28 January 2005


Subscribing to Password-Protected RSS Feeds in Bloglines

A couple of days ago, Andy Boyd asked a question about how to password-protect RSS feeds and handle subscriptions to them. I knew that some desktop aggregators, including RSS Bandit, which I use, can handle .htaccess protection, but Andy explained to me that he was looking for a web-based aggregator.

So I went to find out if it is possible to work with password-protected feeds in Bloglines. I figured out that it is, by using URL-based authentication.

It works this way: You subscribe to the feed in Bloglines, passing the username and password in the URL in this form:


Note that this is just a simple form of security: The username and password are sent in plain text and can be read by someone intercepting your connection. Also watch out that you are not publishing your OPML from Bloglines as other people will then get access to the protected feed! You should set access to the feed to "private" (you will see this option on the second page of the subscription process) to prevent the feed and thus your password from showing up in your public Blogroll. (Thanks Beate!)
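A pre-publication check for the OPML risk described above, as an added example (not part of the original post and not Bloglines' own code): it flags and strips `user:password@` from feed URLs in an OPML export. The sample OPML, hosts and credentials are constructed, and the scanned attribute names (`xmlUrl`, `htmlUrl`, `url`) are the usual OPML outline attributes, assumed here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample OPML export; hosts and credentials are made up.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.0">
  <head><title>Constructed sample subscriptions</title></head>
  <body>
    <outline text="Open feed" type="rss" xmlUrl="http://feeds.example.org/open.xml"/>
    <outline text="Team feed" type="rss"
             xmlUrl="http://alice:s3cret@intranet.example.org/team.xml"
             htmlUrl="http://intranet.example.org/"/>
    <outline text="User only" type="rss" xmlUrl="https://bob@example.net/feed"/>
  </body>
</opml>"""

URL_ATTRS = ("xmlUrl", "htmlUrl", "url")  # assumed set of URL-bearing attributes


def strip_userinfo(url):
    """Return (clean_url, had_userinfo) with any user:password@ part removed."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, False
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit drops the brackets, put them back
        host = "[" + host + "]"
    if parts.port is not None:
        host += ":%d" % parts.port
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment)), True


def sanitize_opml(opml_text):
    """Redact credentials from every outline URL; return (clean_opml, findings)."""
    # Intended for your own export; ElementTree is not hardened for hostile XML.
    root = ET.fromstring(opml_text)
    findings = []  # (feed title, attribute) pairs that carried credentials
    for outline in root.iter("outline"):
        for attr in URL_ATTRS:
            value = outline.get(attr)
            if value is None:
                continue
            clean, had = strip_userinfo(value)
            if had:
                findings.append((outline.get("text", ""), attr))
                outline.set(attr, clean)
    return ET.tostring(root, encoding="unicode"), findings
```

Any feed listed in `findings` should also have its password changed if an unredacted copy of the OPML was ever public.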

In the meantime, Andy has found out that this also works in Newsgator Online.

[Update] Please read the security considerations in the comments before using this way of subscribing to feeds!


Two points:

1. ".htaccess protection" is not an authentication method. It is one of Apache's ways to configure authentication for a resource. There are various options, e.g. basic authentication and digest authentication (which, by the way, does not transmit plain text passwords. It is not really secure either, but much better than basic authentication). I am sure one can configure authentication protocols via htaccess that are not compatible with popular feed readers. So, I guess one cannot really say RSS Bandit can handle .htaccess authentication, but rather list the specific authentication protocols it can handle.

2. The URL authentication scheme you mention is a bit problematic. I actually hope it will cease to exist entirely soon ;) Microsoft disabled support for it in its WinInet and Urlmon APIs last summer after it had been misused extensively for phishing attacks. So any software that uses one of the two APIs will by default not support this URL syntax (i.e. all .Net applications). I also smell a security problem here (although, in all fairness, Bloglines might have thought about this and implemented a secure version): Probably this URL is saved unencrypted somewhere on Bloglines servers. If that is the case, there is a problem: Saving passwords in plain text anywhere should just generally be one of the first things to avoid from a security point of view. The way Newsgator implements this gives me more faith that they have thought about this properly: username and password are entered via extra fields, and are then hopefully only saved in an encrypted format. Extra bonus: No problem with publishing your OPML file that way.

David on 28.01.05 14:57 #

Thanks David! I was actually hoping for somebody more technical than me to come along and add to my post.

You also reminded me of something I forgot to put in the post: I do not know at all what Bloglines does with the feeds you subscribe to. It may well be possible that they are added to their catalogue of feeds (which is available to all users) - I haven't checked that. So please use this way of subscribing to private feeds very carefully! It is always better to keep your password private than entering it into publicly available web-based services, no matter how trustworthy they are!

Martin Röll on 28.01.05 15:17 #

RSS Bandit supports both SSL & HTTP Authentication (Basic/Digest).

Dare Obasanjo on 28.01.05 21:58 #