Secure Syndication Misconceptions

Joe Gregorio

My Secure Syndication article and greasemonkey script has now been up for a week. It's received a lot of attention and I'd like to clear up some of the misunderstandings I've seen.

This is just for RSS.
Not true. While I concentrated on RSS in the article this will work just fine for Atom, or for that matter, as I point out in the article, any old web page. It doesn't even need to be syndicated.
Atom has it's own mechanism
Not true. This one is my own fault. If you read the article you get the impression that Atom has the same capabilites, but just delivered using XML Encryption. That is not the case. The Atom Format specification only defines how to apply XML Encryption to the whole feed document, which would require the aggregator to be able to decrypt the feed, and that was the situation we wanted to avoid. There is nothing in the Atom specification that specifies how to encrypt just part of the 'content'.
Greasemonkey has bugs so the whole idea is wrong.
Yes, bugs have been found in Greasemonkey, and it appears that some of the impetus came from people looking at how secure Secure Syndication was. I very much appreciate the effort that has gone into that review, and I am glad that those issues have been found and are being resolved, but none of the problems found so far have been flaws in the basic premise, but instead are bugs in Greasemonkey. Which leads to the next misconception.
This is only for FireFox/Greasemonkey
Not at all. Opera now supports user scripting and I have found at least three different projects to bring user scripting to IE. The JavaScript used is very basic and should be able to be ported to all those enviroments. I used Greasemonkey because it was the fastest way to get this system up and running. I could have just as easily created a FireFox extension to do the same thing, it just would have taken me longer.
"I could have just as easily created a FireFox extension to do the same thing, it just would have taken me longer." -- Or you could just have used the compiler...

Posted by Ankit on 2005-07-22

  Does the compiled FireFox extension have the same vulnerabilities that Greasemonkey has?

Posted by Joe on 2005-07-22

I checked around a bit, and the short answer is no, the compiled extension does not have the same vulnerabilities.

The whole problem is with the Greasemonkey api, more specifically with GM_xmlhttpRequest. But the compiled extension does not include the api, so any script that uses it will not work.

The current version of Greasemonkey (0.3.5) also disables all the api funcions as a security measure.

Posted by Ankit on 2005-07-22

A new version of Greasemonkey is coming VERY SOON that restores the API functions and fixes the security vulnerabilities.  (No, you can't have it.)

Posted by Mark on 2005-07-23

comments powered by Disqus