XAuth – a Terrible, Horrible, No Good, Very Bad Idea (hueniverse.com)
40 points by dotBen 2718 days ago | 9 comments

Other terrible, horrible, no good, very bad ideas include toolbars that fly out on page load and pop-ups that ask you to read some message that I completely ignored while I tried to hit the 12x12px 'X' button in its top right corner.

Otherwise, great article. I need to remember to click that new Safari 'Reader' button.

Yeah, I added the site to adblock after I saw that popup. Not cool. If I like your blog, I'll remember to promote it on my own. Now all I remember about the blog is that the author is a douche that reads too many "you should follow me on twitter" articles.

In case you read comments before stories, no, this is not the xauth you're likely thinking of.

Really? Which one were you thinking of?

Heh, I guess what "you're likely thinking of" depends on your frame. I haven't thought of that xauth in years ... never occurred to me that someone might decide all of a sudden to start bashing it today.

Although I agree with Eran, in the interest of balance let me also link to John Panzer (of Google, but writing independently) who tries to address some of Eran's concerns:


Even Googlers agree with Eran, xauth is just a temporary solution, the real solution should go into the browser, maybe with an API that is xauth compatible. Mozilla is already working on those ideas.

edit, from another googler: http://www.google.com/buzz/dclinton/RcW6X3EjKj1/John-Panzers...

> John Panzer's take on the XAuth project is pretty much spot-on. It's not that XAuth is what anyone wants for the ultimate answer in this space. Rather, XAuth is a short-term way of pushing for any momentum in this direction.

> There are a number of companies leading it, btw:

> MySpace: http://xauthdemo.myspace.com/

> Microsoft: http://xauthdemo.mslivelabs.com/

> Yahoo: http://developer.yahoo.net/blog/archives/2010/04/xauth_oauth...

> Etc., etc. (Eran suggested this was Google-led, which didn't quite strike me as accurate, given that Yahoo, Microsoft, MySpace, etc., were all as involved as Google was.)

> For more background on XAuth, I did a round-up of the various announcements and responses during the XAuth launch: http://www.google.com/buzz/dclinton/CYgLcs24yqP/

Oh dear. Computing sometimes has naming conflicts, but choosing 'xauth' as your authentication scheme when there's already an authentication scheme named xauth?

> Security guy 1: xhost is deprecated. Use xauth.

> Security guy 2: xauth? But that's reliant on whoever controls a single domain.

> Both: ???
