

XAuth – a Terrible, Horrible, No Good, Very Bad Idea - dotBen
http://hueniverse.com/2010/06/xauth-a-terrible-horrible-no-good-very-bad-idea/

======
aaronbrethorst
Other terrible, horrible, no good very bad ideas include toolbars that fly out
on page load and pop ups that ask you to read some message that I completely
ignored while I tried to hit the 12x12px 'X' button in its top right corner.

Otherwise, great article. I need to remember to click that new Safari 'Reader'
button.

~~~
jrockway
Yeah, I added the site to adblock after I saw that popup. Not cool. If I like
your blog, I'll remember to promote it on my own. Now all I remember about the
blog is that the author is a douche that reads too many "you should follow me
on twitter" articles.

------
tedunangst
In case you read comments before stories, no, this is not the xauth you're
likely thinking of.

~~~
_pius
Really? Which one were you thinking of?

~~~
krakensden
Ahem: <http://www.x.org/archive/X11R6.8.1/doc/xauth.1.html>

~~~
_pius
Heh, I guess what "you're likely thinking of" depends on your frame. I haven't
thought of _that_ xauth in years ... never occurred to me that someone might
decide all of a sudden to start bashing it today.

------
dotBen
Although I agree with Eran, in the interest of balance let me also link to
John Panzer (of Google, but writing independently) who tries to address some
of Eran's concerns:

<http://www.abstractioneer.org/2010/06/xauth-is-lot-like-democracy.html>

~~~
papachito
Even Googlers agree with Eran, xauth is just a temporary solution, the real
solution should go into the browser, maybe with an API that is xauth
compatible. Mozilla is already working on those ideas.

edit, from another googler:
<http://www.google.com/buzz/dclinton/RcW6X3EjKj1/John-Panzers-take-on-the-XAuth-project-is-pretty>

> John Panzer's take on the XAuth project is pretty much spot-on. It's not
> that XAuth is what anyone wants for the ultimate answer in this space.
>
> Rather, XAuth is a short-term way of pushing for any momentum in this
> direction.

> There are a number of companies leading it, btw:

> MySpace: <http://xauthdemo.myspace.com/>

> Microsoft: <http://xauthdemo.mslivelabs.com/>

> Yahoo:
> [http://developer.yahoo.net/blog/archives/2010/04/xauth_oauth...](http://developer.yahoo.net/blog/archives/2010/04/xauth_oauth_and_yahoo_openid.html)

> Etc., etc. (Eran suggested this was Google-led, which didn't quite strike me
> as accurate, given that Yahoo, Microsoft, MySpace, etc., were all as
> involved as Google was.)

> For more background on XAuth, I did a round-up of the various announcements
> and responses during the XAuth launch:
> <http://www.google.com/buzz/dclinton/CYgLcs24yqP/>

------
nailer
Oh dear. Computing sometimes has naming conflicts, but choosing 'xauth' as
your authentication scheme when there's already an authentication scheme named
xauth?

> Security guy 1: xhost is deprecated. Use xauth.

> Security guy 2: xauth? But that's reliant on whoever controls a single
> domain.

> Both: ???

