January 25th, 2005

Will phishing spoofees like eBay and banks get hip to RSS for the end run?

Posted by David Berlind @ 6:02 am

Categories: General, Security, Software Infrastructure


In preparation for an audiocast interview that I’ll be doing with the Anti-Phishing Working Group’s chairman David Jevans, we discussed one of the oft-ignored downsides to phishing and how RSS could be the solution.

Here’s the gist. Phishing has gotten so bad that users won’t open any e-mail that purports to come from one of the financial institutions or e-commerce sites with which they do business. If, for example, one of the most common spoofees, eBay, had to send urgent correspondence about a potential security problem to the buyers or sellers that use its site, almost every one of them would suspect they were being phished and would delete the e-mail without ever opening it. Phishing has killed e-mail as an effective tool for commerce-enabled sites to engage in sensitive, confidential communications. So I asked Jevans why Really Simple Syndication (RSS) couldn’t be used as an end run around the e-mail infrastructure to keep customers in touch with these institutions. For example, eBay’s site could carry prominent signage that it is setting up an RSS channel for such communications and then link to instructions for subscribing to that channel with an RSS aggregator.

When I suggested this to Jevans, he said it might work well for one-to-many communications (one RSS channel, many subscribers to it), but asked the obvious question of how it would solve the one-to-one problem: what if eBay had to contact only some of its customers? My answer: why not a separate feed for every customer? This is the same thinking behind another idea I had: overnight shippers setting up a separate RSS feed for every package they handle. That way, I could subscribe to the packages I’m sending or receiving, and my RSS aggregator (NewsGator, etc.) would alert me to changes in each package’s status. To keep a lid on the number of feeds a shipper must run, the feed for each package would expire a few days after the package arrives.

Using RSS in such a one-to-one fashion raises other questions, however. Can existing RSS-enabled systems reasonably scale to this level of service, with one feed per customer and every aggregator polling on its own schedule, and what would that mean for networks, including the Internet? Each per-customer feed URL is also, in effect, a secret: whoever knows it can read the feed, so it has to be unguessable and fetched only over an encrypted connection. Also, what happens if malware finds its way onto a user’s system? Could it, unbeknownst to the user, change the settings of an RSS subscription to poll a malicious feed, and what can be done (such as securing the RSS client) to prevent that? Finally, could widespread use of this approach be the back door to flipping all existing e-mail solutions on their ear, turning them from SMTP-based store-and-forward systems into RSS-based alert-poll-and-retrieve systems (alert my mail server that an RSS feed has something for me, poll that feed, and retrieve the message)? Running e-mail this way would make it very difficult for spammers to cover their tracks, because the recipient pulls the message from a server the sender has to operate at a reachable address, rather than accepting whatever origin an SMTP envelope claims.
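The two mechanics sketched above, as an added Python example that is not part of the original post or of any product it mentions: a server that mints one unguessable, HTTPS-only feed per customer or package and lets it expire a few days after the final item, and an aggregator-side subscription store that refuses to be repointed at another host and keeps an HMAC over its saved state so a file edited by malware is rejected at load time. The host name, URL layout, and the key held outside the file are assumptions for illustration.

```python
# Added example, not code from the original post: one private RSS feed per customer or
# package on the server, and a tamper-evident subscription store on the client.
# Host name, URL layout and key handling are assumptions for illustration only.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from urllib.parse import urlparse
from xml.sax.saxutils import escape

FEED_HOST = "notify.example.com"  # assumed feed host
FEED_TTL = timedelta(days=3)      # how long a feed outlives its final item


class FeedServer:
    """One feed per customer or package; the URL embeds a random token and is a bearer secret."""

    def __init__(self, host=FEED_HOST, ttl=FEED_TTL):
        self.host, self.ttl = host, ttl
        self.feeds = {}  # token -> {"title", "expires" (None = open-ended), "items"}

    def create_feed(self, title):
        token = secrets.token_urlsafe(32)  # 256 bits: unguessable, not enumerable
        self.feeds[token] = {"title": title, "expires": None, "items": []}
        return f"https://{self.host}/feeds/{token}.xml"

    @staticmethod
    def _token(url):
        return urlparse(url).path.rsplit("/", 1)[-1].removesuffix(".xml")

    def publish(self, url, title, body, now, final=False):
        """Append an item; a final item (e.g. 'Delivered') starts the expiry clock."""
        feed = self.feeds[self._token(url)]
        feed["items"].append({"title": title, "body": body, "date": now})
        if final:
            feed["expires"] = now + self.ttl

    def render(self, url, now):
        """RSS 2.0 text, or None (serve a 404) for unknown and expired feeds alike."""
        feed = self.feeds.get(self._token(url))
        if feed is None or (feed["expires"] is not None and now >= feed["expires"]):
            return None
        items = "".join(
            f"<item><title>{escape(i['title'])}</title>"
            f"<description>{escape(i['body'])}</description>"
            f"<pubDate>{format_datetime(i['date'])}</pubDate></item>"
            for i in feed["items"])
        return ('<?xml version="1.0"?><rss version="2.0"><channel>'
                f"<title>{escape(feed['title'])}</title><link>{escape(url)}</link>"
                f"<description>private notifications</description>{items}</channel></rss>")


class SubscriptionStore:
    """Aggregator-side list of private feeds. Entries stay pinned to the HTTPS host they
    were enrolled with, and the saved file carries an HMAC under a key kept outside the
    file (assumed: the OS keychain), so a repointed subscription is caught on load."""

    def __init__(self):
        self.subs = {}  # name -> feed url

    def enroll(self, name, url):
        u = urlparse(url)
        if u.scheme != "https" or not u.hostname:
            raise ValueError("private feeds must be fetched over https")
        self.subs[name] = url

    def repoint(self, name, new_url):
        old, new = urlparse(self.subs[name]), urlparse(new_url)
        if new.scheme != "https" or new.hostname != old.hostname:
            raise ValueError("refusing to move a subscription to another host")
        self.subs[name] = new_url

    @staticmethod
    def _mac(key, subs):
        return hmac.new(key, json.dumps(subs, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def save(self, key):
        return json.dumps({"subs": self.subs, "mac": self._mac(key, self.subs)})

    @classmethod
    def load(cls, blob, key):
        doc = json.loads(blob)
        if not hmac.compare_digest(cls._mac(key, doc["subs"]), doc["mac"]):
            raise ValueError("subscription file has been tampered with")
        store = cls()
        store.subs = dict(doc["subs"])
        return store


def package_lifecycle():
    """Constructed walk-through: a per-package feed that goes away after delivery."""
    t0 = datetime(2005, 1, 25, tzinfo=timezone.utc)
    srv = FeedServer()
    url = srv.create_feed("Package 1Z999 (constructed)")
    srv.publish(url, "Picked up", "On its way.", t0)
    srv.publish(url, "Delivered", "Left at front door.", t0 + timedelta(days=1), final=True)
    return {"day2": srv.render(url, t0 + timedelta(days=2)),
            "day5": srv.render(url, t0 + timedelta(days=5)),
            "unknown": srv.render(f"https://{FEED_HOST}/feeds/nope.xml", t0)}
```

Two design points worth noting. Expired and never-existing feeds are indistinguishable to the client, so the token space cannot be probed for live feeds. And the HMAC does not stop malware that can also read the keychain; it raises the bar from editing a text file to extracting a secret, which is the realistic scope of "securing the RSS client" on the user's own machine.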

Am I nuts? Let me know in our TalkBack section.

Talkback (10 comments)

Most recent: What about Education? (Steve Sloan, 01/31/05)
Secure one-to-one RSS is an excellent way for faculty to manage on-line and/or distance learning. It could be combined with one-to-many feeds to create communications channels that would b... (Read the rest)

All comments:
  • Now you get the idea  Paul C. | 01/25/05
  • No thanks, I'll take an RSS client  dberlind | 01/25/05
  • You are confusing private with proprietary  Paul C. | 01/25/05
  • Immediate Notification with XMPP  stpeter | 01/25/05
  • We've implemented one-to-one RSS - it works fine  dlwhite46 | 01/25/05
  • Will not scale  Paul C. | 01/25/05
  • Netflix does personal RSS feeds already  jcassella | 01/26/05
  • RSS feeds and privacy  brilang | 01/26/05
  • A polling nightmare  Paul C. | 01/26/05
  • What about Education?  Steve Sloan | 01/31/05
