One of the biggest holes in OpenID is spoofing and that won't be fixed until the authentication is done by the browser or out of band via some other method. So in OpenID, my account is both a username and an authentication source. So if I used [EMAIL PROTECTED] to log into your site, your page would redirect me to aol.com for authentication, they would do whatever to check that I am who I say that I am, then they redirect back to your site with a token that says I'm legitimate. Problem is that this is all being done via HTML and JavaScript. It would be somewhat trivial for a bad bit of code to instead redirect to a site that looks like the aol.com authentication page but is really a bad site which stores my password. There are plugins for Firefox which do this out of band but for the moment most folks would do the web redirect process which is going to have lots of opportunities for cross-site scripting and other attacks.

Once those things are fixed then OpenID can be trusted and single sign on will be a possibility. In the meantime I have a jillion accounts and passwords to manage and get to wade through more captchas to create more accounts.

As far as automated contextual question generation, I wonder how that would be done? Sounds pretty high on the artificial intelligence quotient. So some code is going to read blog posts, slice and dice them and then present unique relevant questions to a user about the blog content? If you get that working I'm sure there's some big bags of venture capital waiting for you.

CB
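To make the redirect flow and the trust boundary concrete, here is a toy model of it as an added example (not code from this thread or from any OpenID library): a relying party (RP) that discovered the provider's endpoint and holds a shared HMAC association secret with it, a provider (OP) that redirects the user back with a signed assertion, and the checks the RP runs on what comes back. The identifiers, URLs, the `DISCOVERED` table and the simplified signing format are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data: what the RP learned via discovery for a claimed id,
# and the RP's own callback URL.
DISCOVERED = {
    "https://openid.example-provider.test/alice": "https://op.example-provider.test/auth"
}
RETURN_TO = "https://rp.example.test/openid/return"
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"]


class Association:
    """Shared HMAC secret RP and OP agreed on earlier (simplified OpenID 2.0 association)."""
    def __init__(self, handle, secret):
        self.handle = handle
        self.secret = secret


def sign(fields, assoc):
    """HMAC-SHA256 over the signed fields, serialised as 'key:value\\n' lines."""
    data = "".join(f"{k}:{fields.get(k, '')}\n" for k in SIGNED_FIELDS).encode()
    return hmac.new(assoc.secret, data, hashlib.sha256).hexdigest()


def op_assert(op_endpoint, claimed_id, assoc):
    """Provider side: after the user logged in, redirect back with a signed assertion."""
    fields = {
        "op_endpoint": op_endpoint,
        "claimed_id": claimed_id,
        "return_to": RETURN_TO,
        "response_nonce": secrets.token_urlsafe(16),
        "assoc_handle": assoc.handle,
    }
    fields["sig"] = sign(fields, assoc)
    return RETURN_TO + "?" + urlencode(fields)


def rp_verify(redirect_url, claimed_id, assoc, seen_nonces):
    """Relying-party checks on the URL the browser was redirected back to."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    # The assertion must name the endpoint *we* discovered for this identifier,
    # and be addressed to our own callback.
    if q.get("op_endpoint") != DISCOVERED.get(claimed_id):
        return False
    if q.get("claimed_id") != claimed_id or q.get("return_to") != RETURN_TO:
        return False
    # It must be signed under the association we hold with that endpoint.
    if q.get("assoc_handle") != assoc.handle:
        return False
    if not hmac.compare_digest(q.get("sig", ""), sign(q, assoc)):
        return False
    # Each nonce is accepted once, so a captured redirect cannot be replayed.
    nonce = q.get("response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True


def run_demo():
    """Legitimate round trip, a replay, and an assertion from a look-alike provider."""
    claimed_id = "https://openid.example-provider.test/alice"
    real_assoc = Association("assoc-1", secrets.token_bytes(32))
    seen = set()
    results = {}
    url = op_assert(DISCOVERED[claimed_id], claimed_id, real_assoc)
    results["legit"] = rp_verify(url, claimed_id, real_assoc, seen)
    results["replay"] = rp_verify(url, claimed_id, real_assoc, seen)
    # A fake provider never obtained the association secret, so even if it
    # copies the real endpoint name its signature does not verify.
    fake_assoc = Association("assoc-1", secrets.token_bytes(32))
    forged = op_assert(DISCOVERED[claimed_id], claimed_id, fake_assoc)
    results["forged"] = rp_verify(forged, claimed_id, real_assoc, seen)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The checks catch a forged or replayed assertion arriving at the RP, which is the part of the flow the RP can see. They say nothing about what happened in the user's browser before the redirect back: if the user typed their password into a look-alike login page, the RP still receives either no assertion or a perfectly valid one later, which is exactly the gap the message above describes and why browser-side or out-of-band authentication is the proposed fix.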

Jane Lee wrote:
I'm combining my replies to Chris, Alex, Ryan and Jacob here for the sake of
not sending out 10 emails:

Chris: That is a nice idea, but inevitably leads back to trust. One central
authority can "validate" that the OpenID user is a user who can pass a
captcha or other similar test, but how do you know to trust the authority as
a site implementing OpenID? And still, even as you point it out, this kind of
stuff doesn't guarantee anything more since each site is going to have
different criteria to meet a "legitimate user" standard.

Alex: That doesn't work until you can trust the OpenID (or any other
"identity") provider. Let's say I let you log in to my computer with
OpenID... there is no way I'd let you have even guest access without knowing
who you are and passing some sort of test from me to you. Now, if you had an
OpenID from a provider I explicitly trust, and you passed the test I set
(let's say the test was a captcha plus a few questions), I'd grant a guest
account to your OpenID. That's how it works now, in a way, anyway. You'd
still have some glaring security issues with OpenID and OpenID server
implementations, as well as user issues (phishing, anyone?).

Ryan, Jacob, et al.: Whether or not that form of captcha can be implemented
on a site depends on the audience: for example, who cares about Japanese
when your blog is in English for English speakers and someone leaving a
comment in Japanese is more likely to be marked as a spammer for being
irrelevant/not understood? If they wanted to leave a comment, the implied
behavior would be that the Japanese speaker would have had to read the
entire post in English and therefore should not have a problem either
understanding a captcha in English or writing a comment in English as well.

I've mentioned this before, but one of the blogs I read has a system where
you have to pick out sentences that were in the blog post, mixed together
with sentences from other irrelevant blog posts, in order to leave a
comment. The system can be extended to ask one of a set of random questions
that a reader and commenter of the site would implicitly know (e.g. if it's
an Apple-related blog, asking a question like "what's that company that this
blog is talking about?" or "what's the name of the phone manufactured by the
company that this blog is about?"). Since that implies that you must have at
least read and understood most of the blog post in order to comment, that
kind of system would not put much of a burden on commenters and would be
pretty difficult for spammers to do anything about as long as they have no
huge incentive to do so.

cheers,
jane
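The "pick the sentences that were in this post" check Jane describes, written out as an added example (not the system from the blog she mentions, nor code from anyone in the thread): the server splits the post and some unrelated posts into sentences, mixes a few real ones with decoys, and keeps the answer key on its own side under a one-time token so the client only ever sees the options. The sample post, the decoy texts and the class and function names are constructed for the demo.

```python
import random
import re
import secrets

# Constructed sample texts: the post being commented on and unrelated decoys.
POST = ("The new firmware update changes how the device handles power management. "
        "Battery life in our tests improved by about an hour. "
        "The update also fixes the Bluetooth pairing bug reported last month. "
        "Installation took roughly ten minutes on a fast connection.")
DECOYS = [
    "Our sourdough starter finally rose after three days. The crust came out perfectly crisp.",
    "The city council approved the new bike lane proposal. Construction begins in spring.",
    "This weekend's hike covered twelve miles of ridge trail. We saw two eagles near the summit.",
]


def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


def make_challenge(post_text, decoy_texts, n_real=2, n_decoy=3, rng=None):
    """Return (options, answer): a shuffled list of sentences and the set of
    indices that came from the post. Decoy sentences that also occur in the
    post are dropped so every option has exactly one correct classification."""
    rng = rng or random.SystemRandom()
    real = split_sentences(post_text)
    real_set = set(real)
    decoys = [s for d in decoy_texts for s in split_sentences(d) if s not in real_set]
    if len(real) < n_real or len(decoys) < n_decoy:
        raise ValueError("not enough sentences to build a challenge")
    options = rng.sample(real, n_real) + rng.sample(decoys, n_decoy)
    rng.shuffle(options)
    answer = {i for i, s in enumerate(options) if s in real_set}
    return options, answer


class ChallengeStore:
    """Server-side record of outstanding challenges keyed by an opaque token:
    the answer key never leaves the server and each token is good for one attempt."""
    def __init__(self):
        self._pending = {}

    def issue(self, post_text, decoy_texts, rng=None):
        options, answer = make_challenge(post_text, decoy_texts, rng=rng)
        token = secrets.token_urlsafe(16)
        self._pending[token] = answer
        return token, options          # only these two reach the commenter

    def check(self, token, picked):
        answer = self._pending.pop(token, None)   # consume the token either way
        return answer is not None and set(picked) == answer


if __name__ == "__main__":
    store = ChallengeStore()
    token, options = store.issue(POST, DECOYS)
    for i, s in enumerate(options):
        print(i, s)
    print("token:", token)
```

Because the key is stored server-side and popped on first use, a wrong guess costs the client a fresh challenge rather than another try at the same one, and the options themselves carry nothing that distinguishes real sentences from decoys beyond their content. The same store can serve the random-question variant Jane mentions by replacing `make_challenge` with a function that returns a question and its expected answer.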
