how private are RSS feeds?
-
How could anyone find out which sites you are following using an RSS feed?
And I mean in a broad way: can the site track you? Can ISP? Network managers? Let's say you want to follow a bunch of political sites that you don't want to be easily attached to, is RSS a good way to do it? Are there extra precautions to take?
My first thought would be that it's the same as using any other browser, so not a great way to be private. Am I wrong?
-
Depends on your threat model. If you use secure DNS and https for the RSS feed, then these people would know your IP and the IP you're connecting to:
- the DNS provider
- the RSS server
- your ISP/VPN server
Both your ISP and VPN will know you've made a TCP connection to that server at a specified port, but that's it. It's trivial for them to reverse lookup the IP back into a name.
Only the RSS server will know the specific URL you're visiting though.
-
An RSS feed is literally the same as going to the website. A request is being made to the domain and anyone who can see the data between you and the website can see it. If you think you're secure going to the website normally, then an RSS feed would be secure, too.
-
Somebody would have to actively watch you. And properly set up it would still be more private.
You follow a bunch of political sites. Your FBI agent sees your computer connect to the sites. With regular browser he sees each site and how much time you spend there, which articles you pull.
With RSS set to once a day, your computer pulls all the text from all the political sites. No data on which articles you view.
It’s the equivalent of getting several newspapers/magazines by subscription vs ordering specific issues.
The downside is that it probably is a great fingerprint if you go through vpn or tor. But it also could limit your tor/vpn connection time to the shortest time possible.
-
Somebody would have to actively watch you. And properly set up it would still be more private.
You follow a bunch of political sites. Your FBI agent sees your computer connect to the sites. With regular browser he sees each site and how much time you spend there, which articles you pull.
With RSS set to once a day, your computer pulls all the text from all the political sites. No data on which articles you view.
It’s the equivalent of getting several newspapers/magazines by subscription vs ordering specific issues.
The downside is that it probably is a great fingerprint if you go through vpn or tor. But it also could limit your tor/vpn connection time to the shortest time possible.
What do you mean? How is it any less private than on the clearnet?
-
The answer is absolutely yes.
Keep in mind that RSS is just some XML sent over an HTTPS connection. For anyone outside, it will look like gibberish, they can say you are requesting and getting some things from that particular site but not what it is.
-
Gonna give you a tip.
Assume that 99% of anything you access online is visible to your ISP (and therefore your government and police) and the hoster of the service.
-
The downside is that it probably is a great fingerprint if you go through vpn or tor. But it also could limit your tor/vpn connection time to the shortest time possible.
What do you mean? How is it any less private than on the clearnet?
Adversary just has to look for somebody who requests the exact same news sources.
RSS in theory would be fucking perfect for tor. But all the best development for it occurred before tor got great.
For privacy have a client download from random news sources on the list. Then a new circuit and download another random amount. That would be a perfect way to receive news.
-
I wouldn't go so far as to say it's literally the same as browsing a website. Your feed reader isn't a full web browser and as far as I know most don't execute javascript. They will still generally fetch images, and fetching the feed itself is just an http/s request, but it may or may not always be a request to the same web server as the website of whatever publication you're subscribing to. So IMO you're already starting from a somewhat better position in terms of data leakage, since the feed isn't loading analytics software or advertiser javascript or any of that stuff which feeds the vast majority of bulk data collection in the private sector.
One downside might be that if you have your feed reader set up to automatically poll for updates regularly, you may forget and it may do that polling on networks you didn't intend to (when your VPN is off or you're on school/work internet).
If you have a specific threat model, or a couple, that you want to guard against, it's much easier to come up with solutions that thwart those exact threats, than just trying to be "as private as possible" all the time (very difficult, all technical solutions have tradeoffs). You could make the requests through tor. You could use a proxy to encrypt your traffic up to a server you control before going out to the various sites. You could use a VPN service. Those all have different tradeoffs, tor exit nodes might be widely blocked, it might be hard to connect to tor period on some locked-down networks, the server host and their ISP can still see some details about your traffic if you run your own proxy or VPN server, but it is another step removed from your local network/isp and the site both tracking you directly by IP, user-agent, etc.
As an aside, RSS-based podcasts are a place where this tends to get interesting since the field is dominated by big distribution services. Assuming HTTPS is in use, most podcasts you might subscribe to can't easily be tracked by your ISP or network admins, since they'll blend in with all the other traffic going to say, acast, libsyn, iheart, whatever, and HTTPS blocks them from seeing the full URL or data in transit, only the domain name from SNI. They can only tell that you downloaded data from a podcast network, not what podcast it was.
-
Depends on your threat model. If you use secure DNS and https for the RSS feed, then these people would know your IP and the IP you're connecting to:
- the DNS provider
- the RSS server
- your ISP/VPN server
Both your ISP and VPN will know you've made a TCP connection to that server at a specified port, but that's it. It's trivial for them to reverse lookup the IP back into a name.
Only the RSS server will know the specific URL you're visiting though.
and the site itself!
-
Adversary just has to look for somebody who requests the exact same news sources.
RSS in theory would be fucking perfect for tor. But all the best development for it occurred before tor got great.
For privacy have a client download from random news sources on the list. Then a new circuit and download another random amount. That would be a perfect way to receive news.
You raise a good point. I think that if an RSS reader could pull from different websites at separate times and either programmatically use the TOR browser / at least have support for stream isolation along with randomly scheduling when to pull from what website, it should be able to evade most automated measures of surveillance. Timing and correlation attacks are the only ones I can think of other than NSA paying for over 50% of TOR nodes.
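
The polling scheme discussed in the two posts above (random subsets of the feed list, a separate circuit per subset, randomized timing), sketched as an added example that is not part of the thread or any existing reader. It assumes a local Tor SOCKS port at 127.0.0.1:9050 with Tor's default `IsolateSOCKSAuth` behaviour, where differing SOCKS credentials put streams on different circuits; the feed URLs are constructed placeholders.

```python
import random
import secrets
from dataclasses import dataclass

# Constructed sample subscription list (placeholder hosts, not from the thread).
FEEDS = [f"https://news{i}.example/feed.xml" for i in range(1, 9)]

@dataclass
class Batch:
    start_s: int      # seconds after the start of the polling window
    feeds: list       # feed URLs fetched together on one circuit
    socks_user: str   # unique SOCKS5 credentials per batch, so Tor
    socks_pass: str   # isolates each batch onto its own circuit

def plan_day(feeds, window_s=86400, max_batch=3, rng=None):
    """Split the subscription list into random batches at random times."""
    rng = rng or random.SystemRandom()
    pending = list(feeds)
    rng.shuffle(pending)  # fetch order says nothing about preference
    batches = []
    while pending:
        size = rng.randint(1, min(max_batch, len(pending)))
        chunk, pending = pending[:size], pending[size:]
        batches.append(Batch(
            start_s=rng.randrange(window_s),
            feeds=chunk,
            socks_user=secrets.token_hex(8),
            socks_pass=secrets.token_hex(8),
        ))
    return sorted(batches, key=lambda b: b.start_s)

def proxy_url(batch, host="127.0.0.1", port=9050):
    """SOCKS5 proxy URL for one batch; socks5h also sends DNS through Tor."""
    return f"socks5h://{batch.socks_user}:{batch.socks_pass}@{host}:{port}"

if __name__ == "__main__":
    # Print the plan only; a real reader would sleep until start_s and
    # fetch each batch through its own proxy_url().
    for b in plan_day(FEEDS):
        print(f"t+{b.start_s:>5}s via {proxy_url(b)}")
        for url in b.feeds:
            print("   ", url)
```

No exit relay or observer of a single circuit sees the full subscription list this way, but as the post notes, timing and correlation attacks are not addressed by scheduling alone.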
-
Only the RSS server will know the specific URL you're visiting though.
and the site itself!
They are one and the same.
-
They are one and the same.
jeez I wasn't reading very carefully. I read that as "Only the RSS reader"
-
An RSS feed is literally the same as going to the website. A request is being made to the domain and anyone who can see the data between you and the website can see it. If you think you're secure going to the website normally, then an RSS feed would be secure, too.
There's a difference: Websites have JS and requests to CDNs. RSS feeds don't.
-
There's a difference: Websites have JS and requests to CDNs. RSS feeds don't.
Why do you think an RSS feed can't sit on a CDN?
-
Why do you think an RSS feed can't sit on a CDN?
What I meant were CDNs such as Google's providing common resources like fonts or JS libraries.