
On private RSS feeds

For those of you who are wondering what my recent Google Reader shared item comment was all about, here you go. I’ve explained it over IM twice, and I think it deserves a proper blog post:

We all like having RSS-feeds for everything, right? That way we can catch up with the world in one place.

So Facebook have RSS feeds for friends’ status updates, notes, and shared posts. These feeds look something like http://www.facebook.com/feeds/friends_status.php?id=530720481&key=0dead0beef&format=rss20. And all the feeds have the same key.

Yes, we’d rather they used HTTP-Digest password authentication, but not many RSS readers support that, and you’d never give anyone that feed url, right?

Well, no. If I read something cool in one of these Facebook-feeds in Google Reader and I share it with my Google Reader friends, they’ll all get the full feed URL. Now they can read all my friends’ status updates, notes, and shared items.

One of my Facebook friends might be paranoid, and writing about very personal stuff on Facebook. As a Facebook user, he could have set his privacy settings so that only his friends can read his notes. However, now all my Google Reader friends can too.

In this case, this isn’t a big problem, because there’s very little interesting content on Facebook, and hopefully no trade secrets. Obviously these problems apply to services besides Facebook and Google Reader, but these are good examples. Also a friend of mine shared his key recently ;-)

But it gets worse: Google Reader has a feed directory and a feed discovery page. Searching it reveals lots of such ID and key combinations. And general Googling reveals 30-odd such pairs that have leaked onto the open Internet.

So. If you are implementing RSS feeds with private data in them, please don’t use an in-URL key. Rather, submit patches to all your favourite feed-readers adding support for HTTP authentication (and in the case of Google Reader, maybe don’t use it for private feeds).
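As an added example (not code from the post, Facebook or Google Reader), here is the check a feed reader could run before it publishes an item’s source URL to other users: detect query parameters that carry a per-user capability, such as the `key=` in the Facebook feed above, and publish a redacted URL instead. The parameter names beyond `key` are an assumption for the example.

```python
"""Detect and redact URL-embedded secrets in feed URLs before sharing them.

Added example: a reader that re-shares items should never publish the raw
source URL of a feed whose access control is a key in the query string.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry a per-user capability. The post only
# names "key"; the rest of this list is an assumption for the example.
SECRET_PARAMS = {"key", "token", "auth", "password", "passwd",
                 "secret", "api_key", "apikey"}

REDACTED = "REDACTED"


def find_secret_params(url: str) -> list[str]:
    """Return the names of query parameters that look like credentials."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SECRET_PARAMS]


def safe_to_share(url: str) -> bool:
    """True when the URL carries no in-URL credential."""
    return not find_secret_params(url)


def redact_feed_url(url: str) -> str:
    """Replace credential-bearing query values so the URL can be published.

    Non-secret parameters (id, format) are kept so the redacted URL still
    identifies which feed it was; only the capability is removed.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SECRET_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# The Facebook feed URL quoted in the post, plus a constructed public feed.
FACEBOOK_FEED = ("http://www.facebook.com/feeds/friends_status.php"
                 "?id=530720481&key=0dead0beef&format=rss20")
PUBLIC_FEED = "http://example.com/blog/feed?format=rss20"

if __name__ == "__main__":
    for url in (FACEBOOK_FEED, PUBLIC_FEED):
        verdict = "OK to share" if safe_to_share(url) else redact_feed_url(url)
        print(url, "->", verdict)
```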

I'm a Google Reader convert

My blog hasn’t had much to say recently, but now that I’m feeling pressured by University assignments, I think it’s time to get back into one-post-per-day mode :-)

I remember once trying Google Reader, just after it launched, and very quickly deciding that I couldn’t stand it, and I’d stick to Liferea.

Recently, however, Liferea has been giving me trouble. It’s been incredibly unstable, and I’d often forget to run a transparent proxy on my laptop when in restrictive environments, so it’d miss lots of posts and generally be unhappy. The instability I fixed by exporting an OPML list, wiping the configuration, and re-loading, but that was a ball-ache to do. While I was bitching about this, Vhata pushed me to try Google Reader again.

I was pleasantly surprised. It works well, and I didn’t find it oppressive. That doesn’t mean it’s perfect; I’d like to see the following things improved:

  • Duplicate post detection (i.e. planetified & original posts; Liferea does this)
  • Performance
  • Favicons (or something similar, to make it more clear where a post comes from)
  • On that note, maybe configurable colour borders for important feeds?
  • Automatic refreshing (i.e. “r”)
  • More viewable area
  • A key press for opening a post in a new background tab: “v” changes your focus to the new tab, which is against the principles of tabbed browsing.

Some cool things it does that Liferea doesn’t:

  • Clicking on a folder shows you all the posts from the feeds in that folder
  • “River of posts” view, which lets me get through my reading a lot faster
  • preloading images for posts that I haven’t got to yet (this contributes a fair whack to the reading speed, given the slow interwebs in ZA)
  • Shared items
  • Access from multiple machines (OK, X-forwarding worked, but this is neater)
  • Doesn’t crash (sorry Liferea…)

I’m converted. Google Reader really is good.

/me gets on with reading feeds…
