While I don't like how Twitter handled this, I don't think they had any
choice. I feel like Twitter should have come out as soon as OAuth was
disabled and said they were fixing a security issue. Security issues are
however very sticky topics. Especially when megacorps like Google and Yahoo!
are involved. If Twitter spills the eggs early they run the risk of being
excluded from future security news.

As for OAuth. I am also disappointed with how they handled it. OAuth is an
open spec and as such I expect a level of transparency that was not
provided. This is part of the growing pains of adoption and being used in a
business centric internet. I had a brief conversation with @chrismessina and
@TheRazorBlade and see the reason for their decision. When OAuth services
started going down I would have preferred to see a notice that a security
fix was being prepared. On the plus side they did notify all known OAuth
providers. OAuth is still a young spec and will learn and mature from this
event.

Adoption of Twitter's OAuth will be hurt by this. Which is sad because I am
tired of giving out my password. It does show how much the Twitter developer
community cares though. All I heard all day was "Twitter OAuth down!" never
"<insert other service here> OAuth is down!". This shows the community is
thriving and active and as long as Twitter does not alienate the developers
more it will continue to grow.

Abraham

On Wed, Apr 22, 2009 at 18:58, Alex Payne <a...@twitter.com> wrote:

>
> We don't consider source registration a "key feature". It's an
> incentive we provide to our developers. We wanted to encourage new
> developers to look into OAuth. It won't be in beta forever, after all.
>
> We have to balance the reality of testing a new technology in our
> stack with encouraging that technology's adoption. OAuth will provide
> the Twitter developer community with a number of benefits, and that's
> the direction in which we want to move, even while there are kinks to
> work out.
>
> On Wed, Apr 22, 2009 at 15:37, bwannon <bwan...@gmail.com> wrote:
> >
> > If beta for you guys means "still in testing, not suitable for
> > production use", then why deprecate key features from basic auth like
> > source registration before you have a production ready release?
> >
> > On Apr 22, 3:27 pm, Alex Payne <a...@twitter.com> wrote:
> >> http://blog.twitter.com/2009/04/whats-deal-with-oauth.html
> >>
> >> In short: there's a security issue with OAuth, and the major OAuth
> >> providers are working together to patch the vulnerability before
> >> information about the issue is publicly released. That information
> >> will be available at http://oauth.net/ at midnight, PST.
> >>
> >> In cooperation with this consortium of other OAuth providers
> >> (including Yahoo!, Google, Netflix, etc.), we agreed not to disclose
> >> the nature of the vulnerability, nor even that a vulnerability
> >> existed, until all members of the group agreed to do so. I apologize
> >> for what must have seemed unnecessarily tight-lipped communication
> >> around this issue, but please understand that we and the other
> >> companies involved are trying to mitigate the impact of this
> >> vulnerability as much as possible.
> >>
> >> Please also note that our OAuth support is in beta, albeit public
> >> beta. We have not suggested to developers that they rely solely on
> >> OAuth until our support of the standard leaves beta. I know that some
> >> companies practice a policy of "perpetual beta", but at Twitter, we do
> >> not. For us, "beta" really means "still in testing, not suitable for
> >> production use".
> >>
> >> Thanks for your patience and understanding.
> >>
> >> --
> >> Alex Payne - API Lead, Twitter, Inc. http://twitter.com/al3x
> >
>
>
>
> --
> Alex Payne - API Lead, Twitter, Inc.
> http://twitter.com/al3x
>



-- 
Abraham Williams | http://the.hackerconundrum.com
Hacker | http://abrah.am | http://twitter.com/abraham
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
Sent from Madison, Wisconsin, United States