Five days ago I proposed my article: Secure Web Feed Protocol, to the PST05 conference. Two days after I came around 15 things you can do with RSS. Two of these applications got my attention:

1. Collect your email from all your email accounts in your RSS reader
   Stay updated on someone’s schedule
2. I thought: these ideas are wonderful! What about the security of these services? Could they use SWFP? There is what I found.

1. Google is supposed to have tested a RSS feed service for Gmail in their GoogleLabs in 2004. I can not confirm if the service is always available because I do not have any Gmail accounts and I can not sing-in for one. This service put new incoming messages of a Gmail account into a RSS feed. Then if you subscribe to that feed you will see your new Gmail messages directly into your web feed reader. What an excellent idea! However, I was surprised to found that they used SSL to create a secure channel between the feed and the feed reader.

In the section 5 of the SWFP article I explained why I think that using SSL to secure a web feed is not the good strategy to adopt. It is for this reason that I was surprised to discover that they tried to use SSL to secure the inbox web feeds. JC suspected that they did not create it for this purpose but for another application called Google Notifier. I think he is right.

I do not know what was the real purpose of this test but the result is the same: the idea of using RSS feeds to check your mail is interesting. However, using SSL does not seem to be the good strategy to adopt. Not all stand alone feed readers support SSL. If you do not wish to enter the login and password of the private feed each time you want to check for new messages, you will need to do something like that:

https://USERNAME:[email protected]/gmail/feed/atom

This solution is even worse than not encrypting the web feed at all. With this string an intruder could sing-in into your account then check, delete or send messages with your Gmail account. It is far worse than only having access to the unencrypted inbox content.

This is a beautiful idea that could be handled by the Secure Web Feed Protocol. Now check out the second application of RSS feed that could use SWFP.

2. This time we are sharing our calendar with our friends and family using a service called RSS Calendar. When you add something to it all your friends and family will have access to your calendar’s changes. Is that not beautiful? Yeah it is. What about the security of this other service?

You could wish that the planet know that you are going to Mont Washington the 20 Mai 2005. But what if you only wish that your friends and family know it? There is no privacy feature in the service for the moment.

I think that the implementation of the Secure Web Feed Protocol could be really interesting in this case too. Only the people you choose would be able to read your calendar. I like the idea.

You are now thinking: how could the implementation of SWFP could be done in such services? The only thing that will change with what I discussed in the article is the way you will distribute the asymmetric keys

Technoratie: [swfp] [secure] [web] [feed] [gmail] [rsscalendar] [rss]

This legitimate question has been asked by Daniel Lemire after his reading of the SWF protocol. There is my answer to his question. I added it as the section 7 of my SWFP paper.

The question is hard to answer because it depends on many factors. I’ll compare the two methods together and try to show you the differences between the two protocols.

Usually SSL is used to authenticate the server to the client and, optionally, the client to the server. With the cost of authentication certificates (about 100£ each), the normal clients can’t afford these authentication certificates. It’s why SSL is mainly used to authenticate servers.

Our goal is especially to authenticate the readers to the server. It’s a reason why using SSL as a secure channel and an authentication protocol is not so useful: because the implementation cost is too high; like the revised version of SWFP at section 5.

This is the big difference between SWFP and SSL: their goals.

A solution could be to use HTTP over SSL (HTTPS) with HTTP Authentication. HTTPS would provide the secure channel and HTTP Authentication would provide the authentication mechanism. The problem with this solution is that some feed readers only implement HTTPS, others HTTP Authentication and few implement both. Another problem with this solution is that who says HTTP Authentication also says login and password. In SWFP the authentication is inherent to the system. It’s made with the public key of the legitimate reader present in the secure database of the server. The authentication steps of the reader to the server are transparent to him. I think that this transparency feature is an important one because it simplify the process and brings non-expert users to use it. Only the simpler things, in appearance of, are widely used.

Two types of feed readers are available: the web applications like Bloglines or the standalone software like Omea Reader. Both principles, HTTPS with HTTP Authentication and SWFP, could be implemented in standalone software and the implementation time, cost and difficulty are probably comparables. However, I think that SWFP would be much more easer to implement in web applications. Why? To use HTTPS with HTTP, the web applications would need to create the secure channel themselves with the feed’s server. By example, Bloglines itself would need to create the secure channel with each private feed server. I don’t think that it’s imaginable. However, with SWFP nothing like that would be necessary because the encrypted feed is viewable by anyone who needs it, even web applications. If I check the FeedBurner stats of my blog: 30% of my readers use Bloglines. I think that it’s considerable and that we need to take this fact in count.

Another problem with the HTTP Authentication solution is that it’s not an optimal solution to our problem. If a user is subscribed to many private feeds then he’ll need to enter, each time, a login and password to check the feeds. Personally I don’t think that this is viable. Think about the pain such a situation would engender… nobody would subscribe to such feeds.

Finally one of the beauties of web feeds is that you can archive them for future readings. The problem with the HTTPS solution is that you didn’t really have the choice to archive the encrypted or the unencrypted content. But such a choice is possible with SWFP.

Technoratie: [swfp] [https] [authentication] [security] [feed]

The last weekend an idea passed through my mind: “It seems that more companies are using content syndication technologies to broadcast their news or information to their employees”. Then I started to write a protocol to take this fact in count. It’s called: SWFP, Secure Web Feed Protocol.

“SWF is a protocol to ensure the secure broadcasting of web feeds’ content over a local network or the Internet. The protocol ensures the encryption of the feeds and the distribution of their encryption symmetric keys.”

It was supposed to be the draft of an idea, something to post here. Finally it revealed to be an article of 12 pages. I worked on it this week and came with this first draft:

View: SWFP: Secure Web Feed Protocol [PDF file]

If you have any question about this paper, don’t hesitate to contact me. If you find flaws in the protocol or modifications to suggest send them to me, they’ll be warmly welcome. I also invite you to leave your comments about this paper here, on this post.

Technoratie: [feed] [security] [protocol] [encryption]