Between the Lines

Will phishing spoofees like eBay and banks get hip to RSS for the end run?

By David Berlind | January 25, 2005, 6:02am PST


In preparation for an audiocast interview that I’ll be doing with the Anti-Phishing Working Group’s chairman David Jevans, we discussed one of the oft-ignored downsides to phishing and how RSS could be the solution.

Here’s the gist. Because of how bad phishing has gotten, users won’t open any e-mail that purports to come from one of the financial institutions or e-commerce sites with which they do business. If, for example, one of the most common spoofees — eBay — had to send an urgent correspondence regarding a potential security problem to buyers or sellers that use its site, almost every one of them would suspect they’re being phished and would delete the e-mail without ever opening it. Phishing has killed e-mail as an effective tool for commerce-enabled sites to engage in sensitive, confidential communications. So, I asked Jevans why the Really Simple Syndication protocol (RSS) couldn’t be used as an end-run around the e-mail infrastructures to keep customers in touch with these various institutions. For example, eBay’s site could have prominent signage that it’s setting up an RSS channel for such communications and then link to instructions for how to access that channel with an RSS aggregator.

When I suggested this to Jevans, he said that it might work well for one-to-many communications (one RSS channel, many subscribers to it), but asked the obvious question of how this would solve the one-to-one problem. For example, what if eBay had to contact only some of its customers? My answer: Why not have a separate feed for every customer? This is the same thinking that went into another idea I had — overnight shippers setting up separate RSS feeds for every package they handle. This way, I can subscribe to packages I’m sending or receiving, and my RSS aggregator (Newsgator, etc.) alerts me to changes in each package’s status. To keep a lid on the number of RSS feeds a shipper must run, the RSS feed for each package would expire a few days after the package arrives.

Use of RSS in such a one-to-one fashion does raise other questions, however. For example, can existing RSS-enabled systems reasonably scale to this level of service, and what would it mean for networks including the Internet? Also, what happens if malware finds its way onto users’ systems? Could it, unbeknownst to the user, change the settings of an RSS subscription to poll a malicious feed — and what can be done (such as securing the RSS client) to prevent that from happening? Finally, could widespread use of this approach be the backdoor towards flipping all existing e-mail solutions on their ear, turning them from SMTP-based store-and-forward systems to RSS-based alert-poll-and-retrieve systems (alert my mail server of an RSS feed that has something for me, poll that feed, and retrieve the message)? Running e-mail this way would make it very difficult for spammers to cover their tracks.
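To make the per-customer feed concrete, here is an added example (my own sketch, not code from this post, from eBay, or from any shipper) of how a site could issue and serve one feed per customer: each feed lives at an unguessable random URL, the server keeps only a hash of that token, the feed expires a few days after its last notice as the package-tracking idea suggests, and the items carry no account details, only a pointer back to the site's own login page. The host names, the in-memory registry and the three-day lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from email.utils import formatdate

# Constructed in-memory registry for this example only; a real site would use a database.
FEEDS = {}         # sha256(token) -> {"expires": unix time, "items": [...]}
BY_CUSTOMER = {}   # customer id -> sha256(token)
TTL_SECONDS = 3 * 24 * 3600                  # feed dies a few days after its last notice
BASE_URL = "https://example.invalid/feeds/"  # placeholder host, not a real service
LOGIN_URL = "https://example.invalid/login"  # every notice links here, never to a per-user URL

def _hash(token):
    # Only the hash of the capability token is stored, so a leaked registry does not leak feed URLs.
    return hashlib.sha256(token.encode()).hexdigest()

def create_feed(customer_id, now):
    """Issue a 256-bit random token for one customer and return the feed URL to show them once."""
    token = secrets.token_urlsafe(32)
    FEEDS[_hash(token)] = {"expires": now + TTL_SECONDS, "items": []}
    BY_CUSTOMER[customer_id] = _hash(token)
    return BASE_URL + token

def publish(customer_id, title, now):
    """Append a notice to the customer's feed and push its expiry out again; returns item count."""
    rec = FEEDS[BY_CUSTOMER[customer_id]]
    rec["items"].append({"id": secrets.token_hex(8), "title": title, "ts": now})
    rec["expires"] = now + TTL_SECONDS
    return len(rec["items"])

def serve_feed(token, now):
    """Return (status, body). Unknown and expired tokens get the same 404 so nothing is confirmed."""
    rec = FEEDS.get(_hash(token))
    if rec is None or now > rec["expires"]:
        return 404, ""
    rss = ET.Element("rss", version="2.0")
    ch = ET.SubElement(rss, "channel")
    ET.SubElement(ch, "title").text = "Account notices"
    ET.SubElement(ch, "link").text = LOGIN_URL
    ET.SubElement(ch, "description").text = "Notices for one subscriber; log in to read details"
    for it in rec["items"]:
        item = ET.SubElement(ch, "item")
        ET.SubElement(item, "title").text = it["title"]
        ET.SubElement(item, "link").text = LOGIN_URL   # no customer identifier in the feed body
        ET.SubElement(item, "guid", isPermaLink="false").text = it["id"]
        ET.SubElement(item, "pubDate").text = formatdate(it["ts"])
    return 200, ET.tostring(rss, encoding="unicode")
```

Because the token is the only thing that selects a feed, it must be served over HTTPS and treated like a password; rotating it is just a matter of calling create_feed again for that customer.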

Am I nuts? Let me know in our TalkBack section.


David Berlind

Biography
David Berlind, formerly the executive editor of ZDNet, holds a BBA in Computer Information Systems. Prior to becoming a tech journalist in 1991, David was an IT manager that was responsible for the design and deployment of custom developed software, local and wide area networks, PC-Mainframe connectivity, corporate technology standard-setting and end-user training programs. Since then, David has served as the Director of PC Week Labs (now eWeek), editor-in-chief at Windows Sources, editorial director at Computer Shopper and general manager at Ziff-Davis.

Talkback (most recent of 10)

  • Now you get the idea
    David- No, you are not nuts. You have the right idea, but are looking at the wrong tool.

    You and I had this conversation over a year ago when I discussed private email networks with you via the public "@" email system. What you describe here is exactly the idea we discussed, but you are trying to use the RSS infrastructure to handle the traffic - a task that RSS is not built to handle.

    We have built the first of many private email networks that can scale, handle the traffic and provide interactive electronic communications between an organization and people. In fact, eBay's own private email service they just launched is the same idea, but their system needs to interoperate with the other private networks like the ones we have built. That's the future of electronic messaging.

    If you would like to revisit this idea again, I would be glad to chat about our successes and failures over the past year and how we are creating what Esther Dyson calls "Meta-Mail" applications within this communication infrastructure. Businesses that are integrating their voice and data applications are the best example of where we are providing tremendous value with a private email network.
    Paul C.
    01/25/2005 08:17 AM
  • No thanks, I'll take an RSS client
    I'd rather figure out how to make RSS do the trick. I don't want a private email system to check the status of my FedEx packages or to receive private communications from eBay. The last thing I want is more client software. Keep it simple. With RSS, I can use my "rich" aggregator on my system (any system: Win/Linux/Mac/PDA/phone, etc.) to check all my subscriptions, or my thin aggregator on the Web when I'm at a public terminal. I want less complexity and fewer proprietary systems. Not more.
    dberlind
    01/25/2005 09:03 AM
  • You are confusing private with proprietary
    Private does not equal proprietary. RSS is an infant compared to what a fully-networked system can do for you. You would be able to check your status via phone, web browser, custom app you build - whatever.

    And this is not client software. In fact, it is all Web-based so that you can use any device that uses the HTTP protocol.

    RSS was meant for a very specific purpose and should not be bastardized (like SMTP has) to go beyond its use. Instead, new systems that utilize an already-existing protocol like HTTP make it much simpler.
    Paul C.
    01/25/2005 01:16 PM
  • Immediate Notification with XMPP
    Why keep polling a feed when you can be informed as soon as the information is available? One popular approach is to send the data over the Extensible Messaging and Presence Protocol (XMPP, aka Jabber), as is done by providers such as PubSub.com. There's even an Internet-Draft showing how to do it with Atom data (to which the various RSS flavors can be translated using simple XSLT): http://www.ietf.org/internet-drafts/draft-saintandre-atompub-notify-02.txt
    stpeter
    01/25/2005 10:57 AM
  • We've implemented one-to-one RSS - it works fine
    We provide collaborative tools to working groups and committees in standards organizations. We used to rely on email notification whenever a new document was added to a repository, a ballot opened, an action item was assigned, etc. However, for the reasons you cited along with the tendency for email to be lost in the noise or filtered by corporate spam filters, we added personalized RSS feeds to the mix.

    Members can subscribe to a "My RSS" feed that aggregates all of the notifications from all of the committees to which they belong or subscribe to separate feeds from each committee. The feeds require authentication.

    We're very happy, as are our customers, with the subscribe and poll approach as an alternative to email notification.

    Based upon our experience, I expect to see secure, one-to-one RSS feeds become a common alternative to email notification.

    David White
    Kavi Corporation
    dlwhite46
    01/25/2005 10:59 AM
  • Will not scale
    RSS was not built for one-to-one communications. And even when you try to use it that way, it will be impossible to scale.

    Plus, it offers no way for the person to communicate back with the sender - a key part of "communication" that email does very well.
    Paul C.
    01/25/2005 01:45 PM
  • Netflix does personal RSS feeds already
    You can get an RSS feed from a variety of sources on Netflix, including public (upcoming releases) and personal (your movie queue). There is no security on the personal queue feed (anyone can use the same URL) but there is no personally identifiable data in it anyway. Doesn't prove that you can do it securely, but it does prove you can scale.
    jcassella
    01/26/2005 07:01 AM
  • RSS feeds and privacy
    David, I know of one application where there are potentially hundreds of thousands of users with personal RSS feeds. It is up and running, and you'll never guess who's behind it. Microsoft's Bungie division offers gamers a personal RSS feed of their stats from recent games played in Halo 2 on XBox Live. Of course this feed is public, if you know the correct URL. Many gamers want to share the information for bragging rights, so privacy is not a concern. No personal information is included in the feed.

    In a phishing situation, the communication is one-way from the company to the customer, and privacy is not always required. Email itself is not private. What the e-commerce site wants their users to do is to be able to receive a message asking them to log in and update their account information. Handling this with a customized RSS feed is elementary. And the phishers can't control the feed unless they hack the RSS server. The e-commerce site simply has to ask all their users to subscribe to an RSS feed to receive communication from the company. Most emails from e-commerce sites requesting this right now are from unmonitored email addresses (i.e. no responses will be read), so switching to RSS would not impact the communication channels. So the first thing a user has to do when they sign up with the company is to subscribe to their own RSS feed with the RSS reader of their choice. Then the company would send a Response Requested message over the feed (perhaps containing a link or some other code) to return to the company. At this point, the e-commerce site knows that the customer can receive messages, and the customer knows they can receive them. If the RSS URLs are complex enough, no one can guess them, so the illusion of privacy is the same as when reading email.

    So I think that everything you're suggesting is possible, David. It just takes the right people with the right technology to do it.
    brilang
    01/26/2005 10:45 AM
  • A polling nightmare
    The only way the customer knows if anything exists is to have their RSS aggregator software continuously poll the feed for updates.

    So instead of a user polling their own email server (their expense) to get their notes, they now have to poll 100 different points to get their updates? Not very efficient and I cannot believe that many organizations will want to take on that type of load.

    And moving to a central site that aggregates feeds once, then moves them to a client is not going to solve the "audience of one" issue, since the central aggregating service will still have to poll numerous times to get every client's update. Unless the RSS standard is modified to deliver a packet full of items for many clients, but now RSS is being bastardized like SMTP has to use MIME to do things that SMTP was not meant to do.

    Interesting thoughts....
    Paul C.
    01/26/2005 11:12 AM
  • What about Education?
    Secure one-to-one RSS is an excellent way for faculty to manage on-line and/or distance learning. It could be combined with one-to-many feeds to create communications channels that would be secure and free of phishing and spam.

    ~Steve Sloan, IT Consultant, San Jose State University
    Steve Sloan
    01/31/2005 09:40 AM
