Saturday, January 15, 2005, 8:52:39 PM, you wrote:

> On 15 Jan 2005, at 8:28 pm, David Powell wrote:

>> 11.1  Verifying the Authenticity of Self Links

> Can someone explain the attack model here? The worst that I can see 
> happening is that when you try to subscribe to my feed, you end up 
> subscribed to someone else's. How does this harm anyone but me?

Feed IDs are optional, so software is likely to use the feed location
to identify feeds. So if a user subscribes to a feed with a faked
"self" link, then they will see the initial entries of the faked
document, merged with future entries from the real feed, which could
be used to misrepresent the author of the real feed.

It probably isn't a significant attack. If a user is vulnerable to
subscribing to a fake feed, then redirecting the user to a genuine
feed is the nicest thing the attacker could do.

-- 
Dave

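The scenario Dave describes (a subscriber keys the feed on its rel="self" link, so a forged self link lets an attacker's entries be merged with the genuine feed's) can be made concrete with a small subscriber model. The code below is an added example written for this page; it is not from the thread, the Atom drafts, or any feed reader. It assumes the Atom 1.0 namespace, two constructed sample documents (the genuine feed and an attacker's copy whose self link points at the genuine URL), and a hypothetical policy in which the self link is honoured only when it agrees with the location the document was actually fetched from; otherwise the fetched URL is used and the mismatch is reported.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Assumption: Atom 1.0 namespace (the thread predates the final spec).
ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample inputs (not from the page). The attacker serves a copy of
# the victim's feed from their own host but keeps the victim's self link.
GENUINE_URL = "http://victim.example/feed.xml"
FAKE_URL = "http://attacker.example/feed.xml"

GENUINE_FEED = f"""<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Victim's blog</title>
  <link rel="self" href="{GENUINE_URL}"/>
  <entry><title>Genuine post</title></entry>
</feed>"""

FAKE_FEED = f"""<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Victim's blog</title>
  <link rel="self" href="{GENUINE_URL}"/>
  <entry><title>Bogus post attributed to the victim</title></entry>
</feed>"""


def normalize_url(url):
    """Canonicalize a URL just enough to compare feed locations:
    lowercase scheme and host, drop default ports and the fragment, and
    make sure an empty path compares equal to '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def self_link(feed_xml):
    """Return the href of the feed-level rel="self" link, or None."""
    root = ET.fromstring(feed_xml)
    for link in root.findall(ATOM_NS + "link"):
        if link.get("rel") == "self" and link.get("href"):
            return link.get("href")
    return None


def entries(feed_xml):
    """Return the entry titles, in document order."""
    root = ET.fromstring(feed_xml)
    return [e.findtext(ATOM_NS + "title") for e in root.findall(ATOM_NS + "entry")]


def feed_identity(fetched_url, feed_xml):
    """Decide which key a subscriber should file this document under.

    Hypothetical policy for this example: the self link is trusted only when it
    names the location we actually fetched; otherwise the fetched URL wins and
    the discrepancy is returned so the reader can warn the user."""
    claimed = self_link(feed_xml)
    if claimed is None:
        return fetched_url, None
    if normalize_url(claimed) == normalize_url(fetched_url):
        return claimed, None
    problem = f"self link {claimed!r} does not match fetched location {fetched_url!r}"
    return fetched_url, problem


def subscribe(store, fetched_url, feed_xml, trust_self_link):
    """Merge the document's entries into `store` (feed key -> list of titles).

    trust_self_link=True models the naive reader the mail describes: it keys the
    subscription on whatever rel="self" says, so a forged self link lands the
    attacker's entries in the same subscription as the real feed."""
    if trust_self_link:
        key = self_link(feed_xml) or fetched_url
    else:
        key, _problem = feed_identity(fetched_url, feed_xml)
    store.setdefault(key, []).extend(entries(feed_xml))
    return key


def demo():
    """Replay the attack against a naive and a checking subscriber.

    The user first follows the attacker's link, then the reader later fetches
    the genuine feed at its real location."""
    naive, checked = {}, {}
    for store, trust in ((naive, True), (checked, False)):
        subscribe(store, FAKE_URL, FAKE_FEED, trust)
        subscribe(store, GENUINE_URL, GENUINE_FEED, trust)
    return naive, checked


if __name__ == "__main__":
    naive, checked = demo()
    print("naive reader:  ", naive)
    print("checking reader:", checked)
```

In the naive store the bogus entry and the genuine one end up under the same key, which is the merge the mail describes. The checking reader files the attacker's copy under the attacker's URL and can surface the mismatch. Note that a mismatch is not by itself proof of an attack: mirrors, redirects and feeds that have moved produce the same discrepancy, so a reader will usually want to warn and ask rather than refuse outright.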