
Simon Willison’s Weblog

Signing comments on blogs

Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog: a TrackBack is sent to their site, which in turn sends them an alert email that they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publicly displayed for fear of spam harvesters), but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bear with me.

  1. The comment author enters their comment into a form on the site. They see a standard icon indicating that the blog in question supports comment signing. Rather than manually entering their name and URL, they activate a bookmarklet that they have previously added to their browser.
  2. The bookmarklet fills in the name and URL fields for them. It also takes the comment, appends a secret key (stored in the bookmarklet) and finds the MD5 hash of the new string, using the JavaScript MD5 library. It inserts this hash into a hidden field in the comment form.
  3. The user can now submit the new comment. That’s all they have to do.
  4. The weblog server now kicks into action. If the comment has not been signed (there is no hash in the hidden field) it adds the comment normally, noting that it should be displayed as an “unsigned” comment on the comments page. End of story.
  5. If it has been signed, the server has some work to do. First it must start loading the URL entered by the user on the comment form, looking for a <link rel="signature"> element that provides the URL of a signature-authenticating web service. If the </head> tag is reached without finding one, the system can assume the link element does not exist and mark the comment as “unsigned”.
  6. If the web service is found, the server can now send it the comment and the user’s site URL. The web service (which knows the user’s secret key) will respond with a hash created in the same way as the one constructed by the bookmarklet.
  7. If the hash returned by the web service matches the hash provided by the bookmarklet, the comment is considered “signed”. The server can store it as such, and later display it with an icon or style that indicates it is a signed comment. If they do not match, the server can either store the comment as “unsigned” or even flag it as “untrusted”, since it was incorrectly signed.

As you can see, it’s a relatively complicated system. Comment authors must have a custom bookmarklet and add a link element to their home page indicating their authenticating web service URL. Note that they do not need to host the authentication web service themselves—they can instead point to one run by someone else whom they trust (trust here is essential, as the web service must know the user’s secret key). Meanwhile, the blogging system needs to be able to perform HTTP requests.

The key advantage of my system is that, being based on MD5, it is relatively easy to implement (as opposed to a system based on something like PGP). Provided no one points out any immediate flaws, I would happily construct a prototype in PHP. I’m sure a Perl implementation for Movable Type users would not prove much of a challenge to any talented plugin author.

Security-wise, it strikes me that the weakest link is the client-side bookmarklet which comment authors would need to use. However, comment signing is not the most critical security application in the world, and comment authors could easily change their password by updating their bookmarklet and alerting their signature web-service provider (which could even be themselves) of the change.

And if the signature idea doesn’t win any favour, the idea of having a bookmarklet to fill in your name and URL in blog comment forms is one I’ve been meaning to share for some time.

This is Signing comments on blogs by Simon Willison, posted on 22nd July 2003.


32 comments

  1. MD5 is just a hash, not a public key system, so this wouldn't work, sorry.

    Jim Dabell - 22nd July 2003 22:03 - #

  2. Why not? I'm pretty sure MD5 is cryptographically secure (in that you can't derive the original text from the hashed text), and you don't need public/private key cryptograph provided you don't mind having a shared secret.

    Simon Willison - 22nd July 2003 22:20 - #

  3. That sounds very good, and even so it leaves out my by-product feature of reporting one's remote comments on their own weblog, I think you have found a secure solution. My only gripe is the portability of the bookmarklet: - browser/platform compatibility (I suspect not all browsers are created equal in that matter) - mobility. What do I do when I'm commenting from a public computer on which I can't easily install it? What if I forget to deinstall it? I'm starting to think of one-time passwords. Before commenting I would go on my weblog and generate a short one-time password, which I would use in lieu of the secret key. Since it would be valid only once, you don't have to bother about traces and encryption. You could still simplify the generation through a bookmarklet and I wouldn't be stuck when blogging from, er, someone else's PC :-) How about that?

    François - 22nd July 2003 22:22 - #

  4. Francois, Regarding the bookmarklet issue, you could just use a password protected script on your authentication server to generate the hash key exactly like the bookmarklet would and then copy/paste it manually. I think this acts exactly like a one time password, but without actually adding any extra complexity to the process ;) Simon, This sounds good. You can count me in for testing ;)

    Francois PLANQUE (and not trying to abuse the prev - 22nd July 2003 22:36 - #

  5. Blogging from public PCs / other people's computers is definitely a problem. One solution would be to allow people to "sign later" - they could go back to a comment they had previously posted and click an icon next to it, then sign it as normal with their bookmarklet. The problem with one-time passwords is it requires you to take an extra step every time you want to post a comment. Unless...

    OK, scrap the original idea entirely! No MD5 needed - the bookmarklet can retrieve a javascript file from the auth server which contains a randomly generated one-time password. The auth server saves the one-time password and the URL of the page that made the request (the URL of the comment form), or alternatively some unique ID in a hidden field in the "add comment" form. The blogging system can then find out the auth server (again using a link element) and give it the one-time password, which it will verify.

    Simon Willison - 22nd July 2003 22:36 - #

  6. Yes, MD5 is cryptographically secure, and it sounds good enough for this job. We're not trying to rubberstamp both sides, just the author's site. If I get Simon's idea well, the hash that would be provided to the site, and transmitted over the wire, would be different each time. So we don't fear the eavesdroppers. Waitaminit: Simon, both the URL and email address need to be included in the hash, because they need to be authenticated in the process.

    François - 22nd July 2003 22:42 - #

  7. Forget about signing in later. As Dave Shea (so he pretends to be ;-) wrote on Adrian's site, it's too difficult to clean up after the fact. Just right now, by the time I finish a comment, there are already one or two sliced in between! But I might be wrong on that.

    And, no pun intended, you should think of implementing line breaks in your comments before the sign-in thing ;-)

    François - 22nd July 2003 22:49 - #

  8. I commented about this sort of thing before, here and here.

    In short, the only real way to handle this stuff is going to be via the use of some sort of trusted party. Either a portal-like community service, a PKI infrastructure or well-known hashing techniques. Something that allows a person to say "I'm this identity" and then the site can verify that's the case. What's possible here is building up on things like Advogato's trust network. We all have 'spheres of interest' and that might be a fine way to build up trust networks.

    As you recognize, this isn't easy stuff. But it's becoming more and more apparent that something like this is going to be needed.

    Bill Kearney - 22nd July 2003 22:58 - #

  9. Bill, I truly resist the idea of relying on a central server. Or at least before we have exhausted solutions that involve only two servers: the one I'm commenting on and mine.

    François - 22nd July 2003 23:39 - #

  10. I don't think a single trusted third party is necessary provided the authentication information is retrieved from the comment author's own blog - if it is, then they can specify their own trusted authentication service (which they themselves can control if they are really paranoid).

    I don't know that even MD5 hashing is necessary if we use the one-time randomly generated password idea. I'm going to knock up a simple prototype under the idea that working code speaks louder than words. Any problems should then become instantly obvious. If it doesn't work, I'll have lost a couple of hours coding time.

    Simon Willison - 22nd July 2003 23:40 - #

  11. And what of those of us who like to read and occasionally comment but have no particular inclination to put up a website of our own? Would we then be barred from commenting? There's a risk that schemes like this will make blogging more insular and cliqueish by excluding non-blogging outsiders.

    James Kew - 22nd July 2003 23:58 - #

  12. I see a small problem. There isn't much to stop me from saying I am He-who-must-not-be-named (for example) and having my auth server confirm such. People could deduce it is not Him from the URI that I would enter, but most weblogs don't expose the URI these days, they turn the commenter's name into a link. Unless I rollover the link and check the URI, I would never know if it is really Him. In the end, you are still manually confirming that the commenter is who they say they are. If you can't trust the auth server then the whole thing becomes a tool of convenience for the commenter. Which is a good thing in and of itself.

    gilmae - 23rd July 2003 00:11 - #

  13. And what of those of us who like to read and occasionally comment but have no particular inclination to put up a website of our own? Would we then be barred from commenting?

    Not at all. The system we are talking about is for optional authentication of comments. The way I envisage it, comments which have been "signed" will either have the comment author's name displayed in a different colour or will be accompanied by a small icon indicating that they are authenticated. All other comments would still appear, but they would not have the icon. The system is not meant to restrict commenting, just to allow people to add proof that it is really them to their comments.

    There isn't much to stop me from saying I am He-who-must-not-be-named (for example) and having my auth server confirm such. People could deduce it is not Him from the URI that I would enter, but most weblogs don't expose the URI these days, they turn the commenter's name into a link. Unless I rollover the link and check the URI, I would never know if it is really Him.

    I don't see that as a huge problem. If someone were to do that they would be spotted pretty quickly, and if the person they are impersonating heard about it it would not be at all hard for them to prove that they have been impersonated. This is a huge improvement on the situation now, where it is impossible to prove an impersonation. In any case, authentication on a name would not work as some people have the same name (I'm sure there's more than one Dave S. active in the blogosphere for example).

    Simon Willison - 23rd July 2003 00:21 - #

  14. Hi, It seems simpler to me to add a field for an optional password, instead of having to setup a bookmarklet... My main problem would be trusting the site on which I'm commenting with my password.

    Bill Zeller - 23rd July 2003 00:22 - #

  15. What a lot of effort for not a lot of return.

    Why not just implement a user registration system for people who are *really* bothered about signing their comments - most people who actually have something good to say usually use their own blog to say it anyway - and I think we're all intelligent enough to realise when someone is being lame and imitating someone

    Smiler - 23rd July 2003 00:35 - #

  16. Bill: That's the exact problem with a password scheme - anyone who runs a blog that you have commented on could potentially imitate you.

    Smiler: user registration isn't plausible because there are so many blogs; besides, what's to stop me registering on someone's blog as Adrian Holovaty before the real Adrian Holovaty gets there? OK so it's not the most critical problem in the world, but distributed authentication is interesting enough to be worth playing around with.

    Simon Willison - 23rd July 2003 01:19 - #

  17. There's no need to use a centralized service. But if you intend to build in a way to *make sure* the content is coming from where it claims then there's little choice other than to make use of such intermediaries. Experience has already shown that spammers WILL abuse weblogs and their comment systems. My point of mentioning use of 3rd parties is to make it clear that the /option/ to use them should be seriously considered when implementing something. It doesn't have to be used, but failure to consider the hows and whys of using them would be a shortsighted mistake. After all, go look at who's done the Perl PGP modules on CPAN...

    As for effort without return, think seriously about the complexities of user registration systems. Then think about the security risks. Too many users will use the same password on different systems. One hack and their entire network of sites becomes ripe for being compromised. Not to mention most sites don't even do *basic* login dictionary attack logging and notification. That's one cure that's worse than the disease.

    In short, a site can well make use of regular old web input forms. A site could also make use of a back/forth system that helps both the site and the visitor. The site gets helped by having a way to 'be reasonably sure' who's posting and the visitor gets some help in tracking what they post and where. It ends up being a win/win situation here. Yes, it will require sites to implement something new. It will also require visitors interested in this concept to implement something. It's not like it's going to happen without some modicum of effort. Even weblogging required a LOT more effort than just using vi to write your own HTML pages but fortunately easy-to-use frameworks evolved. Likewise an evolution is possible for commenting.

    Bill Kearney - 23rd July 2003 14:05 - #

  18. New proposition du jour - mimic the TrackBack autodiscovery and do it all from your weblog.

    François - 23rd July 2003 15:27 - #

  19. I disagree about password schemes and impostors. This is why making use of a trusted third party is worth factoring as an option from the very beginning. Better to allow for people that express a strong desire to maintain ownership over the identity they choose to use than to leave it out of consideration. Note, I'm suggesting verification for an identity. That identity need not be the 'official one' for yourself. It merely needs to be an identity whose participation in a community desires being authenticated over time. As in, you can be "hottiegrrrl9" provided that identity has means to verify itself within the context of the communities you use it within.

    Bill Kearney - 23rd July 2003 16:19 - #

  20. In my BlogBack system, I allow (Plus) users the ability to verify commenters by IP, in a similar way to how they can ban people. Once a commenter is verified, the system will flag up all their comments as authenticated by underlining their name in the posts. Not the most secure of systems, but an easy hack that'll work for my purposes, anyway.

    Marcus - 23rd July 2003 18:12 - #

  21. The problem is that if the authenticating service returns the hash, "Mark" (generic malicious user) could pretend to be Alice by sending his comments to the authenticating service, and taking the hash returned by the auth service and submitting that to the website. The website will then check the hash with the auth server, and it will match.

    One solution is for the website to send the hash to the auth server and let the auth server return a boolean to say if it's correct.

    And with the idea about giving a password to every website you comment on, and them now having your password: You just use a different password on the different blogs, or a bookmarklet implementation of my password generator (makes different passwords for each URN from a base password) could be written, or perhaps that mixed with a OneTimePassword.

    Brian - 23rd July 2003 19:10 - #

  22. Better to allow for people that express a strong desire to maintain ownership over the identity they choose to use than to leave it out of consideration

    That is exactly why I do not want a third party involved.

    François - 23rd July 2003 19:13 - #

  23. On the Internet, no one knows you're a dog.

    And, similarly, none of the Rube Goldbergesque schemes suggested here could ever assure you that I am "really" Jacques Distler and that I am not, in fact, a dog.

    To do that, you need to establish trust in the signature. For this purpose, few people seem willing to pay Verisign for Personal Certificates. And PGP's "web of trust", while free, seems not to have scaled well. Beyond a few immediate acquaintances, I encounter vanishingly few PGP signatures whose authenticity I can establish.

    If, as you say, comment authentication is not mission-critical, then the commenter could simply have a bookmarklet which would produce a detached PGP signature of his comment (and put it in a hidden field of the comment form). Then the server could retrieve the public key -- corresponding to the commenter's email address -- from one of the PGP keyservers (a simple http request) and verify the signature.

    No trust is established -- that requires human intervention -- but at least you know that the commenter is the same canine whose public key/email address is on the keyserver. Which is more than you can say for any of these other schemes.

    Jacques Distler - 24th July 2003 08:33 - #

  24. Testing signature.

    Simon Willison - 24th July 2003 10:49 - #

  25. Testing signature? Mmmh, yummie :-) Can I join?

    François - 24th July 2003 14:55 - #

  26. I see gilmae's point as a very good one. How can you stop me from putting "Simon Willison" in the name field and have my own little web service confirm that I am Simon? This idea is similar to allowing people to create their own ID cards and referring people to their home address for verification ;) Please let me know if I'm wrong here, of course.

    Joao Prado Maia - 24th July 2003 21:39 - #

  27. This is sort of.. all.. bullshit. Authenticity is in the eye of the beholder, it seems. All of these strategies are proposing varying levels of making it more annoying for a malicious poster to post his or her malicious posts. The system is fundamentally either closed (requiring registration that is approved by the blog author), or open (allowing anyone to post.. thus inviting the inevitable possibility for a malicious poster). There are mergings between these two, and users who are commenting from approved accounts in the eye of the blog owner should have those stamps of approval displayed. Any attempts at creating some sort of way to identify random people on the internet is doomed to fail.

    Tony - 25th July 2003 09:49 - #

  28. After a bookmarklet is used, can the host page have any access to the bookmarklet's code and variables? If so, the host page might be able to steal whatever makes your bookmarklet unique and identifiable.

    Dumky - 10th March 2004 08:16 - #

  29. At this juncture - I'd like to point out www.sharedid.com. Which is a free foaf-based solution to comment signing and authentication.

    There are already movabletype and generic php plugins available. All SharedID does is keep track of your identity - allowing you to submit your foaf file (stored on your own server) to the web application with a single click.

    The web application (eg mt-comments) can then parse the foaf file to get your name, email address and homepage. Plus all the other neat foaf-stuff, like location, your friends, interests - etc etc.

    SharedID even goes further - recommending that foaf authors include a link to a public atom api in their foaf file - that can serve as an 'activity log'. ie - when a user posts to a movabletype weblog - a copy of their comment is posted back to their activity log - so they can keep track of conversations they are involved in across the net.

    See http://www.sharedid.com/sharedid/developers/ for some examples.

    Ben Nolan - 17th March 2004 05:29 - #

  30. i cant sign in to ma msn address im really sure that my net passport is correct and my password is correct but it let me sign in

    sibonginkosi - 2nd February 2005 18:40 - #

  31. i cant sign in to my msn address im really sure that my net passport is correct and my password is correct but it wont let me sign in

    sibonginkosi - 2nd February 2005 18:43 - #

  32. Have you checked out OpenID? It sounds to me like a nice and open solution and it solves the same problem as you're trying to solve (at least seemingly).

    Jonas Bengtsson - 13th October 2005 22:20 - #

Comments are closed.

Previously hosted at http://simon.incutio.com/archive/2003/07/22/signingComments
