Full RSS feeds introduced (incl. private messages!) - potential security risk?
I recently received an email from Pownce telling me about a couple of new features, among them the introduction of RSS feeds for all messages, both public and private. Apparently the feed URL is secured only through adding an additional 8 character password, meaning that should anyone ever get their hands on the RSS feed URL, they would be able to read all my messages.
Even though for someone like me, who still only receives a fraction of the email notifications and could thus use this new feature as an alternative way to be notified of new messages, this might appear like a great feature at first, I find it a bit, say, careless to offer such an option, as it is now potentially possible to read all my messages without having to log in.
Am I being paranoid here or would any of You agree that I just might have a valid point?
Thanks for Your opinions on the matter!
Yes, we're very aware of this and we've followed a fairly standard method of obfuscating the URL of the feed to keep your information private. Each person has a 'secret key' which only they can see. This key is used as part of the URL for your RSS feeds. You can see your key here when you're signed in: http://pownce.com/settings/secret_key/
If you're extra concerned about your privacy, you can reset that secret key at any point. That will change the URLs to your feeds.
Yes, I know, that key is what I referred to as the "8 character password". "Key" is probably the proper term. :-)
Well, I didn't know that one can change the key anytime, that does of course add a bit to the side of security. Maybe a regular change every three months or so would be a good idea despite having to update the URL in all RSS readers etc. as well.
All in all I guess it comes down to this handy formula:
Usefulness > potential security risk
Maybe I've been listening to too many "Security Now" podcasts recently... ;-)
Thanks for the quick reply, Daniel!
P.S.: Missed You in Amsterdam last week!
You're right, it comes down to that equation. One thing I could imagine would be to have the option of disabling personal feeds for your account... so security-conscious/paranoid people could disable it for themselves.
I actually wasn't in Amsterdam with Leah and Kevin. I'll be in London and Limoges next week for a couple of conferences though.
Well, I'd have to say that even though the chances of illegally retrieving the feed URL when it's not in use are rather slim, considering the fact that said URLs always follow the same syntax might make the option to disable them completely a worthwhile addition.
I know that security-consciousness is a lost art in the world of Web 2.0, but it's usually the lesser of two evils. Mind You, I'm not one to disable JS and cookies or use 256bit keys for everything and what have You - I'll leave that to the truly paranoid, the watchdogs of net security.
Oh, and I knew You weren't there, just meant that it would have been fun. Because it was. You know. Fun and stuff. :-) Still, I hope You'll enjoy Your own personal trip through our old continent.
Cheers!
I agree that this "feed" could be a possible security/privacy risk. With that said, this is the risk we take using applications like this. I always assume that everything I say will be seen by another person. The "changing the key" feature is a good solution for the time being.
However, I wish that I could make a feed of the notes I send out that aren't private (such as things I send to all of my friends on pownce). I know it kind of goes against what pownce is all about (controlling what content is seen/sent to users), but I would love to have a feed that one could add to a webpage or a profile on another social network.