Habaritag:mattread.com,2020-02-06:openid/8570b76d965d9aabc07ffb82b7ac6c3a35ed2deaMatt Read, WeblogIt says little, does less, means nothing.2008-12-12T10:21:37-05:00A Bold Move To OpenIDMatt Readhttps://mattread.comtag:mattread.com,2008:a-bold-move-to-openid/12290952972008-12-12T10:21:37-05:002014-10-08T18:55:04-04:002008-12-12T10:24:58-05:00<p>After deleting thousands of spam comments every week, I got fed up. I went looking for a way to eliminate spam all together. There are many different approaches that work at completely destroying spam bots A Honey Pot, <a href="http://svn.habariproject.org/habari-extras/plugins/spamhoneypot/">a Habari plugin</a> by <a href="http://seancoates.com/">Sean Coates</a>, that adds a CSS hidden field that only bots would fill in; encoding the “action” URL, and input elements names and ids of the submitting form, a technique used by <a href="http://gsnedders.com">Prof. Sneddy</a>, killing all spam bots which don’t use an HTML parser (which is all of them). There are others, but those are two that I find work reliably.</p>
<p><img alt="OpenID Logo" src="//mattread.com/user/files/openid.png" class="right"></p>
<p>The above mentioned methods, however, do not provide any way to authenticate the identity of the submitting comment author. In comes <a href="http://openid.net/">OpenID</a>. Using <a href="http://openid.net/">OpenID</a> to authenticate that the commenter is who they say they are, allows us to ensure that only valid comments are submitted. Since I haven’t seen a spam bot with an <a href="http://openid.net/">OpenID</a>, this will absolutely stop them in their tracks.</p>
<p><a href="http://openid.net/">OpenID</a> also allows to use heuristics to determine which <a href="http://openid.net/">OpenIDs</a> can be trusted, and which can be blacklisted. Since every commenter has a unique authenticated <a href="http://openid.net/">OpenID</a>, we can reliably trust repeat commenters and push their comments through the moderation queue; at the same time, not trust blacklisted <a href="http://openid.net/">OpenIDs</a>, deleting them immediately, without needing any human interaction to <em>reliably</em> do so.</p>
<p>I’ve decide to jump head first into the deep end, and only allow comments to be submitted using an OpenID Identifier. This means, that if you want submit a comment on my site, you <em>must</em> have an <a href="http://openid.net/">OpenID</a>. There are many people who do not have an <a href="http://openid.net/">OpenID</a> yet, but for your protection, and mine, I would highly recommend you go out and get one now.</p>
<p>I use <a href="https://pip.verisignlabs.com/">Verisign’s <abbr title="Personal Identity Portal">PIP</abbr></a> service for my OpenID provider. The service is still in “beta” (whatever that means nowadays) but I would highly recommend it. They even provide phishing detection, and “Strong Authentication” methods, including Browser Certificates, and their <a href="https://idprotect.verisign.com/learnmore.v">VIP Credetial</a>. Go sign up!</p>