While working on the TypePad and Movable Type AtomPub Exporters (still in progress), programmer Ronald Heft Jr had a problem interacting with the WSSE authentication both use. The problem ended up being in his own code, but it also led to some interesting observations about how the authentication works.

TypePad doesn’t require as secure code.

This is a good reminder that allowing programmers a less secure option, and they will likely take it because they trust you, and have other deadlines.

WSSE authentication is inheritantly insecure.

When Ronald looked in his Movable Type database he found that the passwords were stored in plain text. WordPress remote access development lead Joseph Scott explains that the only way to support WSSE is to store the passwords in plain text on the server, which is one of the reasons why WordPress won’t be supporting WSSE.

If I wasn’t clear my video really is in no way a comment of the MT Pro product — I’ve never tried it. All the Six Apart teams are clearly very talented, so I’m sure it’s a great product. Though I’m pretty sure it won’t live up to “setting social networking free”.

Let’s break it down:

focus more on telling a story

People that know me, know that I’m all about the story that a product tells, and I think their video failed in the very way that he thinks they succeeded. I didn’t see a compelling story about the experience of Movable Type Pro. As my voice-over reflects, I saw a story that looked like any blogging platform and comments.

Both of us are extremely biased at opposites ends of the spectrum, so neither of us will get it right on this one. I would love to know the results of a diverse group of people each separately watching the video and sharing their reactions.

Honestly, we assume that that everyone else on the web will respond by copying great ideas, as they usually do. Hell, we want them to, so that more people can benefit from open communities on the web.

If you are familiar with Anil’s writing, you may end up with the conclusion, like I have, that he is actually obsessed with being first — or that is one of the SIx Apart key messages anyway. Maybe, it all started because he was Six Apart’s first employee. Check out the Movable Type blog, “A WordPress 2.5 Upgrade Guide” [sic] article for a bit of a taste. If you enjoy the flavor, a Google search will lead you across the Web.

Of any software spaces, blogging is one of the richest for borrowing from each other and providing a consistent experience to customers — everyone benefits from this! I’d like to think WordPress has had as many firsts as any blogging platform, but even if that isn’t the case, I’m much more interested in focusing on doing it well. An example is the TypePad iPhone app was an iPhone launch partner, but the WordPress iPhone app is much more popular, has more reviews, and is higher rated, and we are still busy fixing and improving it.

Until then, they’ve created a parody of our video.

So me spending a couple hours playing around with iMovie in my own time (my 1st time using it), somehow becomes the Automattic answer to MT Pro?! And as I mentioned, no link love, no mention of my name (Lloyd Budd) — very, very bad blogger etiquette. Is iMovie that good that Anil thinks it’s a first rate production? I don’t think so, listening to it again, it is clearly the crap job that I remember doing for my own amusement.

without having your it look like another Facebook or MySpace clone

Did I voice-over the wrong video? I’m pretty sure it was their video that started with Digg, Facebook and MySpace. I might have misspoke, but I thought it would be obvious that I was referring to having social features beyond commenting like those platforms.

Our long-held reputation for publishing highly scalable, “Digg-proof” pages.

That is one of Anil’s favorite sound bites. I know Anil can’t seriously be suggesting that a file based “cache” is a whole solution to being highly scalable.

The funny part is that substitute in WordPress and you have at least an equally true assertion, ‘[WordPress's] long-held reputation for publishing highly scalable, “Digg-proof” pages.’ The reason why this sometimes looks not to be true is because of WordPress’s popularity.

I would bet, with no hesitation, that WordPress sites are far more often dugg, and that unfortunately some of those sites dugg, like my own, are on inexpensive, shared hosted environments that aren’t Digg ready.

For most WordPress customers the dynamic, responsive experience is far more important than “Digg-proof”, but for those that do want to prepare for a digg storm, there are high quality plugins like Super Cache and Batcache and many others that suit your specific configuration and needs.

There is no question that WordPress is scalable, fact is WordPress powers far more of the web than Movable Type, both in terms of web pages served and web sites. Fact is Movable Type doesn’t even power Six Apart’s hosted TypePad, and to my great frustration is incompatible in numerous ways — wonder why there is no Movable Type app for iPhone anyone?

remedy some of the missing features in WordPress if you have enough free time to find the appropriate plugins

Talking out the other side of his face, Anil will point out Movable Type’s rich plugin and theme collection. I’m pretty sure, Pro has even been presented as plugins built on top of MT at one time — bundling.

Of course, there is a huge collection, much larger, of WordPress plugins and themes, and I haven’t heard complaints that it’s hard to find the appropriate plugin. The wordpress.org/extend/plugins gives you information about popularity, and the interface will continue to evolve.

This past weekend, during Matt’s “State of the Word” at WordCamp SF 2008 (video will be online soon!), spoke to how that experience will change and how the actually WordPress plugin usage data will directly help WordPress evolve, with top plugins are polished and integrated into WordPress.

prominent independent security researchers do warn, “[T]he abysmal security practices of WordPress plugin developers places the entire Internet at risk”.

Why pick on the plugin developers brother?

That’s on top of WordPress being one of top ten least secure applications around

Each of the most popular blogging and CMS made the list, as does Linux.

the Department of Homeland Security’s data showing WordPress having twelve times as many reported security vulnerabilities as Movable Type

Should I even touch this one? Since Anil discovered that Home Land Security site I think that has become his favorite. I think it’s more telling that the Department of Homeland Security, and many other US government offices use WordPress (conversation).

And Anil’s article is one of the worst security related articles I’ve ever read. No security expert, nor scientific minded person would sign their name on it with it’s broad, sloppy brush strokes.

There is shame. Security was part of Matt’s State the Word. I don’t know anyone in the WordPress community that is happy with our security history, but it’s getting better and so are our developers.

There is appropriate optimism. With each release I see more potential security issues being reviewed and, when genuine, fixed earlier in the release process. The foundation of WordPress is also being improved to make security mistakes more difficult.

No one justifies the security issues because of popularity, but the IBM’s paper does reflect with popularity comes scrutiny. The loudest message from the paper might be that the bad guys have moved their focus from Windows to open source and to the web.

It seems only in the last couple of years has web security come to the forefront of the industries collective mind, and we’re all learning a lot. All three “top ten”, WordPress, Drupal and Joomla are benefiting from each others improvements, and the larger PHP community is helping a lot.

If Movable Type was as popular, and under the same amount of scrutiny, I can’t imagine they would still be storing passwords as plain text.

I’m confident that WordPress’s security record will get better and better!

The great technology rests on top of world-class support, an incredibly talented professional services group, and a media services team that will help your site and your community succeed.

That last link there is a 404, and maybe that is meta irony there. All those links go to Six Apart services, as does one from earlier in Anil’s article “(We’ll even help you design it.)”.

This is probably the largest difference between Movable Type and WordPress. WordPress is community developed and support — world class.

I remember reading Anil’s comment on Josh Catone‘s Read Write Web article “Six Apart Gets Into Microblogging with Activity Streams“. Here Anil didn’t like that WordPress Prologue — actually that’s a great example of someone not getting the idea, the story — but what bothered me was his attitude towards WordPress plugin developers:

There’s also an important distinction that this is a key part of our platform, developed by the core MT team itself. That means that it’s not a PHP script somebody cobbled together on their own to try to make a lifestream, it’s a framework to actually help open up *all* of these services

I read that as disrespectful to independent developers, WordPress or otherwise.

I see the Automattic team as the WordPress guide. WordPress is completely community created and supported. Automattic takes on the big (scalability) problems that the community doesn’t have the resources for like: providing the free WordPress.com service and fuding usability testing of a new WordPress dashboard experience.

We work with our community, not compete with our community. The work Automattic does is open source, released under the GPL.

Though the WordPress Consultants list, wp-pro and WP jobs are pretty good tools, currently, I expect much of the WordPress professionals’ work through personal relationships in the community. I think this is one of our greatest opportunities as a community. If you agree (blog about it) get in touch with Toni.

I mentioned that the work Automattic does is open source, whenever possible (Akismet is an exception). This isn’t the case with Six Apart’s Movable Type. I’ve written at length, “Movable Type 200% Open Source!“, about the missed opportunity.

With the release of Movable Type Pro, I think Six Apart’s current approach is bad for open source and actually dilutes open source. It seems others share my opinion, as on every thread there seems to be an open source advocate upset about MT Pro not being open source.

At first I was excited to see that the open source information was now on MovableType.com’s download page:

But then I realized the game this table plays is that the open source version isn’t good enough for “Bloggers”, only freetards like myself. I’m pretty sure, I’ve also read Six Apart telling people that the open source version isn’t tested or supported (but it’s the same software without some plugins, promise).

First, we set publishing free. Next up, social networks.

Actually, the WordPress community can take that first credit (not that I’m obsessed with 1sts) by creating the most popular installed blogging software, and it being open source. I don’t know about the next up, but there are many contenders, and WordPress and BuddyPress communities would be honored to be among them.

If I wanted to use Movable Type Pro for a social network with that Six Apart’s pricing it would probably be a social network of one. Anyway, without it being open source, it won’t be setting any one free, just making it a little easier to disobey the boss.

And that is why I think, Anil, people are so excited about BuddyPress, because it is among the real possibilities of setting social networking free.

our lead by planning to provide some of these abilities for WordPress in a collection of plugins that you should be able to assemble around Christmastime or so

There are so many reasons why I don’t know whether to laugh or cry.

Anil Dash has been pissing all over the web calling BuddyPress vaporware. See his comments at:

• CNET Webware “Movable Type, WordPress becoming social platforms“
• Mashable, “Six Apart Provides Social Networking Capabilities with Movable Type Pro“

Where I come from, vaporware is a derogatory term. It’s clear that he doesn’t like WordPress BuddyPress being part of the conversation.

BuddyPress isn’t vaporware, a community is developing it today. You can download the code today. It is open source today!

I get emails and IMs from friends that have checked it out and are already grooving on where it is going.

Collection of plugins

That is just a packaging issue, and packaging issues are easy.

Christmastime or so

This coming from a key member of the team that made a press release seven months before the open source flavor of Movable Type — well over a year, if a public bug tracker is an important detail to you. The community will decide when the code is ready to be called a product.

Wow, this is way long. I’ll wrap it up here.

I didn’t find the Movable Type Pro introductory video well done or sincere, hence the parody. Am I really so bad for poking fun at the competition? Does the tension date back to Six Apart not being invited to the Blogger and WordPress dance off?

The Automattic team have always been huge fans of Firefox. My colleagues including Matt, Mike, and Raanan have found time to test the Firefox 3 betas. Asa calls Beta 3  “the beta you can’t resist“. If I didn’t have a baby on the way, and too much exciting work related to WordPress 2.5, and WordPress.com VIP customers, I’d be embarrassed that I haven’t found time yet.

Recently my colleagues noticed that a number of features on WordPress.com weren’t working properly. Mike investigated, and discovered that Firefox 3b3 blocked access to 3rd party cookies. He did an excellent job reporting the issue Bug 417800: 3rd party cookies should be *sent* even when blocked from being *set*:

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9b3) Gecko/2008020511 Firefox/3.0b3
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9b3) Gecko/2008020511 Firefox/3.0b3

Cookie sets should not be accepted from third party sites, but cookies should still be *sent* to third party sites.Bug 324397 was closed by changing the default of network.cookies.cookieBehavior from 0 to 1. Now Third party cookies cannot be set (e.g. within an iframe). I understand and support this behavior.However, pre-existing cookies for that third party are not currently *sent* to that third party. I believe this behavior is incorrect and is an unintended consequence of changing the default “accept cookie sets from third party sites” behavior.

Reproducible: Always

Steps to Reproduce:
1. User goes to example.com and logs in to that site. example.com cookie is set.
2. User goes to a different site: example.NET which contains a “widget” for example.com: an iframe showing example.com content to logged in users.
Actual Results:
Since Firefox 3b3 does not send pre-existing cookies to third party sites, that example.com widget does not work from example.net.

Expected Results:
Firefox should send third party cookies so that the example.com widget works.

Related bugs:
1. Bug 324397: deals with accepting cookie sets from third party sites.
2. Bug 417286: deals with UI for allowing cookie sets from a whitelist of third party sites.

And in a comment:

I don’t believe my proposal would revert the earlier decision to not accept third party cookies. I think my proposal lies between two extremes: never doing anything with 3rd party cookies (current behavior), and allowing anything with 3rd party cookies (old behavior).

For about a week it the ticket didn’t receive much attention, other than from Jo “FBI plant” Hermans, who didn’t acknowledge the pragmatic problems this change caused.

It is hard to know whether a ticket just hasn’t been noticed yet, or if it is being ignored. This situation reminded me of WordPress, like any software projects, challenges in this area, and the importance of your bug triage team and area owners.

After reviewing the bugs, from my layperson’s perspective, I reached out to the always generous Jesse Ruderman, Mozilla Security expert, and he reviewed the ticket, and he suggested that possibly the strongest argument would be to show this behavior not being consistent with the other most popular web browsers — contrary to what the other bugs described. I related this to Mike and Matt.

Like how we, WordPress developers, are incredibly sensitive and jaded about blog spam, Mozilla developers are sensitive to browser spam, so reverting any change like would only come reluctantly.

Matt updated the ticket:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

Even if you clear cookies and block third party cookies, you’ll still likely see pagead2.googlesyndication.com there.

That’s not really the issue though.

Good guys, normal widgets, and many sites use iframes to tie distinct sites together are being punished by behaviour that changed from b2 to b3 and there is no good guy workaround for. The new stats widget in 2.5 shows a beautiful iframe-loaded flash graph in IE6+, Safari, and Firefox through 3b2, but now in b3 it shows a login form. Even if I submit the login and get new cookies (although they already exist), if I navigate away from the page or reload it wants me to login again. (And again.)

I’m most familiar with how this breaks things around WordPress because that’s what I work with every day inside of Firefox, but would it help to find other examples of widgets or functionality broken by this change in b3?

Every project does it, but such a change shouldn’t have passed the first gate for approval mid-beta.

Mike Beltzner, Mozilla.com Director of User Experience, thankfully joined the conversation at this point:

At the very least, we need to revert the change from bug 324397. The foundational assumptions in that bug (that this wouldn’t affect web-compat) turned out to be wrong.

Then Dan Witte, Cookie Area Owner, closed the door:

(In reply to comment #9)
> As mentioned above, Bug 324397 comment #39 says the change in that bug brings
> FF in line with Safari and IE.

it turns out bug 324397 comment 39 isn’t accurate. to help clear up all the confusion around this issue, i’ve posted comparisons between FF, Safari, IE6, and IE7 in bug 417286 comment 14. to summarize:

1) IE6, IE7, and Safari 3′s third-party blocking works only when setting cookies. once a cookie is set, it can be read third-party or not. our feature has always blocked setting and reading.

2) IE6 and IE7 (at least) can use the p3p policy to determine whether to permit setting of a third-party cookie. per comment 9, it appears that Safari can also do this, though i haven’t verified that.

3) all browsers have the ability to block third party cookies in iframes.

…

in the face of the problems this feature has caused, we should revert the default pref, and leave this as an option. since it appears to be reasonably effective (at least moreso than the competition), it would be nice to add this back into the pref panel as a choice, rather than keeping it hidden – but that’s an l10n call for drivers to make. people who want this should use it in conjunction with whitelisting for legitimate sites. (given the amount of confusion around whitelisting, better discoverability of this feature seems necessary – but that’s a different topic.)

The behavior has been reverted. Thank you!

Maybe, you have to be strange like me to enjoy a bug report and solution unfolding, but I really enjoyed reading all of the strong arguments, and my two favorite teams working together.

I actually went to the ticket at this time to figure out what were the next steps to see this issue resolved. I was ecstatic that it is already resolved! My thought was that more examples of web breakages would be necessary and that I would reach out to be mashup and web widget experts like Niall Kennedy.

Jo Hermans, Jesse Ruderman, Daniel Veditz, and Dan Witte present a lot important points on web privacy in the ticket, and it is because of the Mozilla team’s approaches and actions that there isn’t another browser I trust as much for the best privacy and security experience.

I love how Firefox is always on the front line battling for the best experience, and look forward to Firefox 3 and everything else coming out of Mozilla!