but with how RSS feeds are displayed, since most aggregators rely on an embedded web browser. Any security problems in the browser could be exploited by an RSS feed, which is why aggregators such as FeedDemon strip potentially harmful HTML before displaying a feed.
But what are the security issues that are specific to RSS? Developers such as myself are so used to looking at the benefits of technology that we often fail to see the risks, so I have to wonder if there’s something we’re missing. I’d rather admit my naïveté now than find out about some overlooked security issue down the road, when RSS is much more widely used (and my paranoid self thinks this is doubly important given that many governments are looking for an excuse to “protect” us from information).
Quite honestly, though, my biggest concerns aren’t security-related at all. I’m more concerned about RSS being used as a tool for disinformation. We’ve seen plenty of examples of mass media being used to spread lies and half-truths, and there’s no reason that RSS won’t fall prey to this. In some ways we’re protected by the fact that the blogosphere can “fact-check your ass,” but keep in mind that many of the big players are already approaching aggregator developers such as myself offering to pay to have their feeds included. A tempting offer, but the risk is that we’ll end up with the same situation that infects today’s mass media, where the big voices are heard (and re-heard) all over the place, while the smaller – but equally vital – voices aren’t heard unless you search for them.
So I ask again: what are we – or, what am I – missing?