How do people think RSS URLs could be secured for use in financial subscriptions?
After listening to Steve and Leo’s Security Now #13 podcast on WPA encryption, I came up with this idea.
Comments are welcome.
This assumes the user logs into a secured site via https and is inside a fully https environment when asking for the cookie.
- Generating a pre-authenticated, random-looking URL when the user requests the query string that will match their data.
Instead of just using https://bigmoney.com/myfeeds?username=myuser&password=mypass or something silly like that, you would generate a URL that goes more like https://bigmoney.com/myfeeds/293k482k2nb2hy43u5j2n2b1g243k455k. This step is just for obscurity and to be able to disable the URL. The server keeps this feed association, and will expire the feed key when the user changes password, at which point they would need to resubscribe.
- A cookie with another key is placed on the feed the very first time (and only the first time) the feed is accessed. All other access attempts with no cookie are rejected forever.
- As the requests come in, the cookie is updated with a new key. The server only accepts up to 3 (configurable) “past” cookies (to allow for interrupted connections), and rejects all other attempts, even with the original cookie. This borrows from the way WPA does temporary key. If you want to use more than one aggregator, go to the your secured site and ask for another URL for the same query string.
I wonder what people think about this approach. Is it easy to break? Is there some better way to do it?