ReadWriteWeb

Today's the day - the "Oauthpocalypse" - that Twitter users and developers (well, mostly developers) have been anxiously awaiting. It's the day that Twitter will begin using OAuth rather than basic authentication for third-party applications, a move that has implications for both users and developers alike.

At 8 a.m. today, Twitter shut down basic authentication forever and, if your Tweetdeck or other Twitter app doesn't work, there's likely something you can do - update.

The OAuth 2.0 draft specification is out there. The efforts of the group working on the specification are paying off in the form of an IETF working group submission. One thing is clear, there is a natural tension in following the processes of IETF and the hyper-innovation cycle of web standards that are now powered by the growth of social media.

In this world, keeping up with all the work in the community itself is a feat in itself. As proven recently, even aligning the naming of standards in our small community (xAuth, XAuth) proves challenging enough. With that said, we'll share we what we've learned about this version and what work has been incorporated into it.

You may or may not be excited by the acronyms OAuth and IMAP/SMTP, but the combination of them all together is very exciting news. Google Code Labs announced this afternoon that it has just enabled 3rd party developers to securely access the contents of your email without ever asking you for your password. If you're logged in to Gmail, you can give those apps permission with as little as one click.

What does that mean? It means mashups based on the actual emails in your inbox. If you've given a 3rd party app secure access to your Twitter account, then you'll be familiar with the user experience. The first example out of the gate is a company called Syphir, which lets you apply all kinds of complex rules to your incoming mail and then lets you get iPhone push notification for your smartly filtered mail. Backup service Backupify will announce tomorrow morning that it is leveraging the new technology to back up your Gmail account, as well.

The issues of cloud/SaaS security have been on my mind since the late 90s when I was working on my first global intranet/extranet project. Personally, I've never been terribly concerned with the more lower-level technical details of network architecture, transport protocols or with tedious policy writing; you need good security experts to cover these areas properly. I've always been drawn to the more forgivably human downsides to the whole SaaS/Cloud concept like this one: How on earth do you prevent password sharing?

I've been thinking that the solution may be so obvious, so ubiquitous, that it's just difficult to see past our own fears: What if we could improve the security of our cloud-based applications by handing over our authentication processes to the social media networks?

It's been just about a year now since Twitter started using OAuth as a solution for connecting with third-party applications, but to this day we still find situations where we are asked to enter our user name and password.

At LeWeb today, Ryan Sarver, Twitter's Director of Platform, took the state during the morning session. He stressed that Twitter needs the developer ecosystem if it wants to continue to grow. Sarver also announced that Twitter will give all developers access to the full firehose feed in early 2010. In addition, Twitter will also soon launch a new developer site, increase the rate limit for services that use OAuth and launch a new API for browser-less apps.

In a world where content is king, Boxee has found a way to give entertainment producers the royal treatment. After a successful App challenge and calculated rollouts of its Mac, Windows and Linux releases, internet television platform Boxee is launching into private beta with a new and improved look. ReadWriteWeb got an early look at the product and found out how the company plans to increase its growing user base.

Last week's flurry of Twitter DM spam from hacked or phished accounts wasn't the first instance of that and won't be the last.

As long as people are willing to trust their Twitter log-in information to third parties - and don't look carefully at URLs before they log into websites - and as long as a small number of bad actors want to pee in the social media swimming pool, this kind of thing will continue happening.

MySpace just announced that its users will now be able to sync their status updates with their Twitter feeds. MySpace users will be able to send their status updates on MySpace directly to Twitter and will also be able to import their Twitter updates to their MySpace feeds. This is currently just a beta product, but MySpace will roll this service out globally over the coming weeks.

Last Friday was a hot day in Sebastopol, California. Eran Hammer-Lahav rolled into town hours after finding out that there was a security hole in his pet project for the last few months, a new way to use Twitter to log in to third party sites using the OAuth protocol instead of user names and passwords. Working as the Open Web Evangelist at Yahoo, Hammer-Lahav was relieved to have been told about the hole so he could help fix it. When he arrived in Sebastopol at a small event of industry leaders called Social Web FOO Camp, he talked with friends and colleagues about it.

At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too.