Arvind Narayanan's journal

LJ OpenID loophole [Mar. 25th, 2007|03:24 am]
Arvind Narayanan
[Current Mood |surprised]

I get several anonymous spam comments on this blog every day, but they don't show up because they're screened by default. If you ask LJ to screen anonymous comments, it doesn't screen comments from OpenIDs (although the comment posting form claims it does). This is silly, because anyone, including a spammer, can set up an OpenID identity server. That's sorta the whole point of OpenID.

Even better, there are anonymous OpenID servers around, which provide disposable IDs with no authentication. Go ahead, try it out, post a reply to this page by selecting OpenID in the From: field, and "http://www.jkg.in/openid/anything" as the URL. It won't ask you for any sort of password, and the comment will show up even though I'm screening anonymous comments. Kinda silly, isn't it?

Shows you how stupid spammers must be if they haven't figured this out yet.

From: ext_33605
2007-03-25 08:41 am (UTC)
silly, is it?
(Reply) (Thread)
From: ext_38140
2007-03-25 08:49 am (UTC)

Thanks for the tip

I'll update my spam script now :)
(Reply) (Thread)
From: arvindn
2007-03-25 08:57 am (UTC)

Re: Thanks for the tip

I look forward to your tips on penis enlargement and low-interest mortgages :)
(Reply) (Parent) (Thread)
From: ext_28514
2007-03-25 09:02 am (UTC)
Now seriously, the OpenID spam heaven is old news (http://blog.phpbb.cc/2007/01/20/spam-heaven/). LiveJournal has so much work to do wrt OpenID that comment screening almost looks like a non-issue.

P.S. Just got a CAPTCHA on the comment form. Wow! That was fast!
(Reply) (Parent) (Thread)
From: ext_28514
2007-03-25 09:04 am (UTC)
Hahah. The CAPTCHA was probably due to the link...
(Reply) (Parent) (Thread)
From: arvindn
2007-03-25 09:12 am (UTC)
That's a relief! You had me spooked for a second as well with your previous post :)
(Reply) (Parent) (Thread)
From: arvindn
2007-03-25 09:10 am (UTC)
"LiveJournal has so much work to do wrt OpenID that comment screening almost looks like a non-issue."

Saywha? Could you explain that? I was just suggesting that OpenID comments should be screened along with anonymous comments. (I don't believe there's a whitelist/blacklist solution as yet for OpenID, is there?)
(Reply) (Parent) (Thread)
From: ext_28514
2007-03-25 09:57 am (UTC)
What do you mean "whitelist/blacklist solution for OpenID"? Each site that accepts OpenID should maintain an OpenID whitelist/blacklist, otherwise OpenID would no longer be truly decentralized.

And yes, LJ OpenID comments should be screened. They also should be treated better than they currently are:

(Reply) (Parent) (Thread)
From: arvindn
2007-03-25 04:54 pm (UTC)
Obviously not every site has the resources to create its own whitelist/blacklist.

I was thinking of something like spamhaus for OpenID: some third party (or perhaps fourth party -- OpenID already seems to have three parties, but whatever) would provide black/whitelists, and it would be up to each site whether or not to use them and how to use them (maybe just as one component in a spamassassin-type scoring system).

Anyway, I need to understand this better. Not being familiar with ma.gnolia or any other implementation besides LJ, I can't quite follow the discussion at the link you posted. I do understand that LJ could do a lot better though, such as allowing you to link your OpenIDs to your LJ account.

(Reply) (Parent) (Thread)
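The screening gap described in the post (OpenID comments bypass "screen anonymous comments" even though anyone can run an identity server) and the list-based, spamassassin-style scoring suggested in the comment above, modelled as an added example. This is not LJ's code; the comment types, the list contents other than the www.jkg.in host named in the post, and the threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlparse

@dataclass
class Comment:
    author_kind: str         # "lj_user", "openid" or "anonymous"
    identity: Optional[str]  # LJ username, or the claimed OpenID URL

def screened_as_described(c: Comment, screen_anonymous: bool = True) -> bool:
    """The behaviour the post describes: only literally anonymous comments are
    screened, so a comment vouched for by any OpenID provider goes straight through."""
    return screen_anonymous and c.author_kind == "anonymous"

def openid_provider(claimed_id: str) -> str:
    """Reduce a claimed OpenID URL to the host that vouches for it."""
    return (urlparse(claimed_id).hostname or "").lower()

def _listed(host: str, hosts: Set[str]) -> bool:
    """Match a host or any subdomain of a listed host (e.g. user.livejournal.com)."""
    return any(host == h or host.endswith("." + h) for h in hosts)

# Constructed lists. www.jkg.in is the no-authentication OpenID server named in
# the post; the other hosts are placeholders. THIRD_PARTY_BLOCK stands in for a
# spamhaus-style feed the site owner may choose to consume.
LOCAL_ALLOW: Set[str] = {"livejournal.com", "trusted-openid.example"}
LOCAL_BLOCK: Set[str] = {"www.jkg.in"}
THIRD_PARTY_BLOCK: Set[str] = {"disposable-ids.example"}

def spam_score(c: Comment) -> int:
    """Higher means more likely spam; one component of a scoring system."""
    if c.author_kind == "lj_user":
        return 0          # authenticated against the site itself
    if c.author_kind == "anonymous" or not c.identity:
        return 100        # no identity at all
    provider = openid_provider(c.identity)
    if _listed(provider, LOCAL_BLOCK) or _listed(provider, THIRD_PARTY_BLOCK):
        return 100        # provider known to hand out disposable identities
    if _listed(provider, LOCAL_ALLOW):
        return 10         # identified, but still by a third party
    return 60             # unknown provider: anyone can run one

def screened_hardened(c: Comment, screen_anonymous: bool = True, threshold: int = 50) -> bool:
    """OpenID comments are screened like anonymous ones unless their provider
    earns trust through the lists; the threshold is the site owner's choice."""
    return screen_anonymous and spam_score(c) >= threshold
```

With the post's example URL, screened_as_described returns False while screened_hardened returns True; a comment from a user.livejournal.com identity passes the hardened check with a low score.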
From: forvrkate
2007-03-25 03:42 pm (UTC)
Odd. I have gotten maybe two spam comments over the last year in my LiveJournal, and I do not have comment screening set up. Maybe the spammers think I am so far gone that penile enlargement tablets and Canadian-produced Viagra won't be any help to establishing my sex life. Maybe they think I'm hopeless!
(Reply) (Thread)
From: arvindn
2007-03-25 04:44 pm (UTC)
Well, I go out of my way to make my blog google-friendly (which makes sense, considering that my posts tend to be more of "here's what I think about the world" than "here's what happened today.") This inevitably means spammer-friendly as well.
(Reply) (Parent) (Thread)