Authentication and RSS

RSS grew up on the public Internet, and authentication looks likely to be a problem as it moves onto the Intranet. On Intranets, expect to find the following authentication mechanisms:

  1. NTLM
  2. Kerberos
  3. Digest
  4. Forms based
  5. Basic (usually combined with SSL)

Only the last of these mechanisms can be assumed (with any confidence) to work with most desktop RSS readers, and web-based readers often don’t even support that.

The essential issue is that the web pretty much assumes we can cope with all of these authentication mechanisms because all access is interactive, but with RSS the authentication needs to be automatic and transparent. The following issues spring to mind:

  1. NTLM – so far as I know this is only supported by IE 7 and the Vista RSS platform, and by very few servers, but if you are a Microsoft shop and are only connecting to SharePoint 2007 then this may work for you
  2. Kerberos – same as above, but probably even more demanding
  3. Digest – hardly ever used in my experience, either on clients or servers (though I may be wrong), and it has the disadvantage that your username and password will need to be stored somewhere on the client, which many enterprise security policies don’t allow
  4. Forms based – very popular server side, but no chance of supporting this in everyday RSS readers. I have seen a hack which involves browsing to a web page from within the RSS reader, authenticating, getting the cookie and then synchronising your feeds. VERY VERY messy
  5. Basic with SSL – very widely used, supported by most readers and RSS servers, but it has the disadvantage that your username and password will need to be stored somewhere on the client, which many enterprise security policies don’t allow

This leaves us with a problem. If you are a Microsoft shop you might get away with a combination of 1, 2 and 5. If not, then it looks like it’s time to start lobbying your security policy makers to allow Basic over SSL and local (encrypted) credential storage.
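As an added example (not code from the original post), here is how a feed reader could triage the five mechanisms above before deciding whether it can authenticate without a user in the loop: it reads the schemes a server offers in a 401 challenge, spots the forms-based case (an HTML login page instead of a feed), and only ever builds a Basic credential for an https:// URL. All header values and URLs are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit

FEED_TYPES = {"application/rss+xml", "application/atom+xml", "application/xml", "text/xml"}

def parse_challenges(header: str) -> list[str]:
    """Lower-cased auth schemes offered in a WWW-Authenticate header, e.g.
    'Negotiate, NTLM, Basic realm="feeds"' -> ['negotiate', 'ntlm', 'basic']."""
    schemes = []
    # Split on commas outside double quotes; a piece starts a new challenge when
    # its first token is a scheme name rather than a param=value continuation.
    for piece in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header):
        first = piece.split(None, 1)[0] if piece.strip() else ""
        if first and "=" not in first:
            schemes.append(first.lower())
    return schemes

def classify_response(status: int, headers: dict) -> str:
    """What a non-interactive reader can do with a feed response: 'feed',
    'basic' (401 offering Basic; retry with stored credentials), 'unsupported:<schemes>'
    (401 offering only NTLM/Negotiate/Digest), or 'login-form' (200 + HTML, the
    forms-based case; a heuristic, since the reader never sees a 401 there)."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if status == 401:
        schemes = parse_challenges(headers.get("WWW-Authenticate", ""))
        return "basic" if "basic" in schemes else "unsupported:" + ",".join(schemes)
    if status == 200 and ctype in FEED_TYPES:
        return "feed"
    if status == 200 and ctype == "text/html":
        return "login-form"
    return f"unexpected:{status}"

def basic_authorization(feed_url: str, username: str, password: str) -> str:
    """Basic Authorization value; refused for non-https URLs so the stored
    username:password is never sent in the clear."""
    if urlsplit(feed_url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

# Constructed sample responses, one per mechanism discussed in the post.
SAMPLES = {
    "ntlm_kerberos": (401, {"WWW-Authenticate": "Negotiate, NTLM"}),
    "digest": (401, {"WWW-Authenticate": 'Digest realm="intranet", qop="auth", nonce="abc123"'}),
    "forms": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "basic_ssl": (401, {"WWW-Authenticate": 'Basic realm="feeds"'}),
    "feed": (200, {"Content-Type": "application/rss+xml"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name:14} -> {classify_response(status, headers)}")
```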

Steve Richards

I'm retired from work as a business and IT strategist. Now I'm travelling, hiking, cycling, swimming, reading, gardening, learning, writing this blog and generally enjoying good times with friends and family.

3 Responses

  1. Anonymous says:

    Steve, would you join me in demanding Basic over SSL for our company’s RSS on Discussions, etc.? Double login just puts off most users 🙁

  2. Anonymous says:

    I have started to lobby already without much success. It seems it’s very difficult to get anyone to take interest in taking an action that requires a debate relating to security policies.

    Maybe it’s a requirement that security professionals need to be very inflexible, otherwise they would rarely achieve anything. I have personally considered every discussion with security a negotiation, hopefully with a win-win outcome, but it’s not always easy to get the negotiation started.

  3. Anonymous says:

    Security should be part of, rather than against, Information Management. Too much of it destroys what it purports to protect. RSS is about spreading information; what is the point of producing corporate information and preventing its publication!? I am very security-minded but also passionate about the publish/subscribe paradigm. Recently I find that I’m getting somewhere in my Corporation. Could it be a mirage?
