Although RSS (Really Simple Syndication) has been around for a while now, it wasn't until IE7 and Firefox 2 made it easier to read RSS feeds that hackers began thinking of exploiting this technology to deliver malware. That said, feed hacking is not a particularly new threat.
Whilst it is fairly easy for users to simply subscribe to syndicated news and content feeds, the security problem here is that readers simply pull in the content from the source without first checking to see whether it might contain malicious code.
There are a few solutions to consider:
1. Use proactive defense mechanisms such as Kaspersky Antivirus 6.0. For every HTTP request, the AV engine traps and redirects the request, assuming responsibility for fetching the content. Once it is retrieved, the TCP AV instance scans the delivered data. If the data is 'clean', it passes the data back to the browser, where it is cached as usual. This might sound as if it creates TCP stack overhead, but that is the idea of proactive defense: the item is scanned BEFORE it hits the hard disk. The dependence here is how efficient the AV scanner is when it comes to detection rates.
2. Get RSS readers to scan for dangerous content and ignore/strip out "unsafe tags". The dependence here will be the 'intelligence' of readers in this regard.
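An added example (not from the original post) of the second approach: a reader-side filter that keeps an allowlist of tags, drops script-like elements together with their content, and accepts only http(s) links. The tag policy, the function names and the sample feed are assumptions constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Assumed policy for this example: tag -> attributes it may keep.
ALLOWED = {"p": (), "b": (), "i": (), "em": (), "ul": (), "li": (), "a": ("href",)}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # drop body too
SAFE_URL = re.compile(r"https?://", re.I)  # rejects javascript:, data:, relative

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            kept = "".join(' %s="%s"' % (k, html.escape(v.strip())) for k, v in attrs
                           if k in ALLOWED[tag] and SAFE_URL.match((v or "").strip()))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped, so it can never become markup
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def safe_items(feed_xml):
    """(escaped title, sanitized description) for each RSS 2.0 <item>."""
    return [(html.escape(i.findtext("title", "")), sanitize(i.findtext("description", "")))
            for i in ET.fromstring(feed_xml).iter("item")]

# Constructed sample feed, not taken from any real site.
SAMPLE_FEED = ('<rss version="2.0"><channel><item><title>Q3 &amp; you</title>'
               '<description><![CDATA[<p onclick="x()">News<script>steal()</script> '
               '<a href="javascript:run()">more</a> <a href="https://example.org/s">src</a>'
               '<img src="x" onerror="y()"></p>]]></description></item></channel></rss>')
```

Anything not on the allowlist (tags, event-handler attributes, non-http(s) link targets) is dropped rather than repaired, so an unfamiliar construct fails closed.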
Secure RSS
When we refer to "secure RSS" we are pointing at three things:
Authentication, Authorisation and Encryption of the data transmitted.
# Authentication means that a subscriber to an RSS feed can't read the content without entering a username and password (or a smart card or some other proof of identity). The authentication process enables companies to restrict information to certain employees and allows premium content to flow only to paying customers.
# Authorization is a separate step. After authentication, a central server determines whether the person who's logged on is actually entitled to a given RSS feed. An employee who used to be authorized might have been fired, for example, or a subscriber who paid 12 months ago might need to renew.
# Encryption prevents unauthorized parties from "sniffing" RSS content as it passes across the Internet. Once a particular user is authenticated and has been found to be authorized, it's relatively easy to encrypt an RSS feed using the well-understood HTTPS protocol.
So, in addition to having an adequate antivirus solution, linking to feeds that are sent over HTTPS with username/password combinations will provide for the above. However, only a handful of products support both security features.
Two of them would be RSSBandit and RSSOwl, both freeware and open source.
One other possible solution comes from Atom. Atom provides support for XML Encryption Syntax & Processing. The only problem here is that Atom isn't finished.
"Unfortunately, many of the applications that receive [feed] data do not consider the security implications of using content from third parties and unknowingly make themselves and their attached systems susceptible to various forms of attack," Robert Auger, formerly of SPI Dynamics
Referenced material:
http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely
http://www.whitehatsec.com/home/resources/presentations/files/whitehat_top_hacks_06_F.pdf
http://www.xml.com/pub/a/2005/07/13/secure-rss.html?page=last&x-showcontent=off
http://www.w3.org/TR/xmlenc-core/
http://itmanagement.earthweb.com/columns/executive_tech/article.php/3619221