moderated RSS feeds for private groups? #suggestion


 

Colin,

> If the RSS feeds are retrieved over HTTPS then there's no more security risk than any member's password being compromised.

Huh?

HTTPS does nothing to authenticate that the person using the URL even has an account at Groups.io, much less is a member of the specific group.

A member-specific token (hashed) helps somewhat by preventing non-members from obtaining a valid token merely by visiting the group's home page.

But if a member forwards or posts the tokenized URL somewhere then it is game over. First someone would have to detect that the URL is being misused, and then there would need to be a means to repudiate the token.

Both are possible*, but detecting that there is misuse is by far the more challenging. Even if the perp does something so blatant as posting the group's messages on a public blog it can be a considerable length of time before someone stumbles upon that fact.

Shal
*An URL with an embedded token is in fact the means by which Flickr implements the "Guest Pass" feature, and those tokens can be repudiated. It is also the means by which the former Yahoo! Groups implemented an ability for members to retrieve message attachments from the site without being logged in. I think Google Photos' Shared Album feature works similarly, and I think there are many other examples of quasi-private sharing by means of a secret (tokenized) URL.

However, except Yahoo Groups, the examples I can think of are all situations where the person creating the "share" link is the owner of the shared content. This is not the case with the messages of a Groups.io group.
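
An added sketch of the per-member token scheme discussed in the post above (not part of the thread and not Groups.io's implementation): one random token per member stored only as a hash, a way to repudiate it, and a crude misuse signal based on how many distinct client addresses present the same token. The class, method names and the `max_sources` threshold are assumptions for illustration.

```python
import hashlib
import secrets
from collections import defaultdict


class FeedTokens:
    """Per-member feed tokens for one private group (hypothetical helper)."""

    def __init__(self, max_sources=3):
        self._by_hash = {}                 # sha256(token) -> member id
        self._revoked = set()              # hashes that have been repudiated
        self._sources = defaultdict(set)   # hash -> distinct client addresses seen
        self.max_sources = max_sources     # assumed threshold for "possibly shared"

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def revoke(self, member_id):
        """Repudiate every live token of a member; return how many were live."""
        live = [h for h, m in self._by_hash.items()
                if m == member_id and h not in self._revoked]
        self._revoked.update(live)
        return len(live)

    def issue(self, member_id):
        """Create a new token; any earlier token for the member stops working."""
        self.revoke(member_id)
        token = secrets.token_urlsafe(32)  # 256 random bits, embedded in the feed URL
        self._by_hash[self._digest(token)] = member_id
        return token                       # only the hash is stored server-side

    def check(self, token, client_addr):
        """Return (member_id, suspicious) for a live token, else None."""
        h = self._digest(token)
        member = self._by_hash.get(h)
        if member is None or h in self._revoked:
            return None
        self._sources[h].add(client_addr)
        return member, len(self._sources[h]) > self.max_sources


if __name__ == "__main__":
    # Constructed sample: one member, fetches from documentation-range addresses.
    tokens = FeedTokens(max_sources=2)
    t = tokens.issue("alice")
    for addr in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(addr, tokens.check(t, addr))
    tokens.revoke("alice")
    print("after revoke:", tokens.check(t, "192.0.2.1"))
```

The address count is only a weak signal: a forwarded URL fetched through a single hosted feed reader never trips it, which is the detection gap the post describes.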


Duane
 

On Tue, Mar 23, 2021 at 02:22 PM, Colin 't Hart wrote:
> If the RSS feeds are retrieved over HTTPS then there's no more security risk than any member's password being compromised.

I was thinking more of miscreant members using the feed for nefarious purposes. I had that happen on a Yahoo group, even without an RSS feed. I just don't want to make it any easier for them.

Duane


 

If the RSS feeds are retrieved over HTTPS then there's no more security risk than any member's password being compromised. Not adequately vetting a new member is more of a risk.

/Colin


Duane
 

On Tue, Mar 23, 2021 at 08:24 AM, Colin 't Hart wrote:
> Please, please, please. I have too many groups I'd like to follow :-)

Please DON'T. I don't need any more security risks. The bad guys already cause enough problems.

Thanks,
Duane


 

Any chance we can get RSS feeds for private groups? This would require embedding some sort of token into the RSS feed URL.

Please, please, please. I have too many groups I'd like to follow :-)

Thanks,

Colin