One of the ways to get a technology service running quickly is to put security concerns on the back burner. Either it's too expensive (in terms of engineering resources), or too complex, or just an oversight. I'd like to see all new services articulate their position on basic security issues (SSL, authentication, cookies, etc.) to give us technology early adopters a better sense of what their approach will be moving forward.
At the very least, though, every service should run over SSL. This is super easy to set up, and requires very little engineering effort. There are some systems architecture decisions to be made, including how to host the SSL certificate (preferably on the load balancer). And of course, there is some cost (performance, CPU time) associated with encryption, which could add some load. But otherwise, this is a slam-dunk easy win.
Del.icio.us noted yesterday in their blog that they have changed their APIs to support (in fact, require) SSL. Good move. Again, IMHO they should have done this from the start. Since their APIs are so heavily used, many other software vendors are now scrambling to fix their applications that use those APIs (they've been given 6 months to make the change before del.icio.us shuts down the old site). And now all of us users need to update our apps that leverage those APIs (in my case, I will have to update Attensa, Performancing, the Firefox/Del.icio.us extension, and that widget (that I haven't finished yet anyway - ok, that's not as big of a deal ;-)).