A little while ago, the notion of RSS hijacking grabbed the headlines and feed publishers everywhere were living in sheer agony, waiting for their reader count to drop, their faithful listeners to be piped smut through the magic of fraudulent CNAME records and sneaky mod_rewrites. Looking around, one can see the situation is already problematic: there are many false feeds circulating through directories and indexes, more often than not created by users who were just “trying out” a service by using someone else’s XML source, not realizing they were, by releasing their homebrew feeds into the wild, creating a virtual time bomb.
On the Internet of today, we have means to authenticate communications at different levels. Technically, we can guarantee you are talking to a specific server, a specific website, even a specific person or company by adding some real-life identity checks to the mix. The problem, of course, is that such certificates are difficult or impossible to obtain and that it is just “easier” to do without them, betting on the fact that we or the people around us will never come under attack.
Come to think of it, though, the situation is worrying: with no assurance that an email you receive is from me, that the website you visit is the one I have written or that the feed you are subscribed to faithfully mirrors what I write, how do you know you are in touch with me? And how do I know I am in touch with you? You think you are reading this blog on the O’Reilly network right now but are you really? Or did someone hijack the DNS of your network, presenting you with a page that looks like the O’Reilly network, smells like the O’Reilly network, sounds like the O’Reilly network but is actually stuffed with malicious images, corrupting your QuickTime installation through the magic of buffer overflows?
This sounds like a deleted scene from The Net but is actually a very plausible situation, given how predictable our browsing and updating patterns are for someone who really wants to attack our systems or our network.
If there is one thing I wish for the Internet of tomorrow, it is better authentication, more ways to know who really is on the other end of the line. Transparent windows and web feeds can wait.