Will phishing spoofees like eBay and banks get hip to RSS for the end run?

Summary: In preparation for an audiocast interview that I'll be doing with the Anti-Phishing Working Group's chairman David Jevans, we discussed one of the oft-ignored downsides to phishing and how RSS could be the solution. Here's the gist.

Here's the gist. Because of how bad phishing has gotten,

Topic: Malware

  • Now you get the idea

    David- No, you are not nuts. You have the right idea, but are looking at the wrong tool.

    You and I had this conversation over a year ago when I discussed private email networks with you via the public "@" email system. What you describe here is exactly the idea we discussed, but you are trying to use the RSS infrastructure to handle the traffic - a task that RSS is not built to handle.

    We have built the first of many private email networks that can scale, handle the traffic and provide interactive electronic communications between an organization and people. In fact, eBay's own private email service they just launched is the same idea, but their system needs to interoperate with the other private networks like the ones we have built. That's the future of electronic messaging.

    If you would like to revisit this idea again, I would be glad to chat about our successes and failures over the past year and how we are creating what Esther Dyson calls "Meta-Mail" applications within this communication infrastructure. Businesses that are integrating their voice and data applications are the best example of where we are providing tremendous value with a private email network.
    Paul C.
    • No thanks, I'll take an RSS client

      I'd rather figure out how to make RSS do the trick. I don't want a private email system to check the status of my FedEx packages or to receive private communications from eBay. The last thing I want is more client software. Keep it simple. With RSS, I can use my "rich" aggregator on my system (any system: Win/Linux/Mac/PDA/phone, etc.) to check all my subscriptions, or my thin aggregator on the Web when I'm at a public terminal. I want less complexity and fewer proprietary systems. Not more.
      • You are confusing private with proprietary

        Private does not equal proprietary. RSS is an infant compared to what a fully-networked system can do for you. You would be able to check your status via phone, web browser, custom app you build - whatever.

        And this is not client software. In fact, it is all Web-based so that you can use any device that uses the HTTP protocol.

        RSS was meant for a very specific purpose and should not be bastardized (like SMTP has) to go beyond its use. Instead, new systems that utilize an already-existing protocol like HTTP make it much simpler.
        Paul C.
  • Immediate Notification with XMPP

    Why keep polling a feed when you can be informed as soon as the information is available? One popular approach is to send the data over the Extensible Messaging and Presence Protocol (XMPP, aka Jabber), as is done by providers such as PubSub.com. There's even an Internet-Draft showing how to do it with Atom data (to which the various RSS flavors can be translated using simple XSLT): http://www.ietf.org/internet-drafts/draft-saintandre-atompub-notify-02.txt
  • We've implemented one-to-one RSS - it works fine

    We provide collaborative tools to working groups and committees in standards organizations. We used to rely on email notification whenever a new document was added to a repository, a ballot opened, an action item was assigned, etc. However, for the reasons you cited, along with the tendency for email to be lost in the noise or filtered by corporate spam filters, we added personalized RSS feeds to the mix.

    Members can subscribe to a "My RSS" feed that aggregates all of the notifications from all of the committees to which they belong or subscribe to separate feeds from each committee. The feeds require authentication.

    We're very happy, as are our customers, with the subscribe and poll approach as an alternative to email notification.

    Based upon our experience, I expect to see secure, one-to-one RSS feeds become a common alternative to email notification.

    David White
    Kavi Corporation
    • Will not scale

      RSS was not built for one-to-one communications. And even when you try to use it that way, it will be impossible to scale.

      Plus, it offers no way for the person to communicate back with the sender - a key part of "communication" that email does very well.
      Paul C.
  • Netflix does personal RSS feeds already

    You can get an RSS feed from a variety of sources on Netflix, including public (upcoming releases) and personal (your movie queue). There is no security on the personal queue feed (anyone can use the same URL), but there is no personally identifiable data in it anyway. Doesn't prove that you can do it securely, but it does prove you can scale.
  • RSS feeds and privacy

    David, I know of one application where there are potentially hundreds of thousands of users with personal RSS feeds. It is up and running, and you'll never guess who's behind it. Microsoft's Bungie division offers gamers a personal RSS feed of their stats from recent games played in Halo 2 on Xbox Live. Of course this feed is public, if you know the correct URL. Many gamers want to share the information for bragging rights, so privacy is not a concern. No personal information is included in the feed.

    In a phishing situation, the communication is one-way from the company to the customer, and privacy is not always required. Email itself is not private. What the e-commerce site wants is for their users to be able to receive a message asking them to log in and update their account information. Handling this with a customized RSS feed is elementary. And the phishers can't control the feed unless they hack the RSS server. The e-commerce site simply has to ask all their users to subscribe to an RSS feed to receive communication from the company. Most emails from e-commerce sites requesting this right now are from unmonitored email addresses (i.e. no responses will be read), so switching to RSS would not impact the communication channels.

    So the first thing a user has to do when they sign up with the company is to subscribe to their own RSS feed with the RSS reader of their choice. Then the company would send a Response Requested message over the feed (perhaps containing a link or some other code) to return to the company. At this point, the e-commerce site knows that the customer can receive messages, and the customer knows they can receive them. If the RSS URLs are complex enough, no one can guess them, so the illusion of privacy is the same as when reading email.

    So I think that everything you're suggesting is possible David. It just takes the right people with the right technology to do it.
    • A polling nightmare

      The only way the customer knows if anything exists is to have their RSS aggregator software continuously poll the feed for updates.

      So instead of a user polling their own email server (their expense) to get their notes, they now have to poll 100 different points to get their updates? Not very efficient and I cannot believe that many organizations will want to take on that type of load.

      And moving to a central site that aggregates feeds once, then moves them to a client is not going to solve the "audience of one" issue, since the central aggregating service will still have to poll numerous times to get every client's update. Unless the RSS standard is modified to deliver a packet full of items for many clients, but now RSS is being bastardized like SMTP has to use MIME to do things that SMTP was not meant to do.

      Interesting thoughts....
      Paul C.
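The scheme sketched in the "RSS feeds and privacy" comment above (a per-customer feed behind an unguessable URL, followed by a "Response Requested" item the customer must answer), together with the authenticated per-member feeds Kavi describes, as an added example. This is not code from the original post or from any of the services named in the thread; it assumes a hypothetical site https://shop.example, an in-memory account table standing in for the server, and a reader that fetches the feed by calling the server function directly rather than over HTTP. The only secret is the 256-bit token in the feed URL, which is looked up by its SHA-256 hash so the raw token is never stored; the response code is bound to the account with an HMAC and accepted once. The reader side adds one check the comment does not spell out: it keeps only items whose links stay on the host the feed was subscribed from, which is the property that makes the channel hard to phish through.

```python
"""Per-user ("audience of one") RSS feed with a capability URL and a
one-time Response Requested code. Added example; shop.example, the
account table and all names below are assumptions for illustration."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITE = "https://shop.example"            # hypothetical e-commerce site
SERVER_KEY = secrets.token_bytes(32)      # HMAC key for response codes; never leaves the server

_by_key = {}    # sha256(feed token) -> account  (constructed in-memory table)
_by_name = {}   # username -> account


def _key(token: str) -> bytes:
    # Index by a hash of the token: the secret itself is never stored, and timing
    # of the dict lookup reveals nothing an attacker could turn back into a token.
    return hashlib.sha256(token.encode()).digest()


def enroll(username: str) -> str:
    """Register a customer and return the capability URL of their private feed."""
    token = secrets.token_urlsafe(32)     # 256 bits of randomness: not guessable
    acct = {"name": username, "items": [], "challenge": None}
    _by_key[_key(token)] = acct
    _by_name[username] = acct
    return f"{SITE}/feed/{token}.rss"


def post_notice(username: str, title: str, text: str, link: str = SITE) -> None:
    """Ordinary one-way notice (order shipped, policy change, and so on)."""
    _by_name[username]["items"].append({"title": title, "text": text, "link": link})


def post_response_requested(username: str) -> str:
    """Publish a 'Response Requested' item; the code is HMAC-bound to this user."""
    acct = _by_name[username]
    acct["challenge"] = secrets.token_hex(8)
    msg = f"{username}:{acct['challenge']}".encode()
    code = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()[:16]
    post_notice(username, "Response Requested",
                f"Please confirm you receive this feed by entering code {code}.",
                f"{SITE}/confirm?code={code}")
    return code


def verify_response(username: str, code: str) -> bool:
    """Constant-time check of the returned code; each code is accepted once."""
    acct = _by_name.get(username)
    if acct is None or acct["challenge"] is None:
        return False
    msg = f"{username}:{acct['challenge']}".encode()
    expected = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()[:16]
    ok = hmac.compare_digest(expected, code)
    if ok:
        acct["challenge"] = None           # one-time use
    return ok


def render_rss(acct) -> bytes:
    """Serialize the account's items as an RSS 2.0 document."""
    rss = ET.Element("rss", version="2.0")
    ch = ET.SubElement(rss, "channel")
    ET.SubElement(ch, "title").text = f"Messages for {acct['name']}"
    ET.SubElement(ch, "link").text = SITE
    ET.SubElement(ch, "description").text = "Private notices from shop.example"
    for it in acct["items"]:
        item = ET.SubElement(ch, "item")
        ET.SubElement(item, "title").text = it["title"]
        ET.SubElement(item, "link").text = it["link"]
        ET.SubElement(item, "description").text = it["text"]
    return ET.tostring(rss, encoding="utf-8", xml_declaration=True)


def serve(path: str):
    """Feed endpoint: returns (status, body). Bad or unknown tokens all get 404."""
    if not (path.startswith("/feed/") and path.endswith(".rss")):
        return 404, b""
    token = path[len("/feed/"):-len(".rss")]
    acct = _by_key.get(_key(token))
    if acct is None:
        return 404, b""
    return 200, render_rss(acct)


def read_feed(feed_url: str):
    """Subscriber side: fetch the feed and keep only items whose links stay on the
    host the feed was subscribed from, so a look-alike domain never reaches the user."""
    parsed = urlparse(feed_url)
    status, body = serve(parsed.path)
    if status != 200:
        return []
    items = []
    for item in ET.fromstring(body).iter("item"):
        link = item.findtext("link") or ""
        if urlparse(link).netloc == parsed.netloc:
            items.append((item.findtext("title"), link))
    return items
```

Serving the feed only over HTTPS (so the token is not visible on the wire) and treating the feed URL like a password when the customer's reader is a hosted Web aggregator are the two operational points the code cannot show; the Netflix and Halo 2 feeds mentioned above are public precisely because their URLs are shareable, which is the opposite of what this design relies on.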
  • What about Education?

    Secure one-to-one RSS is an excellent way for faculty to manage on-line and/or distance learning. It could be combined with one-to-many feeds to create communications channels that would be secure and free of phishing and spam.

    ~Steve Sloan, IT Consultant, San Jose State University