Carl Hutzler’s Blog

Photography, Technology Musings, and other Completely Random Thoughts. Hey, it’s free.

RSS Feeds and Authentication

August 01st, 2006 | Category: Uncategorized

One of my teammates (Stu Brandt) was doing some testing/exploration with RSS the other day in preparation for a project we have going to expose some mail transactions in a “web 2.0″ kind of way. The idea is to allow people access to their mailbox from a web world….like maybe their myaol page or their myyahoo page, their flickr home page, or AIM pages, etc. You get the idea. But you could also imagine people writing desktop apps like an Apple Widget to have the feed or a new browser toolbar, blah, blah.

Anyway, people kind of think of their mailbox as private, so a simple RSS syndication of everyone’s mailbox (while interesting) might piss off some folks. Some people just don’t like other people reading their mail (who would have guessed!). So we have to authenticate these feeds.

Stu was playing with Gmail’s feed for his gmail account (the feed is actually ATOM based just for correctness). During his testing of the gmail feed, he went to a website called Bloglines which is essentially a feed aggregator which allows people to aggregate a bunch of RSS feeds from blogs, news sites, etc into a single page much like MyAOL does. He entered the Gmail URL into the site and found something interesting. The bloglines site displayed someone else’s gmail inbox!

Screenshot

Its not completely obvious what is happening here, but this is what we thought was going on:

Likely the other gmail user (Chavescesures@gmail.com) added their inbox Atom feed to their bloglines screen at some point in time. Bloglines likely has a very well architected and efficient caching system to prevent them from hammering feeds for popular sites and maybe this caching was the issue? But the interesting thing is that their system somehow did not take into account that the same feed URL (in this case it is https://mail.google.com/mail/feed/atom) might result in different results due to authentication and not be something they want to cache. Usually an https would signify that, so I have to admit being a bit confused how bloglines could be broken like this. Or perhaps it is just a big nasty bug in the bloglines system?

Either way, it does give oneself pause as to whether you should ever give your name/password to a third party site for things like this or related. If that site is not secure, neither are you.

1 Comment so far

  1. Larry Seltzer August 1st, 2006 11:03 am

    Perhaps OpenID is a solution for this problem?

Leave a reply

Mexico