Secured RSS/Atom Feeds

I’ve been spending a lot of time looking at the best options for getting authenticated RSS and Atom feeds with a free reader. Here are the factors to consider:

  • HTTP
    Standard protocol for the web. All information is sent “in the clear”, so a snoop can see what you are looking at with no effort. 99% of all feeds use this, so every reader out there supports it.

  • HTTPS
    Standard secured protocol for the web. All information is encrypted, so a snoop can’t see anything useful if he monitors your connection. Unfortunately, the encryption is going to slow everything down. Only a handful of readers support this.

  • Basic Authentication
    Common way to require username + password to access information. Unfortunately, when you type the password it is sent without any encryption, so a snoop can see your password with no effort. The only way to mitigate this problem is using it over HTTPS so that the password is naturally encrypted for you. This is a viable solution for non-Windows servers.

    Several readers support basic authentication, but not when combined with HTTPS. If you don’t combine the two, you haven’t got a secure solution.

    I should mention that some readers claim basic authentication support if you pass the username and password along in the URL like this: http://foo/rss?username=bob&password=secret . This is, frankly, a ridiculous thing for any server to allow and be called secure. The password is now in plain sight everywhere from your browser history to a proxy server to the destination server, and to any snoop along the way. Don’t bother.

  • Digest Authentication
    Windows Servers use this to require username + password when tied to an Active Directory infrastructure. The password is not sent in the clear, so using it with HTTP is okay, unless the stuff you’re going to look at needs to be secured as well.

    Very few readers I’ve found can handle this.

  • NTLM Authentication
    Windows Servers use this to require username + password when tied to a domain infrastructure. This is a hard nut to crack because the NTLM spec isn’t publicly available. This is theoretically even more secure than Digest, and the password is also never revealed. Using this with HTTPS is probably the most secure your information can be on a Windows Server.

    Since this is the big brother to Digest, usually only the (very few) readers who can handle Digest also handle NTLM.
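To make the Basic versus Digest distinction above concrete, here is an added example (not code from the original post) showing what each scheme puts on the wire, plus a check for credentials embedded in a feed URL. The Digest inputs are the sample values from RFC 2617 section 3.5; the function names and the `bob`/`secret` pair reused from the URL above are illustrative assumptions.

```python
import base64
import hashlib
from urllib.parse import urlsplit, parse_qs


def basic_header(user, password):
    """Authorization value a reader sends for Basic auth: base64 only."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_from_basic(header):
    """Base64 is an encoding, not encryption: decoding needs no key."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Digest 'response' field (RFC 2617, MD5, qop=auth).

    Only this hash crosses the wire; it is bound to the server nonce.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def url_credential_leaks(url):
    """List where a feed URL carries a password (userinfo or query string)."""
    parts = urlsplit(url)
    leaks = ["userinfo"] if parts.password is not None else []
    for key in parse_qs(parts.query):
        if key.lower() in {"password", "passwd", "pwd"}:
            leaks.append(f"query:{key}")
    return leaks


if __name__ == "__main__":
    hdr = basic_header("bob", "secret")
    print(hdr, "->", recover_from_basic(hdr))
    # RFC 2617 section 3.5 sample values
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
    print(url_credential_leaks("http://foo/rss?username=bob&password=secret"))
```
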

There are a couple of lists of “which readers can do what” out there, but my own experience has proven to be at odds with the officially publicized capabilities. I have tried SharpReader, Bloglines, NewsGator Online, RSSOwl, BottomFeeder, FeedReader, intraVnews (which is not free), and a couple of others I don’t remember offhand.

And the winners of secured feeds are…

Interestingly, the forthcoming RSSOwl 1.1 is supposed to handle Digest/NTLM as well, so I’ll be keeping an eye out for it when it is released in the near future. It may well become the de facto free reader for authenticated feeds until everyone else catches up.

Addendum (March 4): Greg of NewsGator fame had a couple of firewall suggestions that seemed to do the trick for HTTP, but not HTTPS. I’ve added NewsGator Online to the list above accordingly. I’ll keep poking around to see if I can get it to work via HTTPS as well.

6 Responses to “Secured RSS/Atom Feeds”

  1. James Robertson Says:

    I’ve tested BottomFeeder against secured and unsecured sites, using both Basic and Digest auth. What problems did you have?

  2. Mark Woodman Says:

    I’ve since un-installed BottomFeeder, so I can’t give the exact error message any more. I was unable to get to a feed secured with Digest authentication on an IIS 6.0 / Windows 2003 Server box. (This is what I used for testing the various combinations above.)

  3. Greg Reinacker Says:

    NewsGator Online can support Basic and Digest, with or without HTTPS. It can actually support NTLM/Kerberos as well, but this will typically not succeed with most firewall policies.

  4. TommyA Says:

    With ‘http + basic’ wouldn’t the username & password get passed as the HTTP Referrer if the user follows any links in the articles?

  5. Venkatesh Says:

    How to give username and password for secure rss feeds.
    _________________________________________________________
    https://gmailusername:password@gmail.google.com/gmail/feed/atom/
    I want to read the mail headers of my Gmail account through an RSS or Atom feed, as Gmail allows this.
    This feed requires the username and password, though those are incorporated in the URL itself.
    There are a lot of aggregators and RSS feeders which use this URL, but the username and password are still required.
    I want to do the same through Java URL and URL connection.
    If the URL is given directly in the browser bar, then it will ask for the username and password again and give the XML response in the browser page.
    My concern is how to give the username and password for the same through code, i.e. urlconnection.
    I have found one GData API which is for Blogger and Calendar. I am trying the same, but I got an authentication exception while running, since this feed URL requires the username and the password.
    The URL to be posted [added in the GDATA source]: https://www.google.com/accounts/ClientLogin
    The content of the URL posted: service=mail&Passwd=password&Email=gmailusername&accountType=HOSTED_OR_GOOGLE&source=exampleCo-exampleApp-1
    In Http_Ok
    Got the input stream after launching the url with the parameters [added in GDATA]
    com.google.gdata.util.AuthenticationException: Unauthorized
    at com.google.gdata.client.http.HttpGDataRequest.handleErrorResponse(HttpGDataRequest.java:480)
    at com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:458)
    at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:452)
    at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:430)
    at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:441)
    at com.google.gdata.client.Service.getFeed(Service.java:458)Service Exception while getting the feed

    at com.google.gdata.client.GoogleService.getFeed(GoogleService.java:677)
    at com.google.gdata.client.Service.getFeed(Service.java:497)
    at Headers.readCalendar(Headers.java:33)
    at Headers.main(Headers.java:58)
    Exception in thread “main” java.lang.NullPointerException
    at Headers.main(Headers.java:59)
    The code is taken from http://code.google.com/apis.
    Please help on this, it is urgent. I can give more points for this, but I have only 250 available with me.

  6. Mark Woodman Says:

    Venkatesh,

    This page may help:
    http://code.google.com/apis/accounts/Authentication.html

    Otherwise, I suggest you ask on the GDATA discussion group:
    http://groups.google.com/group/google-help-dataapi