--- In aggregators@yahoogroups.com, Jeremy Zawodny <jzawodn@...> wrote:
>
> Believe it or not, we got the message a while ago...
>
> But it's a non-trivial change to our infrastructure and one not to be
> taken lightly.
>
> Jeremy
Thanks for replying, Jeremy. I'm glad the message got to the right people.
Perhaps looking at the way livejournal has implemented RSS authentication would be helpful. They set it up so "friends only" posts could be viewed in RSS feeds. Their RSS URL is like this:
https://MY_LIVEJOURNAL_USERNAME:MY_LIVEJOURNAL_PASSWORD@www.livejournal.com/users/MY_FRIEND'S_USERNAME/data/rss?auth=digest
Sniffing the traffic, it looks like Livejournal is using MD5.
The security question:
Is their RSS authentication secure enough? I.e. can I leave my feedreader refreshing every 30 minutes even when I'm on an open wi-fi connection without fear that my livejournal password will be compromised?
I asked this same basic question in an offtopic comment on this slashdot article:
LiveJournal XSS Security Challenge
http://it.slashdot.org/article.pl?sid=06/01/31/1324257
Someone replied:
http://it.slashdot.org/comments.pl?sid=175728&pid=14607767#14607982
> Digest auth (which I assume from the URL is what LJ is using here) uses a one-time nonce as a challenge, so capturing your response would not benefit an attacker since the same response cannot be replayed. Also, the MD5 hash you're seeing your client send is based not only on your password and the nonce but also on the HTTP method being used and the URI being requested. Digest auth does have its flaws, but I think it's secure enough for this purpose.
I found a good article about private rss feeds here:
http://labs.silverorange.com/archives/2003/july/privaterss
I hope that info helps.
Thanks for listening,
Simon