Does RSS pose an information security problem?

I don’t want people to get RSS versions of my website’s webpages, saving them and maybe comparing them with a diff checker and then maybe finding what I have deleted or added – for practical and maybe also legal reasons.

Does RSS pose an information security problem?
Not necessarily regarding sensitive information, but just giving power to business competitors to find mistakes and changes and then exploiting these to do damage to a rival business?

No more than just posting the same information online in the form of a web page. RSS is just going to be another format of the same content. Competitors could just scrape public web pages and build their own RSS feed with that.

The old adage goes, if you don’t want people to have the info, don’t post it online.

I want people to have the info, just not to track any change I make in it, not even of a single letter.

I have already disabled what’s called revision creation and I have also deleted all old revisions besides the last one, so now the last action would be to prevent RSS I guess.

Do you claim that disabling RSS won’t help because some competitor may create a tool that tracks each and every webpage of my website, scans the website continuously for changes and reports them?
In theory, that’s possible but I don’t think any competitor will ever do this as the costs most probably outweigh the benefits.

When you have posted something on the web, it stays there forever. Even Google is caching old sites. So all your efforts are useless. Even without RSS it’s no problem to check the changes you made to your website’s content if someone wants to.

I don’t think that’s 100% accurate. For example, some webpages didn’t have enough time to be crawled by Google, let alone be cached (especially in websites with mild to moderate crawling budget).

Yes, my case is about pages that have just been posted.
Even on the same day of posting them I still want to prevent competitors from tracking their updates/changes and I think disabling RSS is the only way to do so, isn’t it?

Don’t publish the page until you’re ready to publish it then.

You can’t say “it won’t have enough time to be crawled” when you don’t control the crawlers. Maybe they’re feeling frisky today. Maybe your site happens to be next on their crawl list juuuust as you hit that button.

The Wayback Machine, people’s local browsers that have just left a tab open, cache intermediaries around the world… anything can hold a copy of the page you put up there.

I think it’s not that simple; I will publish it when I think it’s ready but I can always have mistakes and updates. It’s quite like telling me don’t publish a post in this forum until you think it’s ready but edits could always occur.

A website can be crawled after one minute, one hour, one day, etc. as you well know.
I think that currently my website is still crawled quite slowly (once a day) and that generally websites are crawled slower today than they were pre year 2019 but this can always change for a website of course.

But anyway please let’s keep this discussion about RSS.

The word ‘crawl’ applies equally to your webpages and RSS feeds.

How can that be? A human following any change in my website with RSS gets a notification at almost the same time I make the change. A crawler? Maybe.

A human can go to the RSS feed at any microsecond of the day, not just after a notification has reached them.

The MICROSECOND you push the button, anyone in the world, human or crawler, can read it. And any microsecond after that, a human or a crawler could read it again, and notice changes.

You seem to be laboring under the belief that you somehow control the timing of things not in your control. We’re just trying to get you to recognize that you DON’T, and CAN’T.

There is no such thing as ‘information security’ when you publish something public. You can edit something, but you cannot guarantee no one will ever notice the change.

In the context of RSS, I can turn off RSS to make human noticing of changes very unlikely.

Google crawls millions of websites every day. Your website is only one and can be quickly crawled.

It is not and people are telling you it is not.

You made your website relevant to this discussion in the first sentence of the original post.

Read what RSS actually is. Unlike communication protocols such as email, there is nothing about RSS that causes notification to occur. Notifications of changes in an RSS feed are provided by software that monitors (crawls) RSS feeds. RSS entries have a timestamp but there is no feature that provides notification.

A person (or a computer) could store a copy of your website and do that every minute. When there is a difference between a current copy and a previous copy, they could compare the two versions. The computer can do the comparisons accurately in less than a second. The only question is if it is worth doing.

Most developed countries have copyright laws and laws such as that to protect their designs and data and such. Companies pay lawyers much money to enforce the laws. Countries like China ignore the laws. Companies in countries such as the USA are very concerned about countries using their designs and other things. If there were easy solutions then that could save companies much money. There are not easy solutions.
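The polling model described in the post above, as an added example that is not part of the original thread: a reader fetches the feed at two different times and works out what changed entirely on its own side, with nothing pushed by the server. The two feed snapshots, the guids and the function names are constructed for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample: the same RSS 2.0 feed as fetched by two successive polls.
FEED_T0 = """<rss version="2.0"><channel><title>Example</title>
<item><guid>post-1</guid><title>Pricing</title>
<description>Plans start at 10 USD per month.</description></item>
</channel></rss>"""

FEED_T1 = """<rss version="2.0"><channel><title>Example</title>
<item><guid>post-1</guid><title>Pricing</title>
<description>Plans start at 12 USD per month.</description></item>
<item><guid>post-2</guid><title>Changelog</title>
<description>New page.</description></item>
</channel></rss>"""


def snapshot(feed_xml):
    """Map each item's guid to its text; this is what a reader keeps per poll."""
    items = {}
    for item in ET.fromstring(feed_xml).iter("item"):
        guid = item.findtext("guid", default="")
        title = item.findtext("title", default="")
        body = item.findtext("description", default="")
        items[guid] = title + "\n" + body
    return items


def compare(old, new):
    """Classify items by comparing two polls; the feed itself signals nothing."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(g for g in both if old[g] != new[g]),
    }


def word_changes(old_text, new_text):
    """Return the words removed ('- ') and inserted ('+ ') in one item."""
    delta = difflib.ndiff(old_text.split(), new_text.split())
    return [d for d in delta if d.startswith(("- ", "+ "))]


if __name__ == "__main__":
    before, after = snapshot(FEED_T0), snapshot(FEED_T1)
    print(compare(before, after))
    print(word_changes(before["post-1"], after["post-1"]))
```

The same comparison applies unchanged to two saved copies of an HTML page, which is why removing the feed does not remove the exposure.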

It is not and people are telling you it is not.

Please quote me fully next time:

Even on the same day of posting them I still want to prevent competitors from tracking their updates/changes and I think disabling RSS is the only way to do so, isn’t it?

By that I meant to ask if turning off RSS is the only thing I can do on my side to reduce the chance of other users tracking changes in my website.

You made your website relevant to this discussion in the first sentence of the original post.

In the context of RSS.

Read what RSS actually is. Unlike communication protocols such as email, there is nothing about RSS that causes notification to occur. Notifications of changes in an RSS feed are provided by software that monitors (crawls) RSS feeds. RSS entries have a timestamp but there is no feature that provides notification.

I have read it already. I haven’t used an RSS reader for years, but it does indeed update about changes in content just after they occur. That is all I meant.

@bendqh1,

Many people in the business world share your concerns about RSS feeds. They worry that competitors may use them to monitor changes on their websites. This issue is not limited to RSS feeds alone. It is a broader concern that stems from the intersection of content management and the public nature of the internet.

The essence of RSS is to simplify content delivery and ensure that your audience can stay updated with minimal effort. Your RSS subscribers are immediately informed whenever you update your website. However, this immediacy is not just limited to RSS; it’s a common trait of the online world.

I’ve tried to limit historical data visibility on my site by turning off revisions and removing old ones. Yet, the moment anything goes live on the web, maintaining control over who sees or shares it is a tall order. Concerning competitors keeping tabs through RSS, it’s crucial to recognise that plenty of other tools can serve the same purpose. Web crawlers can effortlessly track site changes without needing an RSS feed.

Your point about the cost and effort involved in such monitoring operations is well-taken. However, the investment in tracking tools could be justified as strategic for entities with enough at stake.

The power of RSS in keeping your audience engaged and making your content readily accessible is a critical aspect that can’t be overstated. It’s not just about pushing content; it’s about fostering a strong connection with your audience. Therefore, the focus shouldn’t be on restricting RSS or other content dissemination tools but on how we manage what information we make public. By strategically planning our content releases and being mindful of what we share, we can effectively mitigate the risks of unwanted tracking.

While information security concerns in a competitive landscape are valid, addressing them might be more about intelligent content strategy than limiting access to that content.

Acknowledging that once something is online, controlling it becomes significantly more challenging suggests a shift in how we approach content management and release might be in order.

So, maybe the conversation should be more about how to share information strategically rather than how to keep our RSS feeds under lock and key.

Regards,
Michael Swan

Anyone can see the entire post. Therefore my intent for quotes here is to just provide the context for my comments.

My response is the same regardless of how much is quoted.

Using RSS feeds on your site can present potential information security issues, especially if your data could be used to harm your business or if you face competition. If your RSS feed includes sensitive data or information that you don’t want to share publicly, then this could become a security issue. It is good practice to exclude sensitive information from the RSS feed.

I believe my quote was taken further out of context by partially quoting it.

I hope you don’t take offense to the question, but how could someone do what you mentioned with something you’ve published and therefore consider safe enough to expose to the internet and the global public?

I mean, I don’t know what you do, but for example, an error in a technical description wouldn’t seem like something that could harm a business rival. What error could be so important as to go to such lengths?

I’m not trying to uncover business secrets, I’m just curious about the level of caution with an essentially harmless tool.

Hello, I didn’t quite understand what you meant to ask me…