Evan Martin (evan) wrote in lj_dev,

rss and security

Via email:
On Wed, Nov 26, 2003 at 09:10:46PM -0800, Dare Obasanjo wrote:
> Do you guys have any response to some of the issues pointed out in the
> post below
>    [long scary link]

I really don't appreciate the implication of "they implemented this
ghetto authentication mechanism knowing full well that most aggregators
don't support it".  I think one of the fundamental rules of internet
etiquette is to assume ignorance/laziness unless you have a good reason
to believe otherwise.

It was actually quite a shock to come from the world I'm most familiar
with (open source) into the world of "blogging" and atom because of the
massive amounts of flaming involved.  (I've never interacted with Dave
Winer, but man, people sure seem to hate him a lot!)  I pretty much
stopped reading the Atom list because almost every thread degenerated
into personal accusations.  Maybe that's how things get done in this
culture, but please be gentle with us; we'd like to cooperate but we're
still foreigners.

The simple fact is that LJ was made long before Brad (for what it's
worth: I can't really vouch or speak for him, but I can guess pretty well)
was even aware of aggregators.  I don't personally know the details of
how HTTP auth works (can you auth at one point on the site and have that
passed around with every subsequent request?  can you auth through a
nice web form or do you need that browser popup?), but I think it'd be fair
to assume that LJ used cookies for authentication because that's what
everyone else did and for better management-- for example, the "permanent
login" option allows the cookies to persist beyond browser sessions;
instead of keeping passwords around in the client cookies, we keep
around session ids that expire.

When RSS was added (to be more blunt: LJ was retrofitted for RSS),
support for protected entries wasn't really thought through, because (as
you are probably aware) aggregators didn't support LJ specially.  (To be
honest, though, I don't think any of us really follow aggregators
carefully; I've heard of yours, but I don't think I've ever seen it or
known anyone who uses it.  It's Windows-based, right?  I don't think
most of the core LJ developers even have access to machines running
Windows.) The fact that RSS feeds include protected entries when the
proper cookies are provided is mostly a side effect of the cookie login
information being handled centrally.

I'm sure it'd be a nice feature if RSS Bandit supported LJ protected
entries (and if you ask really really nicely I'm sure some dev could
even add support for HTTP auth), but as you point out the whole system
would be a hack.  Even if we were using HTTP auth, every person using
your aggregator would need their own account on LJ anyway so they could
be added to friends lists to see protected entries.  Ew!

The sad fact is that (to my knowledge) there isn't a good/usable
cross-site security model that would make this be anything but a hack.
LJ's security model tends to exclude others because when it was created,
there weren't really others to interoperate with.  I'd love it if such a
system existed (and we even scribbled out on the plane to the first Atom
meeting some notes on how such a system might be made that was secure
*and* transparent to the users) but after seeing the amount of squabbling
over what (at least to me) seemed like trivial issues, I've gone back to
