

PubSubHubBub Security Concerns - mbrubeck
http://www.xn--8ws00zhy3a.com/blog/2009/11/pubsubhubbub-security-concerns

======
curio
It sucks that comments aren't enabled on that post. You can see the responses
from the community (including Brett Slatkin, one of the authors) on the Google
Group for PuSH:

[http://groups.google.com/group/pubsubhubbub/browse_thread/th...](http://groups.google.com/group/pubsubhubbub/browse_thread/thread/b3d376b6778974b9)

------
derefr
It seems that all of these problems could be eliminated by giving every
client, feed server, hub and actual feed a UUID, and swapping them in a
handshake. (A feed having the same UUID would be a necessary, but not
sufficient, condition to consider it the same as another feed; it would still
compare the URLs.) This would reduce the actual message transmission, in cases
of mistaken identity, to a few (16-32) bytes each time. Then, clients,
servers, or hubs which repeatedly return incorrect responses to identity
queries would just have to be throttled.

------
serhei
Oh dear... time to get news.yc to render international URLs properly.

