We’ve been experimenting with security options for RSS feeds for our intranet product. However, we found that there weren’t many resources or guidelines for how encryption or authentication should be handled (either in feeds or in readers/aggregators).
Private RSS Feeds: Support for security in aggregators
I did some testing and came up with the following results for HTTPS/SSL encryption and HTTP Authentication in various RSS readers:
| Reader | HTTPS/SSL | HTTP Authentication |
|---|---|---|
| NetNewsWire | Yes | Yes (through URL) |
| FeedDemon | Yes | Yes (through URL) |
| Radio Userland | Yes | Yes (through URL) |
HTTP authentication alone isn’t sufficient to create true private feeds, as the password is sent as clear text. However, when HTTP authentication is combined with SSL, it becomes a usable security mechanism.
After posting my results in Yahoo Groups: Aggregators, I got several helpful responses from the developers of RSS readers. The consensus seemed to be that there were two problems. First, that not enough people use private RSS feeds to make it worth worrying about. And second, that there are no good resources for testing.
In response to the first problem, that not many people use private RSS feeds, I have two counter-points. By the very nature of private RSS feeds, it is difficult to know how many there are - people don’t advertise them. More importantly, there is a catch-22 here. People won’t produce private RSS feeds until they know the RSS readers support the security features.
As for the second problem, that there are not good testing resources, following my post in the Aggregators group, Danny Ayers has taken to expanding the testing results and created a permanent page dedicated to reporting Aggregator features like these.
For the sake of the developers, we’ve created four RSS feeds for testing purposes:
| Feed | SSL | HTTP Auth |
|---|---|---|
| Plain old RSS (no authentication or SSL) | no | no |
| RSS with SSL, but not HTTP Auth | yes | no |
| RSS with HTTP Auth, but no SSL | no | yes |
| RSS with both SSL and HTTP Auth | yes | yes |

The username/password for the HTTP auth-protected feeds is: testuser/testpass
In the end, we found that there was enough support to proceed with feeds protected with both SSL and HTTP authentication. That said, many of the RSS readers only supported HTTP authentication by putting the username/password in the URL. Ideally there would be a more secure method for storing the password. Note to the makers of NewzCrawler: please support SSL, or I’ll have to use another reader, and I like yours.
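
As an added illustration of two points from this post (HTTP auth credentials are readable without SSL, and many readers take them from the subscription URL), here is a Python sketch that is not from the original post or from any reader's code. The host `feeds.example.test` and the function names are assumptions, and it assumes the Basic scheme of HTTP authentication; only the testuser/testpass pair comes from the post.

```python
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def basic_auth_header(username, password):
    """Build the Authorization value a reader sends for HTTP Basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value):
    """Recover (username, password) from a captured header; no key is needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def prepare_feed_request(feed_url):
    """Split credentials out of a subscription URL (hypothetical helper).

    Returns (clean_url, headers). Raises ValueError when credentials would
    travel over plain HTTP, where the header above is readable on the wire.
    """
    parts = urlsplit(feed_url)
    headers = {}
    if parts.username is not None:
        if parts.scheme != "https":
            raise ValueError("refusing to send Basic credentials without SSL")
        headers["Authorization"] = basic_auth_header(
            unquote(parts.username), unquote(parts.password or ""))
    # Rebuild the URL without the userinfo part so it can be logged or shown.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, headers


if __name__ == "__main__":
    # Constructed sample URL; only testuser/testpass comes from the post.
    url, hdrs = prepare_feed_request(
        "https://testuser:testpass@feeds.example.test/private.xml")
    print(url, hdrs)
    print(decode_basic_auth(hdrs["Authorization"]))
```

A reader that stores the cleaned URL and keeps the password in the platform's credential store avoids leaving the secret in subscription lists, OPML exports and logs.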