Comments on: More RSS Stuff (I’m still not convinced) http://www.securitycurve.com/wordpress/archives/426?utm_source=rss&utm_medium=rss&utm_campaign=more-rss-stuff-im-still-not-convinced Fri, 10 Sep 2010 11:39:02 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Ed http://www.securitycurve.com/wordpress/archives/426/comment-page-1#comment-32 Ed Thu, 10 Aug 2006 12:14:34 +0000 http://securitycurve.com/wordpress/?p=426#comment-32 Micheal, Well, I'll buy that. I think there are a few factors: RSS readers are more diverse than web browsers; for example, just looking at traffic statistics, most web browsers seem to be either firefox or IE (on various platforms, but still those two), whereas there are at least 10 different RSS readers in play (SharpReader, RSS Reader, Bloglines, etc.) So, probably at least one or two of those clients are implementing functionality that's dangerous according to the paper. But I guess my point is that I don't think the problem is RSS itself - it could be a vector for nastiness in the way that SPI describes - but not because of an inherent problem in RSS, but because of the way it's implemented... By analogy, the recent bugs in IE pointed out by HD Moore make browsing more risky, but because of the browser implementation, not because of an inherent problem with HTML. I think the same is true of RSS... Anyway, I guess this is a controversial opinion, but as always I reserve the right to be totally wrong. :-) -E Micheal,

Well, I’ll buy that. I think there are a few factors: RSS readers are more diverse than web browsers; for example, just looking at traffic statistics, most web browsers seem to be either firefox or IE (on various platforms, but still those two), whereas there are at least 10 different RSS readers in play (SharpReader, RSS Reader, Bloglines, etc.) So, probably at least one or two of those clients are implementing functionality that’s dangerous according to the paper.

But I guess my point is that I don’t think the problem is RSS itself – it could be a vector for nastiness in the way that SPI describes – but not because of an inherent problem in RSS, but because of the way it’s implemented… By analogy, the recent bugs in IE pointed out by HD Moore make browsing more risky, but because of the browser implementation, not because of an inherent problem with HTML. I think the same is true of RSS…

Anyway, I guess this is a controversial opinion, but as always I reserve the right to be totally wrong. :-)

-E

]]> By: Michael R. Farnum http://www.securitycurve.com/wordpress/archives/426/comment-page-1#comment-31 Michael R. Farnum Wed, 09 Aug 2006 20:00:49 +0000 http://securitycurve.com/wordpress/?p=426#comment-31 I agree with your last paragraph except for "I don't think it's likely that it'll be a common attack vector in general." As common and popular as blogs are, I can easily see it becoming an attack vector for someone trying to create a botnet. Many people spend a lot of time blog hopping, just looking for some cool new blogs. The free blog services facilitate that hopping with the usual bars at the top of the screen. With so many people who have no idea what they are doing throwing togtether blogs and not controlling comments, you may have a very easy way for bad guys to infect machines. And you can't always depend on the blog provider to stop it for you. I agree with your last paragraph except for “I don’t think it’s likely that it’ll be a common attack vector in general.” As common and popular as blogs are, I can easily see it becoming an attack vector for someone trying to create a botnet. Many people spend a lot of time blog hopping, just looking for some cool new blogs. The free blog services facilitate that hopping with the usual bars at the top of the screen.

With so many people who have no idea what they are doing throwing togtether blogs and not controlling comments, you may have a very easy way for bad guys to infect machines. And you can’t always depend on the blog provider to stop it for you.

]]>