hi, plz follow my link to support my seo contest artikel….

MIG Welding Techniques | Respectable Reviews | Training An Older Dog

IMHO, this is the Right Way to do personalization (since aggregators don’t support cookies). The UI on the client end could use some work, but between NGOnline, NGOutlook, NGES, FeedDemon, and NNW, a single company could get a lot done on that front.

I think your concern is partially valid, but only partially. Take the case of a personalized feed of my.earthlink.net (basically an RSS feed of a personalized home page). Any aggregator can implement a heuristic to the affect that if there is only one subscriber to a feed, the aggregator does lazy polling on the feed — that is, the aggregator only polls when the user logs in or starts a new session, and then only keeps polling while the user maintains a session.

If 10,000 my.earthlink.net RSS subscribers all have their personalized URL in Bloglines, Bloglines uses their lazy loading heuristic. If people start to share their personalized feeds, Bloglines determines a lazy loading v. prefetch tipping point (say 10 subscribers to a given unique feed).

In terms of the security concern: here’s my personalized My EarthLink feed. It has my local weather, some stock tickers I follow, my horoscope, and some other random stuff. Fairly boring to anyone but me. Not enough personally identifying information to do much damage, and no way to back out from that URL to a username and password for the actual personalized portal site.

As for your point about messing with tracking — I totally agree. Providers shouldn’t use a unique feed ID to assist in tracking unique subscribers. There are much better ways for that.

-Joe

Looking through your list of subscribed blogs, I found that I am able to read your private del.icio.us feed. Your key is in a plain sight!

Well, I cannot know for sure (may be you intentionally made it public), but it is very likely scenario that people will expose their private feeds using blogroll tools without proper care.

It is classical security failure: none of the parts involved is directly at fault, but their combination is vulnerable.

delicious gave you a key, assuming you will keep it private. Newsgator did not recognize this as a private feed. Ultimately, the problem is in lack of authentication mechanism in RSS. Not that it is technically complex (after all, RSS piggybacks on HTTP, and there are authentication mechanisms for HTTP), it is just there is not much demand for feed security for a number of reasons.

It is also easy to imagine scenario when some smart service builds a combined prioritized feed based on your blogroll and your actual reading preferences. Now, for my paranoid self a plain blogroll is already a big privacy breach, leaking one of those personalized feed URLs would be a total disaster for me!

I am not sure if you want to let this comment through. I certainly would not – as a security researcher I should not believe in “security by obscurity” but my gut feeling is all for it.

On the other hand, you are a blogger with a big audience and investor in an RSS company, so may be my humble comment could help raise awareness about security issues in feed aggregation.