Net API Notes for 2020/11/23 - Issue 147 - Happy Thanksgiving

Goodness, look at the time! Can't sleep. I must be overdue for another edition of Net API Notes!

NOTES

AMAZON'S WERNER VOGELS ON DISTRIBUTED SYSTEM EVOLUTION

Published on ACM, Tom Killalea recently sat down with Amazon's CTO, Werner Vogels. The conversation was wide-ranging. When asked if anything had changed to AWS's core tenants, Werner was adamant that the following remain fundamental concepts applicable to distributed systems:

• Decentralized to remove scaling bottlenecks and single points of failure.
• Asynchronous to allow the system to progress under all circumstances, regardless of any one participant's state.
• Autonomous so that individual components can make decisions based on local information.
• Localized in that each component achieves consistency and does not rely on its peers.
• Controlled concurrency in that operations limited or no concurrency control is required.
• Failure tolerant, where failure is assumed to be a normal mode of operation, and components can continue with no or minimal interruption.
• Controlled parallelism to improve performance and robustness of recovery.
• Decomposition of functionality into small components that can be used as building blocks for other services.
• Symmetric to minimize node-specific configuration to maintain and function.
• Simple as possible, but no simpler.

There's quite a bit there. The other bit about API design I'll just quote directly:

"You have to be really consciously careful about API design. APIs are forever. Once you put the API out there, maybe you can version it, but you can't take it away from your customers once you've built it like this. Being conservative and minimalistic in your API design helps you build fundamental tools on which you may be able to add more functionality, or which partners can build layers on top of, or where you can start putting different building blocks together. That was the idea from the beginning: to be so minimalistic that we could allow our customers to drive what's going to happen next instead of us sitting in the back room thinking, 'This is what the world should look like.'"

Keep these things in mind in your next API design session.

IDENTITY API SECURITY

It has been a while since I've featured a video in the newsletter. However, the recent Nordic APIs LiveCast featuring David Stewart talking about mobile API abuse is worth your time. During the first part of the presentation, David discusses the importance of:

• Requiring apps to prove they are authentic, rather than just relying on static API keys
• Rejecting apps running in compromised environments instead of just assuming it is the operating system's job
• Enhancing TLS security to prevent man-in-the-middle attacks
• Binding user authentication with a specific app context and expiring these bindings regularly, rather than assuming standardized login flows are enough
• Updating security via over-the-are updates, as opposed to having to wait for new app releases and adoption

The whole thing is worth watching, but I appreciated David's conclusion:

"You will know what is calling your API, not just who, and this will reduce your fraudulent traffic by 90-% or more."

MILESTONES

• In November, Twitter launched a new Instagram Stories-like feature, called Fleets. Unfortunately, the launch seemed to forgo a basic security and privacy audit. Specifically, a user's Fleets are accessible via API after the 24-hour "expiration", and accessing them in this way doesn't trigger a read receipt. Oopsie.
• Speaking of Twitter, ever wonder how academics research a disinformation campaign via the API? Deen Freelon recently tweeted his stepwise approach.
• There's a new Idempotency header RFC draft.
• Postman launched public workspaces.
• You might have heard that Chrome has removed HTTP/2 push from it's supported protocol implementations, effectively killing the feature. There's a brief post on evertpot.com on why API developers are poorer because of it.

WRAPPING UP

The United States celebrates a national holiday called Thanksgiving this Thursday, the 26th. It observes the day that Plymouth colonists shared an autumn harvest feast with the area's Native Americans. The meaning has shifted over time but it is generally a moment to reflect on what we are grateful for in our lives.

Twenty-twenty has been a challenging year. If the newsletter has strayed from strict API topic adherence, it's because that's where my head was at. There were many weeks where I questioned whether occupying headspace with API blather was even appropriate given the numerous other issues crying out for attention.

Writing continues to be an essential part of my sense-making process. The act of refining hyperbole, hints, and gut feeling into a coherent narrative to share has benefitted me greatly. When I had the most doubt about what I needed to be doing throughout this year, the solution nearly always to write it out. Thank you for the opportunity to share. Also, thank you for the gift of your attention and feedback. The conversation has enriched me in a meaningful way.

There is some hopeful news. A more promising future is around the corner. To get there, however, we need to continue to sacrifice for just a bit longer. Wear your mask, maintain physical distance, and virtually check-in on your loved ones. Make a plan for a remote holiday. It isn't ideal, but sometimes a field must lie fallow before growth can begin anew.

Finally, I'd be remiss if I didn't sing a note of gratitude to my Patreons. Your generous contributions are what help keep the newsletter free for others, month after month, year after year.

Till next time,

Matthew @libel_vox and matthewreinbold.com