In a recent blog post, Greg explains the basic elements needed to secure RSS feeds:
"When most folks are talking about security with RSS, they tend to mean three things (or any combination of these): authentication, authorization, and encryption. Let's take these topics one at a time."
Like Greg, I've been puzzled when people talk about the need to add security features to RSS. Those features are already there, and in use by services like Spanning Salesforce. RSS, in fact, has sufficient security features to support online banking, ecommerce, and extranet applications today. It's the aggregators that need some work.
The user interface for subscribing to secure feeds leaves a lot to be desired—in every aggregator. When a user accesses a secure feed, he's presented with a sparse dialog box requesting a username and password without even so much as a link to click if he's forgotten his password. And that's if he's using one of the more advanced desktop aggregators like FeedDemon, NetNewsWire, or NewsGator Outlook Edition. The experience is even more byzantine if he's using a server-based aggregator.
Secure RSS is only now beginning to be widely used, so there's still time to make improvements in the way it works. I call on the aggregator makers—hosted, desktop, and enterprise—to work together to create a standard for more user-friendly RSS security. And until a standard is established, there exists a fantastic opportunity for forward-looking aggregator makers to differentiate themselves with really simple security.
Security of “http:” protocol communications is separate from the content it transports, be it HTML or RSS or some other XML data. Don’t look for anything specific to RSS in http: protocol.