Yahoo's Open Strategy

Yahoo, of course, would prefer to lock its users into using its services. However, Yahoo has also been a major proponent of OpenID and a lot of the recent announcements around Yahoo Open, SearchMonkey, and allowing more third-party content on Yahoo's sites make us believe that Yahoo might indeed be willing to allow users to bring credentials from other providers to Yahoo. The easier it is to log into a service, the more like you are to use it and to return to it.

Smart Move?

Do you think this would be a smart move by Yahoo? Or should they just throw their weight behind OpenID? Would you be more likely to use Yahoo services if you didn't have to sign up with Yahoo?

• Martin Atkins
• John Bradley
• Johannes Ernst
• Snorri Giorgetti
• Eran Hammer-Lahav
• Dick Hardt
• Mike Kirkwood
• Brian Kissel
• Scott Kveton
• Chris Messina
• Peter Nixey
• David Recordon
• Eric Sachs
• Nat Sakimura
• Luke Shepard
• Joseph Smarr
• Allen Tom

Current members of the OpenID Foundation are encouraged to visit the OpenID Foundation, log in with their respective OpenIDs, and cast votes for up to seven candidates. For those who have not yet joined the Foundation, registration is open, starting at $25 for an individual account.

The elections will remain open until December 24, 2008. The new Board will be announced before December 31, 2008. Board members begin their term on January 1, 2009.

At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too.

The Nature of The Problem

The problem was a vulnerability to something called a "Session Fixation Attack." The gist of it is this. Services supporting OAuth let their users pull data into other websites for reuse around the web. In order to do this securely, the 3rd party site has to ask the original site for permission. This might be a new little website asking permission to import your Gmail contacts or to post to Twitter through their site instead of Twitter.com. OAuth was born from the work that Flickr did to create a secure way that other applications could be granted permission to access your photos for printing, editing or posting elsewhere.

The problem arose if an attacker could convince you to complete their request for account permission with your login. At the end of the process they would have access to your account.

Hammer-Lahav explains how this works in detail and offers flow charts in his blog post explaining the technical nature of the problem. For another explanation of this kind of attack see Mitja Kolsek's paper titled Session Fixation Vulnerability in
Web-based Applications (PDF), which was published in 2002. In other words, this is not a new problem - it was just newly discovered to be an OAuth vulnerability.

How It All Went Down

Eran Hammer-Lahav was at FOOCamp when he realized this was a problem that extended far beyond Twitter's implementation. All 30 companies currently offering OAuth were vulnerable. MySpace, Yammer, PhotoBucket. Google, Netflix, Yahoo. Millions of peoples' accounts were at some risk.

If OAuth was software, a fix could be implemented and pushed out to everyone who was using it. But it's not, it's just a standard-based specification implemented out in the wild and no one party is in charge of it. Someone had to do something though, and they had to do it fast.

The first thing Hammer-Lahav decided to do was call up Alex Payne, API lead at Twitter. Though Twitter had done everything right, it was a particular Twitter implementation that revealed the whole problem and it had only been out for a few days. (We thought it a big enough deal that we wrote a whole post about that implementation.)

Twitter shut down the OAuth option for login within 30 seconds of his phone call, Hammer-Lahav says. They did it without explanation, because they were asked to keep quiet about the security problem for one week - in order for all the providers to get a chance to respond before the security problem went public and could be exploited.

Developers cried out that Twitter was shutting down technology essential to their business without warning - and not for the first time. Robin Wauters wrote a post on TechCrunch channeling developer anger over the shut-off. (Lest we imply too much criticism we'll note that we've written very similar stories ourselves.)

Twitter was widely criticized - and they kept their mouth shut, saying only that it was a temporary problem that would soon be resolved. "I can't stress enough how noble Twitter's behavior was yesterday," Hammer-Lahav told us. "Twitter bashing is a sport now and it's a sport that sells ads. Techcrunch wasn't aware of the security threat but it put Twitter in a position where if they were going to talk about it then they would put other companies at risk. We told Twitter that it was going to go public so do your own PR management and they did a good job. The emails sent by other providers to Twitter thanking them for taking that hit have been amazing."

After contacting Twitter, Hammer-Lahav started emailing all 30 companies listed as OAuth providers with Chris Messina's help. Half of them had representatives at FOOCamp, the event he was calling from. He explained the problem to them as he was able to reach people and asked them not to discuss it until next Thursday, one week later. He knew it would be a difficult secret to keep with so many parties involved, including the frustrated developers trying access all of those companies' OAuth APIs.

"At first it took me half an hour to explain the problem," he says. "By the next day I had the explanation down to 30 seconds." Within 12 hours the group discussing the problem knew there was no simple solution - it could require changes by OAuth providers and outside applications that consume OAuth permission in order for everything working again.

The group of OAuth providers formed an email list to discuss the problem and fifty people from 30 companies joined in. Deciding to focus on communicating with the initial service providers was a decision that had to be made. "You have to triage the parties involved," Hammer-Lahav says. Providers needed extra time to deal with the problem because they couldn't just plug the hole or pull the plug easily; FireEagle, for example, only has an OAuth API - there's no other way for the service to function.

OAuth is being advanced by a decentralized community of developers and other parties, but Eran Hammer-Lahav has been its most visible advocate. He's gained years of experience in the trenches fighting for a variety of open standards. He talked to every OAuth provider on the list and volunteered to act as the Community Threat Response Contact. Yahoo, his employer, told him to take as much time and do whatever he needed to deal with the problem. The company put Allen Tom in charge of Yahoo's response and donated Hammer-Lahav's paid time to the community effort. "If I was working for a different company this might not have been possible," he says. "Yahoo! had a whole team of people managing their own response to the situation."

All thirty companies sprung into action to neutralize the security risk and prepare their respective technical responses. Mashery co-founder Clay Loveless and team pushed back other work to pull all nighters and others pitched in as well. Everyone was an equal participant in working together, from single person startups to multibillion dollar companies. "Yahoo and Google put engineers on the line helping people with small startups to review solutions they were going to deploy," Hammer-Lahav says. "Usually the big guys figure it out amongst themselves and leave everyone else to their own devices. This felt like a real community. There was no liability because it was casual advice. Security people are expensive. Some startups don't even have in-house engineers, they are entirely outsourced."

One by one many of the providers shut down their APIs and one by one they implemented solutions.

By Wednesday, one day before the self-imposed period of silence was over, there had to be a lot of pressure built up behind the scenes. Alex Payne, the man in charge of the Twitter API and a guy who is much less grumpy than you'd probably be if you had his job, started getting visibly frustrated. "The view from under this bus is really something," he said on Twitter. "Nobody in the tech press has bothered to contact me for comment on the OAuth issue. Why bother with facts when speculation drives clicks?"

Just after noon on Wednesday, CNet's Caroline McCarthy reported that Twitter and others had pulled OAuth support because of a security problem in the spec. "In the interest of online safety," she wrote, "CNET News has chosen not to make the details of the security hole public." McCarthy was at FOOCamp as well and may have heard about the security issue then, but decided to more or less respect the wishes of the developer community and hold off writing about the issue at all until just before the deadline lifted. If that was the case then she both won accolades from involved parties for her discretion and got a lot of pageviews for jumping deftly on the story after the threat had mostly passed but before others wrote about it.

Minutes after the real story was out, Twitter posted about it on the company blog. Then the official OAuth blog posted about it, linking to McCarthy's post and publicly thanking Twitter for taking all the heat for days. Chris Messina worked fast to update the site and co-ordinate the community response. Then API service provider Mashery, the company that powers OAuth APIs for Netflix and many other companies, posted about it on its blog, assuring customers that the problem was small and under control and thanking Twitter as well. Finally Dave Winer, a web forefather and hardcore Twitter critic, made a post on his blog urging people to lay off Twitter and appreciate the way they were communicating with people about a number of intersecting and difficult technical problems.

One day later, one week after the community responding to the OAuth threat called for a week of silence to come up with a solution - Twitter announced that its OAuth API was back.

That was yesterday and by today almost all of the 30 OAuth providers have OAuth back up and running. There are two different long-term solutions in the works that are being debated on the email list as we speak. Hammer-Lahav says he expects a revised draft of the spec will be ready next week.

And that's how a decentralized community solved a security threat in an open identity spec, quickly. One company (Twitter) took a risk at implementing a new technology advocated by an employee of another company (Yahoo's Hammer-Lahav), then an engineer at yet another company found the beginning of the security hole, then news of the whole problem was sent out to contacts on a Wiki, an email list was formed, companies donated their employees' valuable time to aid in the effort, everyone more or less kept their mouths shut (including the unfairly criticized Twitter) and then everyone worked together to find a solution just in time. I think that's a pretty cool story.

Lessons for the Future

Hammer-Lahav took the lead in responding to this crisis and says he did it with the future of crisis response in open web communities in mind. Creating a template now for the future is only so possible, though. "In a year this same approach isn't going to work because too many businesses are going to depend on the providers," he says. "If we don't find a way to deal with this in the future then companies will remain very cautious about relying on multiple data sources." He says that people want to create a database listing all the parties involved in technologies like this, but prioritizing who gets talked to first will depend on the nature of the threat.

Finally, Hammer-Lahav says that more companies need to empower more employees to step up and take leadership in this kind of situation. The combination of technical, people and process skills is rare but those people need to be found. "It's not sufficient to have only Chris Messina and I as the two people who can do this," he told us. "We need other companies to step up and say there are people in their organization that can support the community. Yahoo said 'you're going to go do this for the community for as long as it takes,' Yahoo was paying me to manage the community threat in a way that was not purely in their self interest."

Can open communities advocating for an open web respond quickly and effectively to inevitable security issues? It sounds easier said than done, but for now we've got at least one very interesting story that says it is possible.

If you try to get rid of every email that ever hits your inbox, if you are required to archive every email you send and receive for work, or if you're like me and just don't care about hundreds of thousands of unread messages in your inbox - then Nudgemail probably isn't for you. But if you use your email inbox like a To Do list and would like to hit snooze on a thread - then you might like the service quite a bit. The email inbox is a big frontier for software development and this is just the latest example of that.

Toeman says that Nudgemail uses SendGrid for secure handling of email and his service never sees the content of your messages. (Disclosure: SendGrid sponsors ReadWriteWeb.) The service is free today and may offer group licensing packages for companies if it catches on.

Related or competing services include Followup.cc, TaskForceApp and IssueBurner. This is clearly not a brand new type of technology, but different services will serve different people well. There's also the fun old classic Futureme.org.

As Yahoo! engineer Eran Hammer-Lahav told us this Summer:

It's pretty clear that email provides a huge potential for extensibility, given the wide range of ways people use it. The inbox is much more than just a place for incoming mail, it is the primary dashboard for many web users - it is how they manage their lives.
So when looking at email as a platform, the opportunities for making it more useful and productive reach most areas of online activities.

Does Nudgemail sound like a productivity hack, as a service, that could be useful to you?

Google Buzz data can be syndicated out to other services using the standard data formats called Atom, Activity Streams, MediaRSS and PubSubHubbub. That couldn't be more different from Facebook. Google has taken open data standards to battle against a marketplace of competitors that are closed and proprietary to varying degrees. This is a very big deal.

Google Buzz was presented as a destination site, but a look at its APIs and developer roadmap indicate that it may actually intend to be a platform - the central hub for a world of distributed social networking. "This is a downpayment on where we're going with the open, social web," Google Open Web Advocate Chris Messina told us.

It's tempting to recoil at the thought of Google powering one more part of our lives online, and our friends' activity streams are a very important part of the online experience now. But if the growing number of data portability and open web advocates the company has hired can do their jobs well - then Google Buzz could be a big force for good.

People will build services on top of analyzing your public Buzz activity. They will build new applications for publishing to Buzz, just like the Twitter ecosystem has today. Planned support for things like the Salmon commenting standard mean that comments left on Buzz could appear out on blog posts around the web, and comments on blog posts could be viewed inside of Buzz when the post links are shared.

The use of full email addresses in @ public replies demonstrated today seems to indicate that it will be a cross-platform messaging service. Facebook users can only message other Facebook users but Buzz users may be able to reply to people using email IDs from other networks. That's hot stuff.

Once Activity Streams consumption, @ messages that look like Webfinger profiles to me and Salmon are in place then Buzz users should be able to read, comment on and message to conversations with people who have never seen Buzz in their lives, simply by subscribing to their feeds. There's huge potential for interoperability here.

Facebook and Twitter will face renewed pressure to publish and consume standardized data feeds as well now. If Buzz is big enough, it could break the dam holding back a flood of standardized data. Where there is standized data, there is scalable network effects, consumer choice, competition and thus innovation.

Buzz's embrace of the open web could make it a very important player in the development of the future.

Update: One critique to take into consideration is this. Google has scooped up a substantial number of formerly independent open web advocates - most recently Chris Messina, who was the leading spokesperson for the Activity Streams standard. See How Chris Messina Got a Job at Google. In that article we included the following argument from Yahoo's Eran Hammer-Lahav, the best-known technologist working to develop and support open login standard OAuth. This perspective is important to consider in thinking about the Buzz announcement and standards.

"This is clearly a big win for Google," Hammer-Lahav told us.

"Messina and Smarr are huge assets in the social web space. My concern is specific to Google. With Messina, Smarr, [inventor of OpenID and more Brad] Fitzpatrick and others all working for Google, focusing on the Social Web, there is less and less incentive for Google to reach out. Google has a strong coding culture which puts running code ahead of consensus and collaboration. Now with so many bright minds in house, they are even less likely to reach out. A week ago, you would have to get at least Google, Plaxo, and Messina (representing the independent voice) to collaborate. This week it's just Google.

"While I am certain that Messina and Smarr will keep their independent voices, and am not suggesting they will 'sell out' or alter their principles, they no longer need to surface many of their ideas out to the community. They can just have an quick internal meeting and ship products."

Is Google centralizing too much of the decision making about the future of an ostensibly decentralized web? Time will tell, but this may be the heart of the battle for the future of the social web.

This week's topic is Data Portability, the ongoing campaign for open data across the Web. We have an amazing group of Data Portability leaders lined up for this call: Chris Saad (Co-founder, DataPortability.org), Daniela Barbosa (Chair, DataPortability.org), Eran Hammer-Lahav (Open Standards Evangelist, Yahoo), and Angus Logan (Technical Product Manager for Windows Live Platform, Microsoft).

Before the call starts, we're interested in what questions you have for the panelists. Please leave a comment on this post and one of the RWW crew on the call (Sean, Marshall and myself) will do our best to ask your question.

UPDATE: the show is now finished, here is the audio:

Download MP3

Twitter released an important new feature to selected developers yesterday that could make it a compelling alternative to the fast growing Facebook Connect system for logging into sites around the web.

Facebook Connect is being adopted rapidly by sites all over the web seeking to let people sign in with a verified identity, some social data and access to publish activity back onto the Facebook Newsfeed. Now Twitter looks to be offering a similar feature and it could be a better implementation of the same idea.

Yahoo's Eran Hammer-Lahav wrote an in depth article about the new "Sign in With Twitter" functionality yesterday. He celebrates the move as particularly adherent to agreed upon standards - no proprietary "special sauce" clouds interoperability as happens with Facebook Connect. He also draws a distinction between Facebook's offering a social layer to websites vs. Twitter's new feature and its work with 3rd party sites and services that are already tightly integrated with Twitter. We're not so sure that second distinction is so important, though. We can imagine this new Twitter feature being implemented far and wide.

The idea is that sites using the new Sign in With Twitter tool will go through a relatively simple process to gain permission to access your data from Twitter. They will see if your browser is already logged in to Twitter, then they will either give you a pop-up window to log in there or they will skip directly to asking Twitter to ask you if you'd like to give access to this new site. You never have to give the new site your Twitter password, but you can give it permission to access private data like Direct Messages and the ability to post in your name.

It seems quite similar to Facebook Connect and Google Friend Connect in a number of ways. It may be more exciting though, because Twitter is a fundamentally different beast.

All social networking services these days want to be "a platform" - but it's really true for Twitter. From desktop apps to social connection analysis programs to services that will Twitter through your account when a baby monitoring garment feels a kick in utero - there's countless technologies being built on top of Twitter.

It's always been that way, Twitter's API is open at its core. Twitter would be nowhere near where it is today without its developer community.

Facebook, on the other hand, not only uses a non-interoperable system of authentication in Facebook Connect - it's also not based fundamentally on openness. It's based on giving access to your information to a limited set of the people you know. No one can see your profile at all without your explicit permission. The company has long held that protecting users' privacy is of the utmost importance. Of course Facebook is still about sharing, it's not completely closed, and it could be toying with and changing our understanding of privacy more than we know.

Is this just an accident? Hammer-Lahav doesn't think so and put it quite well on the OpenID mailing list last fall. "They never made the effort to truly engage the community and understand either specifications [OpenID/OAuth]," he wrote. "Second, for the most part, they reused existing Facebook pieces to create Facebook Connect. Those pieces could have been converted or added support for OpenID and OAuth a long time ago. And third, this is exactly what they wanted to do - these are some of the brightest minds in the industry and they know what they are doing."

The point is, though, that when I give you my Facebook "calling card" using Facebook Connect, that system has a long list of do's and don'ts for what developers can do with the data. It's letting sites borrow the data - not setting data free.

Twitter's version of the calling card should be more developer friendly and it's already more standards adherent, which is another way to say developer friendly. Prove you are who you say you are to Twitter and it will give sites you approve a big open field of your data to work with. In other words, web developers should be able to do a whole lot more for me when I give them my Twitter calling card than if I give them one from Facebook.

At least that's the way I suspect it will unfold in the near term. This battle is far, far from over though and it's an important one to the future of the connected web.

Can yet another organization really make a difference? Some observers seem to be suffering from Organization Fatigue, but we're interested to see what Berners Lee can do. A group dedicated to deep study of the web and the obstacles to its growth sounds like a great idea to us. Not everyone agrees.

The Foundation launched with a three part plan, including:

• Web Science and Research

Studying the web "as an interconnected complex system (that combines disciplines of science, biomedical science, social science, and computer science, for example)" and creating curriculum for other Web Scientists to be trained with around the world.
• Web Technology and Practice

Advancing standards.
• Web for Society

"To learn from people in socially or economically deprived communities how the Web can better serve them." (Nice that it's phrased this way.) Creating programs to extend access around the world.

Concerns

We are a little concerned about a conversation Berners Lee had with the BBC prior to unveiling the Foundation where he argued that there needs to be some way to brand trustworthy websites as trustworthy. That strikes us as either silly or frightening, possibly both.

Web standards guru and blogger Molly Holzschlag sums up what is probably a common feeling of ambivalence about the new Foundation.

I would love to feel optimistic about this, but at this point I've really decided that creating more groups is just adding layers of problems on top of what we're already doing.

On the other hand, if this empowers greater outreach, education and fosters real influence in returning to the core ideals of an interoperable Web for all, then I'm all for it.

Eran Hammer-Lahav, Open Web Evangelist at Yahoo! and party to the founding of another group, the Open Web Foundation, has sharper words for Berners Lee's group.

Seems odd to ask for money, and a lot of
it, with so little detail as to what this organization is about?...We've been asked many times why a new org, and I think it is fair to ask it back. Seems to me that most of this should/could be done within the W3C. If the W3C is no longer able to promote its own mission, it raises the question: should the same leadership be trusted to run a new effort that seems to try and fix what their first effort failed to accomplish?

We are sympathetic to both opinions here. The problems being engaged with are thorny enough that we applaud anyone for trying tackle them - and the inventor of the web certainly brings credentials to the effort. Also, it's not our $5 million so we're not going to lose too much sleep even if the effort goes no where.

What do you think? Does the World Wide Web Foundation website give you hope that the organization will be effective? If these topics are of interest to you, see also the Digital Divide Network.

That's only going to be more true in the future, so if you'd like to have a say in how it all goes down - now's the time to get involved. The OpenID Foundation is one of the leading organizations in the new standards world and it's having its first ever election of community board members this month. Nominations close Monday and the voting begins on Wednesday.

Individuals will have to pay a $25 Foundation membership fee in order to vote, but this author just paid his and is looking forward to pulling the virtual voter's lever. Nominees so far are listed below.

What Are the Issues?

OpenID usability, getting major players to respect incoming OpenID and not just authenticate their own users elsewhere with OpenID, the personal data payload that travels with OpenID and many other difficult questions remain unanswered, despite all the progress the Foundation and other organizations have made in the last year.

A year ago this week we wrote a post saying that OpenID was in serious trouble. One year later, the situation seems to have improved quite a lot. That's thanks not just to the work of the OpenID Foundation, but they deserve a large part of the credit.

The protocol is far from out of the woods, though, and so this election is going to be an important one.

Who's Been Nominated?

So far twelve people have been nominated. Once you register as a Foundation member, you can see the nominees and their position statements. More nominations will likely occur before this weekend is over. Seven of the following twelve total number of people nominated by Monday will get positions on the board. Here's who's been nominated so far.

Johannes Ernst - founder and CEO of startup Netmesh
David Recordon - is from SixApart and is one of the most publicly visible members of the OpenID community
Mike Kirkwood - CEO of iPhone-centric medical patient data service Polka
Eric Sachs - Product Manager at Google
Snorri Giorgetti - OpenID Foundation's European Representative
Eran Hammer-Lahav - Open Web Evangelist at Yahoo! and OAuth lover
Allen Tom - Architect, Yahoo! Membership
Scott Kveton - Current OpenID Foundation Chair and VP Open Platforms at Vidoop
Nat Sakimura - Identity tech wonk from Japan
Brian Kissel - CEO of JanRain, makers of MyOpenID.com
John Bradley - OpenID security wonk
Martin Atkins - an OpenSocial and identity developer

Which seven of those people do you want driving the future of the OpenID Foundation? Register as a member, read their policy statements and you can have your hopes for this important technology paradigm recognized.

Xobni competes with Rapportive (my favorite to date) and Gist, which was recently acquired by Blackberry company RIM. Another service called eTacts (site now down) was recently acquired by Salesforce. Xobni was funded by Blackberry Partners a year ago, but remains independent. Check out the screenshot below to get a feel for how it looks, what it offers and how it's different.