Loading ...
Sorry, an error occurred while loading the content.

Re: [aggregators] Slightly OT: Ask Yahoo to enable RSS authentication for groups

Expand Messages
  • Julian Bond
    sdorfman.rm Tue, 28 Feb 2006 06:34:43 ... I ve reached the conclusion that private RSS feeds that require authentication is a bad
    Message 1 of 6 , Mar 6, 2006
    View Source
    • 0 Attachment
      sdorfman.rm <sdorfman@...> Tue, 28 Feb 2006 06:34:43
      >Sorry for the slight off-topic-ness of this post, but I'm trying to get
      >Yahoo to enable RSS
      >authentication so I can keep up with several yahoo groups (that don't
      >allow non-members
      >to view messages) via RSS instead of email. If you'd like to see Yahoo
      >add this feature,

      I've reached the conclusion that "private" RSS feeds that require
      authentication is a bad idea. The problem is that RSS is frequently
      consumed by spiders, robots and other automated apps and then
      re-purposed. This re-purposing often results in the items then appearing
      in a public feed with no authentication. So even though you serve up the
      feed securely you really have no idea what happens to it later. An
      example of this was a feed that was dropped into Newsgator by a user. it
      later turned up in Newsgator's public search. This is not a refelection
      on Newsgator necessarily and I know they do try and keep HTTP-Auth
      protected feeds out of their public database.

      In theory this should be no different from HTTP-AUTH protected web
      pages. But in practice the RSS community is much less careful about
      respecting privacy than the relatively smaller community of people that
      write automated apps to access html pages.

      The point here is that if we write aggregators we should try to be
      careful about respecting feeds that should be private. In practice, this
      can be hard. And as a feed provider you shouldn't assume that your
      private feed will stay private.

      Which is all a long winded way of saying that if you want a feed from a
      Yahoogroup, then make the group open. What is the group owner trying to
      hide anyway?

      --
      Julian Bond E&MSN: julian_bond at voidstar.com M: +44 (0)77 5907 2173
      Webmaster: http://www.ecademy.com/ T: +44 (0)192 0412 433
      Personal WebLog: http://www.voidstar.com/ skype:julian.bond?chat
      *** Just Say No To DRM ***
    • Bill Kearney
      ... I disagree. ... Automated apps wouldn t have the auth keys. Thus the feed would never get seen by them. ... The existance of the RSS feed URL can t be
      Message 2 of 6 , Mar 11, 2006
      View Source
      • 0 Attachment
        > I've reached the conclusion that "private" RSS feeds that require
        > authentication is a bad idea.

        I disagree.

        > The problem is that RSS is frequently
        > consumed by spiders, robots and other automated apps and then
        > re-purposed.

        Automated apps wouldn't have the auth keys. Thus the feed would never get
        seen by them.

        > This re-purposing often results in the items then appearing
        > in a public feed with no authentication. So even though you serve up the
        > feed securely you really have no idea what happens to it later. An
        > example of this was a feed that was dropped into Newsgator by a user. it
        > later turned up in Newsgator's public search. This is not a refelection
        > on Newsgator necessarily and I know they do try and keep HTTP-Auth
        > protected feeds out of their public database.

        The existance of the RSS feed URL can't be assumed to stay private. That
        something else might possess the URL doesn't compromise the contents.

        > In theory this should be no different from HTTP-AUTH protected web
        > pages. But in practice the RSS community is much less careful about
        > respecting privacy than the relatively smaller community of people that
        > write automated apps to access html pages.

        I don't think this is any different than any other computer program.
        E-mail, for example, does nothing to prevent simple forwarding, let along
        cut/paste. Nor do web pages. Feeds aren't any more or less 'respecting' in
        this regard.

        > The point here is that if we write aggregators we should try to be
        > careful about respecting feeds that should be private. In practice, this
        > can be hard. And as a feed provider you shouldn't assume that your
        > private feed will stay private.

        If it's behind an http auth you've reason to assume that unless the user
        also republishes their username/password combo it'll remain safe for the
        first pass.

        > Which is all a long winded way of saying that if you want a feed from a
        > Yahoogroup, then make the group open. What is the group owner trying to
        > hide anyway?

        I likewise disagree on this point. It's tragically disappointing that yahoo
        has not come to grips with this problem. That they cannot offer their list
        members the option of using RSS for their lists shows they really don't get
        RSS.

        -Bill Kearney
      • Nick Dynice
        Jeremy Zawodny is asking for suggestions on how to bring Yahoo Groups up to date on his blog. http://jeremy.zawodny.com/blog/archives/006541.html ... never get
        Message 3 of 6 , Mar 31, 2006
        View Source
        • 0 Attachment
          Jeremy Zawodny is asking for suggestions on how to bring Yahoo Groups
          up to date on his blog.
          http://jeremy.zawodny.com/blog/archives/006541.html

          --- In aggregators@yahoogroups.com, "Bill Kearney" <ml_yahoo@...>
          wrote:
          >
          > > I've reached the conclusion that "private" RSS feeds that require
          > > authentication is a bad idea.
          >
          > I disagree.
          >
          > > The problem is that RSS is frequently
          > > consumed by spiders, robots and other automated apps and then
          > > re-purposed.
          >
          > Automated apps wouldn't have the auth keys. Thus the feed would
          never get
          > seen by them.
          >
          > > This re-purposing often results in the items then appearing
          > > in a public feed with no authentication. So even though you serve
          up the
          > > feed securely you really have no idea what happens to it later. An
          > > example of this was a feed that was dropped into Newsgator by a
          user. it
          > > later turned up in Newsgator's public search. This is not a
          refelection
          > > on Newsgator necessarily and I know they do try and keep HTTP-Auth
          > > protected feeds out of their public database.
          >
          > The existance of the RSS feed URL can't be assumed to stay
          private. That
          > something else might possess the URL doesn't compromise the
          contents.
          >
          > > In theory this should be no different from HTTP-AUTH protected web
          > > pages. But in practice the RSS community is much less careful
          about
          > > respecting privacy than the relatively smaller community of
          people that
          > > write automated apps to access html pages.
          >
          > I don't think this is any different than any other computer program.
          > E-mail, for example, does nothing to prevent simple forwarding, let
          along
          > cut/paste. Nor do web pages. Feeds aren't any more or
          less 'respecting' in
          > this regard.
          >
          > > The point here is that if we write aggregators we should try to be
          > > careful about respecting feeds that should be private. In
          practice, this
          > > can be hard. And as a feed provider you shouldn't assume that your
          > > private feed will stay private.
          >
          > If it's behind an http auth you've reason to assume that unless the
          user
          > also republishes their username/password combo it'll remain safe
          for the
          > first pass.
          >
          > > Which is all a long winded way of saying that if you want a feed
          from a
          > > Yahoogroup, then make the group open. What is the group owner
          trying to
          > > hide anyway?
          >
          > I likewise disagree on this point. It's tragically disappointing
          that yahoo
          > has not come to grips with this problem. That they cannot offer
          their list
          > members the option of using RSS for their lists shows they really
          don't get
          > RSS.
          >
          > -Bill Kearney
          >
        Your message has been successfully submitted and would be delivered to recipients shortly.