Protected RSS feeds, web-based news aggregators, and user convenience
Jun 6th, 2006 by Karen
Sometimes you sit down and plan something only to discover that all the desired traits make things impossible under current technologies. This seems to be the case for our ongoing internal blog projects. These blogs (and their RSS feeds) are password protected because the content on them is really part of our intranet. In order to view them from a non-library IP address, people have to authenticate using their computer username and password. Additionally, we do the authentication over SSL in order to make sure the username and password are encrypted.
This all is sound in theory except for one big problem. None of the current web-based news aggregators (Bloglines, Rojo, etc.) support authenticated RSS feeds over SSL. So essentially people can’t subscribe to the RSS feeds unless they use a desktop aggregator, which none of them have or want to have. Sigh… It’s a vicious chicken/egg cycle that has had my head spinning for a week. At the moment the organization is faced with a decision: make our private internal blogs no longer private, or make people use a desktop aggregator. If we make the private blogs public, we need to make sure that there isn’t content there we don’t want external people to see. If we choose to force people to use a desktop news aggregator, then we need to find one that is cross-platform/browser compliant that we are willing to support. I’m not particularly looking forward to the discussion/decision. I really wish that we could have the best of all worlds, but with technology the way it is, it isn’t going to happen. So all we can do is make the best choice we can for right now and revisit the issue when technologies change.


This has been an ongoing problem for us. One internal blog contains lots of sensitive information, so password protection is a requirement. But it also contains lots of time sensitive information, so RSS would be the ideal way to keep up with the content. But no dice. Everyone has to remember to check the blog regularly by actually visiting the site. Same thing with a distance ed class I’m teaching this summer. The site had to be sealed up tight, so no usable RSS for the students.
On another internal blog, in order to facilitate RSS subscriptions, we essentially hid the blog by not providing any hyperlinks to our site, thus preventing the search engines from finding it. Of course, we then had to stress to everyone how important it was that they not publish the link anywhere. But on the plus side, it’s a lot easier for everyone to keep up to date on this one.
Karen;
Did you know that you can embed the username and password into the URL of the feed? The format is: http://username:password@restofURL
You’ll just want to make sure you mark the feed as private so as to not let others see your subscription and therefore the URL.
I’ve done this with several private feeds without problems. Then again, I’ve not told those that set up the feeds I’m doing it either so I don’t know if I’m violating any policies by doing this.
Michael
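An added example (not part of the original post or comments): a short Python audit of an aggregator's OPML subscription export that finds feed URLs carrying embedded credentials in the format above, redacts them for display, and flags any that would send the password over plain http. The OPML content, hosts and credentials are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample OPML export; hosts and credentials are placeholders.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.1">
  <body>
    <outline text="Staff blog" type="rss"
             xmlUrl="http://jdoe:s3cret@intranet.example.org/staff/feed"/>
    <outline text="Projects" type="rss"
             xmlUrl="https://jdoe:s3cret@intranet.example.org/projects/feed"/>
    <outline text="Public news" type="rss"
             xmlUrl="http://www.example.org/news/feed"/>
  </body>
</opml>"""


def redact(url):
    """Return url with any user:password@ part replaced by a marker."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    # Keep host (and port) exactly as written, drop only the userinfo.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, "REDACTED@" + host,
                       parts.path, parts.query, parts.fragment))


def audit_opml(opml_text):
    """List feeds whose URL carries credentials, in a form safe to log."""
    findings = []
    for node in ET.fromstring(opml_text).iter("outline"):
        url = node.get("xmlUrl")
        if not url:
            continue
        parts = urlsplit(url)
        if parts.username is None and parts.password is None:
            continue
        findings.append({
            "title": node.get("text", ""),
            "url": redact(url),
            # Without SSL the username and password cross the wire unencrypted.
            "cleartext": parts.scheme.lower() != "https",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_opml(SAMPLE_OPML):
        print(finding)
```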
Embedding the username and password only works if the URL is an http:// URL, not an https:// URL. Since my feeds both require a username and password and are accessed via SSL (https://), this won’t work.
Whoops, missed that bit. Good point. If you find a solution please let us all know.
Noticed that Bloglines published an updated spec for privacy opt-out:
http://www.bloglines.com/about/specs/fac-1.0
Niall Kennedy went to Microsoft and posted about specifically working on this problem (his post about this was subsequently removed).