>> "This is not the first time there have been breaking changes without proper warning (disabling HTTP from TurboActivate)"
That's not true.
Old versions of TurboActivate that *only* talk over HTTP (v 3.4.6 and older) still work. We did nothing to deprecate those old versions. In fact, our infrastructure is still 100% compatible with all old versions of TurboActivate (even closed-beta TurboActivate 1.0 versions from a decade ago can still activate and deactivate with LimeLM).
The fact that newer versions (3.4.7 +) require HTTPS is a good thing. Requiring HTTPS on newer versions fixed many "bugs" (i.e. ISPs spying on and injecting garbage into communication to/from TurboActivate).
So, if you're using an old HTTP version of TurboActivate, and it's not working, point the finger at your customer's ISP and/or network admins. TurboActivate and LimeLM don't exist in a vacuum. We work our asses off to maintain backwards compatibility and fix other people's bugs so things "just work". But there are some things that are unfixable. For example, if an ISP ruins HTTP communication to/from an old version of TurboActivate and LimeLM, we can't magically fix the ISP. The only thing we can do is remove the ISP's ability to ruin that communication. Hence our decision to force HTTPS usage for TA 3.4.7 and newer.
But this is all way off-topic.
Long story short, we bend over backwards to maintain backwards compatibility. We didn't break compatibility here.
>> "We all appreciate the need to secure services and customer data, but we also require adequate communication to mange service changes in a controlled manner."
I agree. And if this were a normal circumstance that's exactly what we would've done in the form of a blog post here with adequate warning: https://wyday.com/blog/
However, as you might've gleaned from my responses elsewhere in this topic, this was not a normal circumstance.
Here's a quick breakdown of what has happened so far:
1. We were investigating unusual communication to/from our servers.
2. It quickly became apparent to us that *at least* 3 large customers had embedded their web API key either in their app(s) or in client-side JS. And other customer had suspicious usage (meaning, they *likely* had used their web-API key in their app(s) or in client-side JS).
3. We saw no evidence of malicious 3rd parties using these leaked keys to steal data and/or manipulate data. However, knowing that it was *possible* steal data using the self-leaked web API keys introduced 2 things: legal responsibility & liability.
In other words, because we *knew* X web API keys had been self-leaked (i.e. leaked by programmers ignoring all documentation and warnings) we had to ensure that those keys could no longer be used. And because we suspected Y other web API keys had been self-leaked, we also had to block those keys.
4. Because legal liability and responsibility were introduced into the equation we now had a ticking time-clock. We had to fix these customer-imposed problems as quickly as possible with as minimal an impact as possible. And that's what we did.
The following use-cases were not impacted at all:
i. Our customers using the web API key on a single server. (It continued to work and will continue to work with no change required by our customers).
ii. End-users (your customers) using TurboActivate, TurboFloat, or the TurboFloat Server. Absolutely no interruption of service was introduced and none will be introduced.
However, due to time-constraints and the introduction of legal responsibility / liability to ensure user-data was safe and remained safe, the following use-cases *were* impacted:
a. Our customers using the web API key in their apps. The fact that we impacted these customers was the whole purpose and we have zero regrets about this.
b. Our customers using the web API key in internal-use apps for support staff, managers, etc. This was an unintentional consequence, but again (I've stated this above 3 times already), this type of usage violates our terms of service. And the solution is to create LimeLM accounts for these people.
c. Our customers using the web API keys in multiple back-end servers for ordering / querying / modifying licenses. This was also unintentional (but unavoidable due to time-constraints). Scott fell into this category, a handful of other customers fell into this category, and I'm guessing you fell into this category as well. I'm sorry you were effected by our decisions. These customers (you included) were unintentionally punished for the behavior of unrelated lazy programmers.
5. The fallout (this forum topic was created accusing us of incompetence, amateurish behavior, etc.).
6. [Happening before & during #5] We were doing further analysis see exactly which web API keys were effected and black-list them manually.
7. The partial-rollback: after manually blacklisting the known offenders we were able to "un-press" the "red button" to fix well-behaving customers (4c -- Scott, you, and a small handful of other customers) while keeping the known-offenders blocked.
That's the timeline thus far (as of this moment). So, what's coming next?
We've been working hard to improve our blocking of *potentially* compromised keys (i.e. keys that we cannot with 100% certainty say are being mis-used). This will happen on Monday. We've been working hard on a flexible solution. The current approach being tested will allow a single web API key to be used from 3 separate IPs within 72 hours. We have not finalized the design (we'll be working longer hours too to finish this).
More details will be on our blog after we make this change.
Very long story short: this was an atypical case handled as well as an atypical case can be handled. I am genuinely sorry some legitimate customers got effected.