[funsec] Blog Questions

Fergie fergdawg at netzero.net
Thu Oct 26 16:24:18 CDT 2006


RSS is (unfortunately) only currently designed for convenience,
not security.

Yes -- I know -- it will come back to bite us collectively. I've
been saying this for a while.

JP: There are several existing "flavors" of RSS, including ATOM,
RSS 0.9x and 1.0 (partial article), and RSS 2.0 (full article).

Blogger, for example, offers on ATOM or RSS 2.0.

Believe it or not, I would suggest starting with the RSS Wikipedia
entry, follow the links, and read the spec for each.

 http://en.wikipedia.org/wiki/RSS_%28file_format%29

Cheers,

- ferg


-- "Dude VanWinkle" <dudevanwinkle at gmail.com> wrote:
Greet'ins fellow Funsec'ers,

I recently signed up for my first blog, and as you all may have
guessed its posts are lengthy, opinionated, and meandering.

I was talking to Ryan about setting up an RSS feed, and while I don't
know whether it will be XML or HTML, I do know that I would like a way
to let my subscribers know that the items they receive are 1) from me
and 2) secure. I know there are many bloggers on this list so I
thought I would try and pick your brains on blog server side initiated
security.

1: Is there any way to put a cert on the feed and sign all posts
published to the readers? It would be cool if I could push out the
public key when people first subscribed and then encrypt the content
when posting; having the RSS Client decrypt and verify the source with
one swail foop.

2: Is there any way to send plain text RSS feeds? This would lessen the
attack vectors to subscribers just in case I got drunk and decided it
would be funny to push out a thunderbird or outlook express exploit on
the post.

Anyways, I am in the middle of Ms Dewey'ing for answers but I thought
this also might make an interesting thread, so dammit, I am hitting
the send button and there is nothing any of you punks can do to stop
me!!

-JP<who is feeling a little too empowered by his blog>


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
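
On question 2 in the quoted message: Atom, one of the flavors listed above, lets a publisher mark an entry's content as type="text", which tells readers to display it literally rather than interpret it as markup. The following is an added example, not part of the original thread: a publisher-side generator that reduces each post to plain text before it enters the feed. The function names, URLs and feed values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM = "http://www.w3.org/2005/Atom"
ET.register_namespace("", ATOM)

class _TextOnly(HTMLParser):
    """Keeps text nodes only; drops tags, attributes, script/style bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ("p", "br", "div", "li"):
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)

def to_plain_text(html_body):
    parser = _TextOnly()
    parser.feed(html_body)
    parser.close()
    lines = (" ".join(ln.split()) for ln in "".join(parser.parts).splitlines())
    return "\n".join(ln for ln in lines if ln)

def build_feed(title, feed_id, author, updated, posts):
    """posts: iterable of (title, url, html_body); returns Atom XML as str."""
    feed = ET.Element(f"{{{ATOM}}}feed")
    for tag, text in (("title", title), ("id", feed_id), ("updated", updated)):
        ET.SubElement(feed, f"{{{ATOM}}}{tag}").text = text
    who = ET.SubElement(feed, f"{{{ATOM}}}author")
    ET.SubElement(who, f"{{{ATOM}}}name").text = author
    for ptitle, url, body in posts:
        entry = ET.SubElement(feed, f"{{{ATOM}}}entry")
        ET.SubElement(entry, f"{{{ATOM}}}title").text = to_plain_text(ptitle)
        ET.SubElement(entry, f"{{{ATOM}}}id").text = url
        ET.SubElement(entry, f"{{{ATOM}}}updated").text = updated
        ET.SubElement(entry, f"{{{ATOM}}}link", href=url)
        # type="text": the reader must display this literally, not as markup
        ET.SubElement(entry, f"{{{ATOM}}}content", type="text").text = to_plain_text(body)
    return ET.tostring(feed, encoding="unicode")
```

A reader that ignores the type attribute can still misrender the text, so this narrows what the publisher can push out but does not replace sanitizing on the client.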



