OK, so there was some fiery banter over the weekend (half of which got lost because of the server restore) about my picking on SPI - or more specifically my picking on Caleb's comments to the press - about the potential for significant malware that utilizes RSS (at least in the near-term). Anyway, I thought I'd follow up on that and pass along a link that SPI sent around to a whitepaper that they've put together that further outlines their position on this. The whitepaper, "Feed Injection in Web 2.0", makes for an interesting read, but I'm still not getting it entirely. As far as I can tell, the point of the paper seems to be:
It seems to me like the first two bullets are sort of the point of syndication: somebody creates content for others to view - that content might include client-side functionality (scripts). The third bullet - while both true and interesting - is also equally true of web content, Flash, email, and all sorts of other communication methods. So why is it unique to RSS?
Anyway, not to stir back up the bee's nest, but I'm still not convinced that there's anything unique to RSS that makes it more dangerous than other protocols/communication vectors; I don't think it's more likely to facilitate malware, I don't think it's more likely to engender end-user attacks, and I don't think it's likely that it'll be a common attack vector in general. But that's just my two cents...
Posted by Ed at August 9, 2006 11:19 AM

I agree with your last paragraph except for "I don't think it's likely that it'll be a common attack vector in general." As common and popular as blogs are, I can easily see it becoming an attack vector for someone trying to create a botnet. Many people spend a lot of time blog hopping, just looking for some cool new blogs. The free blog services facilitate that hopping with the usual bars at the top of the screen.
With so many people who have no idea what they are doing throwing together blogs and not controlling comments, you may have a very easy way for bad guys to infect machines. And you can't always depend on the blog provider to stop it for you.
Posted by: Michael R. Farnum at August 9, 2006 03:00 PM

Michael,
Well, I'll buy that. I think there are a few factors: RSS readers are more diverse than web browsers; for example, just looking at traffic statistics, most web browsers seem to be either Firefox or IE (on various platforms, but still those two), whereas there are at least 10 different RSS readers in play (SharpReader, RSS Reader, Bloglines, etc.). So, probably at least one or two of those clients are implementing functionality that's dangerous according to the paper.
But I guess my point is that I don't think the problem is RSS itself - it could be a vector for nastiness in the way that SPI describes - but not because of an inherent problem in RSS, but because of the way it's implemented... By analogy, the recent bugs in IE pointed out by HD Moore make browsing more risky, but because of the browser implementation, not because of an inherent problem with HTML. I think the same is true of RSS...
Anyway, I guess this is a controversial opinion, but as always I reserve the right to be totally wrong. :-)
-E
Posted by: Ed at August 10, 2006 07:14 AM