Private RSS Feeds: Support for security in aggregators
We’ve been experimenting with security options for RSS feeds for our intranet product. However, we found that there weren’t many resources or guidelines for how encryption or authentification should be handled (either in feeds or in readers/aggregators).
I did some testing and came up with the following results for HTTPS/SSL encryption and HTTP Authentification in various RSS readers:
| Reader | HTTPS/SSL | HTTP Authentification |
| --- | --- | --- |
| NetNewsWire | Yes | Yes (through URL) |
| NewzCrawler | No | Yes |
| NewsGator | Yes | Yes |
| AmphetaDesk | No | No |
| FeedDemon | Yes | Yes (through URL) |
| Radio Userland | Yes | Yes (through URL) |
| SharpReader | Yes | No |
| Syndirella | No | No |
HTTP authentification alone isn’t sufficient to create true private feeds, as the password is sent as clear text. However, when HTTP authentification is combined with SSL, it becomes a usable security mechanism.
After posting my results in Yahoo Groups: Aggregators, I got several helpful responses from the developers of RSS readers. The consensus seemed to be that there were two problems. First, that not enough people use private RSS feeds to make it worth worrying about. And second, that there are no good resources for testing.
In response to the first problem, that not many people use private RSS feeds, I have two counter-points. By the very nature of private RSS feeds, it is difficult to know how many there are - people don’t advertise them. More importantly, there is a catch-22 here. People won’t produce private RSS feeds until they know the RSS readers support the security features.
As for the second problem, that there are not good testing resources, following my post in the Aggregators group, Danny Ayers has taken to expanding the testing results and created a permanent page dedicated to reporting Aggregator features like these.
For the sake of the developers, we’ve created four RSS feeds for testing purposes:
| Test feed | HTTPS/SSL | HTTP Auth |
| --- | --- | --- |
| Plain old RSS (no authentification or SSL) | no | no |
| RSS with SSL, but not HTTP Auth | yes | no |
| RSS with HTTP Auth, but no SSL | no | yes |
| RSS with both SSL and HTTP Auth | yes | yes |

The username/password for the HTTP auth-protected feeds is: testuser/testpass
In the end, we found that there was enough support to proceed with feeds protected with both SSL and HTTP authentification. That said, many of the RSS readers only supported HTTP authentification by putting the username/password in the URL. Ideally there would be a more secure method for storing the password. Note to the makers of NewzCrawler: please support SSL, or I’ll have to use another reader, and I like yours.

Comments
Luke Hutteman - July 10, 2003 8:44 pm
Thanks for setting up these test-feeds. That helps a lot in trying to add this functionality to SharpReader.
I just tried the https url in SharpReader, and it loaded fine for me. If you got an error-message or stacktrace when you tried it, please email that to me so I can try and figure out why it did not work for you. Thanks!
Steven Garrity - July 10, 2003 11:12 pm
My mistake Luke - SharpReader does indeed work with SSL. I've updated the table.
Stephen DesRoches - July 11, 2003 10:46 am
That's cool Luke. I look forward to using SharpReader with HTTP Auth.
F. Andy Seidl - July 12, 2003 12:04 am
For an easy way to _produce_ secure RSS feeds, take a look at MySmartChannels (available as a free service at http://myst-technology.com). It supports all RSS versions as well as other types of secure feeds (e.g., OPML, smart tags, Post-it Software Notes, Klipfolio klips, MyST-ML, and others). You can use all permutations of authenticated/not authenticated and http/https and can even apply security rules on an item-by-item basis so different users see different views of the same feed, depending on their credentials.
(I helped develop MySmartChannels, so I’m quite biased of course, but it's still worth a look. ;-)
Gary Burd - July 12, 2003 6:25 pm
"HTTP authentification alone isn’t sufficient to create true private feeds, as the password is sent as clear text."
This is true of HTTP Basic Authentication. HTTP Digest Authentication does not send the password as clear text.
nathan - July 15, 2003 11:10 am
Gary: yes, but if you also care about the privacy of the content then SSL is required to encrypt it. Since SSL encrypts the entire HTTP request it will also protect the Basic Auth password.
Gary Burd - July 17, 2003 7:45 pm
Nathan: Yes, if you must have a strong guarantee, then SSL is the way to go. There are scenarios where a weak guarantee is adequate. For example, if you are charging for a feed, you might not care if a pirate with a packet sniffer reads your feed on occasion. In this case, HTTP Digest Authentication is a cheap and easy way to go.
scott - August 11, 2003 4:32 pm
I agree. Most of our clients authenticate users over http.
BTW, I just installed Newzcrawler and password protected an RSS feed with our product AuthentiX (http://www.flicks.com/prod.htm#authnx). Newzcrawler works like a dream. I tried BottomFeeder but it choked on the authentication.
Alexeo - August 19, 2003 4:00 pm
NewzCrawler 1.5.1 or better does support SSL (http://www.newzcrawler.com/forum/viewtopic.php?t=51).
James Robertson - September 21, 2003 12:28 pm
I'm working through the issue with BottomFeeder - I'm trying to send this request:
GET /local/solabs/rsstest/httpauth/rss_with_auth.xml HTTP/1.1
Host: labs.silverorange.com
User-agent: BottomFeeder/Development
Accept: */*
Authorization: Www-authenticate: Basic realm=rsstest
dGVzdHVzZXI6dGVzdHBhc3M=
Connection: Keep-Alive
and getting an auth failure. I'm unclear on what's wrong.
James Robertson - September 21, 2003 12:49 pm
Ok, I actually looked at the relevant RFC. I now have it working....
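The header format RFC 2617 specifies for Basic, next to the Digest alternative raised earlier in the thread, as an added example that is not part of the original post or any commenter's code. `WWW-Authenticate` is the server's challenge; the client answers with `Authorization: Basic <base64(user:password)>`. The function names are hypothetical and the nonce and cnonce are constructed sample values.

```python
import base64
import hashlib


def basic_authorization(username, password):
    """Authorization header value for Basic: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value):
    """Recover (user, password) from a Basic header value, as any observer can."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("expected 'Basic <base64>' after 'Authorization: '")
    decoded = base64.b64decode(token, validate=True).decode()
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credential has no ':' separator")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, nonce, method, uri, nc, cnonce):
    """RFC 2617 Digest response for qop=auth; the password itself is never sent."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_authorization(username, password, realm, nonce, method, uri, nc, cnonce):
    """Authorization header value for Digest, built from the server's challenge."""
    response = digest_response(username, password, realm, nonce, method, uri, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


if __name__ == "__main__":
    uri = "/local/solabs/rsstest/httpauth/rss_with_auth.xml"
    basic = basic_authorization("testuser", "testpass")
    print("Authorization:", basic)
    print("recovered from the wire:", decode_basic(basic))
    # The nonce and cnonce below are constructed samples; the server issues the nonce.
    print("Authorization:", digest_authorization(
        "testuser", "testpass", "rsstest", "constructed-nonce-0001",
        "GET", uri, "00000001", "constructed-cnonce"))
```

Digest keeps the password off the wire but leaves the feed content readable to anyone on the path, so it does not replace SSL where the content itself is private.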
Oleg Dulin - October 10, 2003 10:26 am
I am not sure if anyone had thought of this yet but you can download the wget utility from cygwin or, if you are using UNIX, just install it. WGET supports all possible http configurations including ssl and authentication.
The basic idea is that you can schedule a job to retrieve the private RSS file regularly to your local hard drive and then point your favorite RSS reader to that file.
If there is enough interest I can post instructions on my personal blog.
Jiri Bures - October 21, 2003 2:40 pm
I added some RSS readers according to your test. I can find it on http://blog.converter.cz/index.php?m=200310#286 - it is in czech language only. But I think that it is not a problem for you :-) For all that: Ano = Yes, Ne = No :-)
Jiri Bures - October 21, 2003 2:44 pm
No 'I' but 'You' (in start of the second sentence).
TorstenR - October 25, 2003 6:04 am
Thanks for setting up these feed tests!
Recently I got it to work with RSS Bandit also (http://www.rssbandit.org).
Luke Hutteman - November 11, 2003 12:57 pm
As of version 0.9.3, SharpReader also supports HTTP Authentication - either thru the url or thru an authentication dialog
TorstenR - March 3, 2004 1:41 pm
https://secure2.silverorange.com/rsstest/httpauth/rss_with_ssl_and_auth.xml does not work anymore. Did you change the login credentials?
Nick Burka - March 3, 2004 2:22 pm
We had just switched webservers last night. The logins have been fixed. Thanks for the heads-up.
kellan - March 27, 2004 12:53 pm
rss_with_ssl_and_auth.xml no longer requires HTTP authentication
Steven Garrity - April 13, 2004 9:30 pm
Thanks for pointing that out kellan. It is now fixed.
Taka - June 5, 2004 2:44 am
Whoops, I thought I posted here ages ago. I guess not /taka slaps head.
Awasu supports https and authenticated feeds - all four of your test feeds work fine with us.
Dominic Sayers - June 11, 2004 7:43 am
I have yet to find an aggregator that works with digital certificates to authenticate the user over an SSL connection. NewsGator claims to support this but I haven't got it to work yet. Is anybody working in this area?
Odd guy - July 16, 2004 5:41 am
Just an FYI - There's no such word as authentification. It's authentication and identification. Good review none-the-less! (probably no such word as none-the-less ;))
Peter Bruinsma - August 11, 2004 3:10 pm
intraVnews supports authentication and has been tested with the above feeds.
David Ma - September 27, 2004 3:06 pm
The tests do not cover the situation when the RSS feed uses a self-signed or private CA (FeedDemon seemingly being the only reader that passes). FeedDemon requires the private CA, or self-signed cert, to be imported as a trusted root CA, but works after this has been done.
Dominic Sayers - September 29, 2004 8:06 am
intraVnews!
Just tried it for the first time. It's the only aggregator that I can get to work with my corporate syndication feeds that are protected by Windows authentication.
Tried NewsGator and NewzCrawler on the same feeds and got "401 Unauthorized" however I set up the authentication.
Greg Reinacker - September 29, 2004 1:10 pm
NewsGator definitely supports windows authentication...if you're running into problems, send a note to support at newsgator.com and someone can help you out.
Mike Tsao - October 6, 2004 3:45 pm
Steven,
This page is a wonderful resource, but I'd like to make a suggestion. At least one aggregator, FeedReader, appears to ignore the https:// specification and instead tries to fetch the given resource using http://. Because your HTTPS links also serve identical content when fetched with HTTP (such as http://secure3.silverorange.com/rsstest/httpauth/rss_with_ssl_and_auth.xml -- note that I changed the https to http), one will erroneously conclude that FeedReader supports SSL, which as far as I can tell it doesn't.
It may take a few server setting twiddlings to adjust this, but I recommend that you change your https links to *require* SSL, and serve 404s or obviously erroneous content if requests are received for them over HTTP.
Thanks again!
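One way to apply the suggestion above on the server side, as an added example that is not the site's actual configuration: a minimal WSGI app that answers 404 to any plain-HTTP request before it checks credentials. `private_feed_app` and `fetch` are hypothetical names, the feed body is a constructed sample, and the requests are built in-process so the example runs offline.

```python
import base64
import hmac

# The page's published test credentials; the feed body is a constructed sample.
EXPECTED_TOKEN = base64.b64encode(b"testuser:testpass")
FEED_BODY = b'<?xml version="1.0"?><rss version="2.0"><channel/></rss>'


def private_feed_app(environ, start_response):
    """WSGI app for a feed that must be fetched over SSL with HTTP Basic auth."""
    # Refuse plain HTTP first, with a 404, so a reader that silently rewrites
    # https:// to http:// fails the test instead of appearing to support SSL.
    # Assumption: behind a TLS-terminating proxy, wsgi.url_scheme is set from
    # a header that only the proxy can supply.
    if environ.get("wsgi.url_scheme") != "https":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"This feed is only available over HTTPS.\n"]

    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    # compare_digest does a constant-time comparison of the credential token.
    authorized = scheme.lower() == "basic" and hmac.compare_digest(
        token.strip().encode(), EXPECTED_TOKEN)
    if not authorized:
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="rsstest"'),
            ("Content-Type", "text/plain")])
        return [b"Authentication required.\n"]

    start_response("200 OK", [("Content-Type", "application/rss+xml")])
    return [FEED_BODY]


def fetch(scheme, authorization=None):
    """Call the app in-process with a constructed request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
               "PATH_INFO": "/rsstest/httpauth/rss_with_ssl_and_auth.xml"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = int(status.split()[0]), dict(headers)

    body = b"".join(private_feed_app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    good = "Basic dGVzdHVzZXI6dGVzdHBhc3M="
    for scheme, auth in [("http", good), ("https", None), ("https", good)]:
        print(scheme, "credentials" if auth else "no credentials", "->", fetch(scheme, auth)[0])
```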
remosito - November 5, 2004 6:03 pm
RssReader supports authentication, but not https
leo - November 16, 2004 11:07 pm
Any reason a plain http post (as opposed to get) param over ssl could not be used?
Rajendra P - December 10, 2004 3:00 am
Hello,
I am new to RSS feed technology. This page is a wonderful resource for all of us. You provide the link for "RSS with SSL, but not HTTP Auth". I also want to do the same in my feed. What steps did you follow to make the RSS feed link work properly? When I try to add the https URL in FeedDemon I get the error message - "The newfeed url could not be auto-discovered. This site may not have a newsfeed, or it may not support auto-discovery of its newfeed."
Mud's Tests - January 22, 2005 3:06 am
Hi,
Your tool is of interest as a screening device to limit spam. Your security system could be applied to comment-feeds: A blog-feed might be public, but the comment-feed could be by subscription-selection.
There's an anti-spam conference that you may be interested in: spamsummit (http://technorati.com/tag/spamsummit). More discussion. Good luck with your projects.
TorstenR - March 13, 2005 10:17 am
Hello! Does anyone use these links for tests? None of them seems to work properly anymore.
I get these errors:
1. No SSL, but HTTP auth: invalid credentials, auth. required
2. SSL, but no HTTP Auth: HTTP 404: not found
3. SSL and HTTP Auth: HTTP 404: not found
Can you fix it, please?
nathan - March 13, 2005 12:27 pm
TorstenR, the test feeds are working again. I was not aware they were still being used. We'll leave them there indefinitely since they appear to be a useful resource.
TorstenR - March 13, 2005 1:40 pm
Hey cool! Yes it is a very useful resource and now it works again, thanks! It really helps to track down security/auth. issues sometimes reported by our aggregator user.
Mike Capuano - March 30, 2005 12:33 am
I am a newbie to RSS and PodCasting and am fairly HTML/XML/RSS illiterate. So I'm wondering if someone can explain what the user experience is for accessing a secure RSS feed behind a corporate firewall via an aggregator (text) or via something like iPodder. How exactly do I set up the username and password in the aggregator or in iPodder?
doug - May 10, 2005 10:35 pm
We started using RSS a few months ago (11/2004) and it's already changed how we do business. We stopped sending weekly newsletters to our business partners, and instead tell them to check our RSS feeds if they want updates.
Great article: A Primer for Publishers & Content Providers
http://www.eevl.ac.uk/rss_primer/
And yes, our RSS feeds are password protected. The information isn't super sensitive, but when you know exactly who the user is, you can do some interesting things. For example, you have a news feed and the customer is in your "international region". You can tailor the RSS contents just for that user.
Our feeds are all XML-based views from Lotus Domino. User authentication, XML views, "reader" security... it's all baked-in... and this made it incredibly simple to make user specific content for RSS.
pdflover - June 30, 2005 7:04 pm
ppl,
I tried all the given RSS links with various security configurations within Acrobat 7 professional. And they all work like a charm!
Custom Reader - July 5, 2005 9:33 am
www.customreader.com
A brandable "secure" rss aggregator with enclosure support with full online statistical control.
Will - July 5, 2005 9:28 pm
Anyone use RSS authentication for personalizing content? Doing some research for work related implementation. . .
ll - July 9, 2005 1:36 am
pdflover, how did you use Acrobat 7 Pro for RSS ?
paolo - July 21, 2005 1:54 am
my group is doing a thesis about RSS Security.. we are trying to filter rss feeds from possible unwanted contents such as spywares.. is this possible? tnx
Joelle - August 19, 2005 7:27 pm
I am curious if anyone has found an RSS aggregator that supports encryption/decryption beyond SSL.
Kamal Ramesh - September 2, 2005 4:15 pm
Hi,
I am testing the 4 test links with readers installed on my PC. They work.
But when I try to test the HTTP authentication test links with online readers like myyahoo, bloglines, newsgator online, they don't work. Some show the feeds but don't ask for username and pwd. Others throw "No feed found". Can anybody tell me the reason for this?
Thanks
Bull - November 22, 2005 1:48 pm
RSS Xpress supports also both SSL and HTTPauth.
Official website: http://www.rssxpress.net
And thank you Steven for this very interesting web page!
Andrzej Pruszynski - November 25, 2005 5:46 am
Does RSS Xpress intend to support HTTPS, please? I tested it today and it fails to connect to our secure servers.
SF Parrott - December 3, 2005 6:59 pm
I just tested with RSSReader. I am a newbie - so am testing RSS readers for clients. My results,
Worked fine for both :
Plain RSS
RSS with HTTP Auth, but no SSL
But with either one with the SSL - it gives an error : Wrong Feed URL
Nalaka Withanage - February 10, 2006 8:23 pm
I'm looking for an RSS desktop aggregator with HTTP Digest Authentication support.
any ideas?
ayan basu - March 8, 2006 9:08 am
Hello ALL, ya this page is invaluably a good informative one..i am also new in RSS .I have a simple question about RSS client authentication..
See, when a client is a BROWSER, it can send BASIC/DIGEST authentication...
But i am wondering how does a RSS READER get authenticated ? coz ITS NOT A BROWSER..right ?
so when we click from any RSS client, to a protected RSS page,it asks for a uname/password. and the RSS server keeps this info as a CACHE...So next time the RSS client(NOTE:NOT A BROWSER) it doesn't ask him for username/password.
HOW THIS IS HAPPENING..I AM REALLY CAN UNDERSTAND....
COZ,every time the RSS client has to pass some token or any god damn thing(cookie,authentication header,session id) to the RSS server..But it cant do so,coz IT IS NOT A BROWSER...
Then how it works ?
David Knight - April 22, 2006 4:32 am
I clone people's feeds to my site so that I can display ads with them. I'd like to display some feeds that require authentication. Can you please explain how to do this?
op - April 29, 2006 3:04 pm
You clone people's feeds to your site to display ads with them???
It's called scraping and is theft!
Svilen - May 9, 2006 10:13 am
I am new to RSS so I apologize if I am missing something really simple.
I am trying to use the test RSS with HTTP auth/no SSL and the username/password do not seem to work. I have even tried testing the URL at http://feedvalidator.org/ and it still fails. I enter the URL in the form HTTP://username:password@domain.name/rest/of/path.xml
What am I missing?
Svilen - May 9, 2006 10:24 am
Never mind. After further digging it seems that none of the RSS clients I had tried so far supports HTTP auth passed in the URL. All four links work.
Thanks for keeping this valuable resource online!
wesley - May 20, 2006 12:04 pm
What's wrong with building your own authentication string:
base64_encode($user_id . sha1($password . 'randomstring'));
add this to the end of the .rss?auth=...
TesserId - August 8, 2006 8:44 am
Include Thunderbird along with the browsers. Including these in your test list would inspire.
I tend to treat news like email. This comes from subscribing to list serves. So, I prefer to get my RSS and Atom in Thunderbird. I already have one feed that I would like to see secured, and this seems to be an area where some development would be nice.
Thanks muchly
Strathmore - October 2, 2006 8:56 am
I clone people's feeds to my site so that I can display ads with them. I'd like to display some feeds that require authentication. Can you please explain how to do this?
Brian - June 13, 2007 12:08 pm
LOLing at "authentification".
Great article though, thanks.
Brian Wessberg - July 23, 2007 1:51 am
Thx for taking up this subject. Far too many readers do not support Secure RSS. It will open the market for so many new services.
/B.
Klamanda - September 22, 2007 5:21 am
Akregator (Linux) supports both: HTTPS/SSL and HTTP Auth
Hassan Ali - September 23, 2007 2:04 pm
Please Guide me.... Is there a way to protect RSS feed and prompt registered users of my site to enter their credentials rather than having one single user / pass (as in the case of HTTP Auth).
thanks in advance. please reply at the earliest....
Mark Smith - January 7, 2008 7:37 am
It appears that SharpReader 0.9.7.0 now supports both methods.
Marquies - February 8, 2008 7:56 am
NetNewsWire >3.0 supports both without URL coding. If you click your feed right -> show Info you can set credentials in "Username & Password" section.
Danielle Zhu - August 1, 2008 11:35 am
I really appreciate the test feeds you provided.