## March 20, 2004

### TypeKey

Six Apart have announced their TypeKey service, a centralized Commenter Registration service. Commenters can register with TypeKey, and then sign in once to comment on any MovableType 3.0 blog.

I haven’t seen the details yet, but from what they’ve described, I am not too sanguine about the service. As I read it, there are three motivations for this sort of centralized Registration service.

Spam prevention

This sort of presumes that spammers will be too dumb to register their spambots with the service. Once the spambot is registered and signed-on with TypeKey, I expect it would function pretty much as before.

On the other hand, centralized registration does allow for centralized banning. If word gets back to the TypeKey administrators, they can disable the spammer’s Identity.

But what’s to prevent the spammer from registering hundred, or thousands of Identities for his spambot? The Slashdot trolls have pioneered “registration 'bots”, which register hundreds of throwaway Identities. What’s to prevent spammers from doing the same with TypeKey?

Troll Management

Individual blog owners can ban individual TypeKey Identities from commenting on their blogs. Not much of an impediment, if the troll can easily register another Identity.

Cracking down on trolls is a tricky business, and there are some very clever techniques for dealing with them. Merely forcing them to register isn’t enough.

Identity Theft

Can there be two Identities with the same website URL, but different email addresses? Surely there can. Can a registered user hide his email address on his Profile Page? You bet! No one wants to give the email spammers yet another opportunity to harvest your email address.

Well, then, there’s nothing to prevent me from registering with TypeKey in your name, with your Website URL and your biographical details, but with my (hidden) email address. Now I can sign into TypeKey and go around impersonating you at various blogs. The only non-fakeable detail in my TypeKey Profile — my throwaway Hotmail email address — is hideable. So it’s not really possible to establish my “identity”, based on what is revealed on that Profile.

Presumably, TypeKey won’t let two of us register with the same Username. “JohnSmith37” might be out of luck, but, if you go by a less-common name, you can, to some extent, protect yourself by making sure you’ve registered your favourite nom de plume before I get there. It won’t prevent me from registering a slight variant, with your biographical details, but it’s better than nothing. For purely defensive reasons, this should create a mass stampede to register with TypeKey, as soon as it opens for business.

As you know1, I’ve had my own thoughts about Comment authentication, so perhaps I’m biased. But unreliable authentication can be worse than no authentication at all. It creates a false sense of assurance where there should be none.

Obviously, TypeKey does nothing to make any of these issues worse than before. But it does increase the hassle-factor: commenters must register, and must sign-in to use the service. So one really hopes that TypeKey would actually improve matters with respect to one or more of these problems. Doubtless, I’m missing something, and someone will correct me. But, from what I’ve seen, TypeKey seems to be a lot of bother, for not a lot of benefit.

Again, let me emphasize that I haven’t seen any of the implementation details. This post is based purely on the TypeKey Announcement. Still, I find the whole thing troubling enough to want to start the discussion now, before the official roll-out.

Update (3/23/2003): There’s now a TypeKey FAQ. It addresses some of the questions raised here and elsewhere. The clear focus is on TypeKey as an anti-spam device. By itself, it would be pretty useless. But they argue that, in conjunction with Comment Moderation (another new feature of MT 3.0), it could be rather effective. TypeKey-registered users, who’ve posted comments to your blog before could have their comments immediately posted. Everyone else (including the spammers) would have their comments relegated to a moderation queue. Depending on how you feel about Comment Moderation — more work for the blog owner, interrupts the flow of the conversation — that certainly could be effective. If most of your comments come from the same familiar set of people, TypeKey would allow you to turn on Comment Moderation with minimal disruption.

For myself, I view comment spam as a more-or-less solved problem (I,II,III), and I don’t anticipate turning on Comment Moderation to deal with it. Still, giving blog-owners a sense (even if partly illusory) of control over their comment section is a smart move by Six Apart.

Update (3/25/2003): Phil Ringnalda has also come to the conclusion that TypeKey could be useful in conjunction with Comment Moderation, as a way to whitelist “known” commenters. But, on reflection, I’m now of the opinion that PGP-signed comments provide a much better mechanism for whitelisting known commenters.

1In this context, I think I understand Anil Dash’s cryptic comment a little better.
Posted by distler at March 20, 2004 10:47 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/335

### Re: TypeKey

Presumably, TypeKey won’t let two of us register with the same Username. “JohnSmith37” might be out of luck, but, if you go by a less-common name, you can, to some extent, protect yourself by making sure you’ve registered your favourite nom de plume before I get there.

That had better not be an issue. The username should be the user’s email address, as that is already unique. This should be distinct from the user’s display name, which should be just that, a display name. Heck, even Friendster gets this right. (Though anyone who has used AOL Instant Messenger knows that the one positive side effect of a contested namespace is a flowering of creativity in usernames.)

Posted by: jacob on March 21, 2004 3:41 AM | Permalink | Reply to this

### What’s in a name?

I mean whatever name (the Display Name, if you wish) that is revealed to the blog owner when you post a comment, and is displayed when someone visits your Profile page.

Posted by: Jacques Distler on March 21, 2004 8:22 AM | Permalink | PGP Sig | Reply to this

### Re: What’s in a name?

I mean whatever name (the Display Name, if you wish) that is revealed to the blog owner when you post a comment, and is displayed when someone visits your Profile page.

But why must this display name be unique? The only name that must necessarily be unique is the name used for login.

Posted by: jacob on March 21, 2004 7:03 PM | Permalink | Reply to this

### Re: What’s in a name?

But why must this display name be unique?

It doesn’t have to be. I was simply positing the “best-case scenario” from the point of view of protecting against identity theft. From this point of view, you would probably prefer to be the only “jacob” at TypeKey, whose web site is “http://www.chompy.net/blogs/jacob/”.

This may simply not be a design consideration for TypeKey. In that case, we’re back to its dubious efficacy in helping blog owners control spammers and trolls.

Posted by: Jacques Distler on March 21, 2004 7:30 PM | Permalink | PGP Sig | Reply to this

### Re: TypeKey

I completely agree with your assesment of this service, and in fact the very same thoughts occurred to me when I first heard of it. This looks to me to be about as meaningful a security measure as providing an MD5 checksum for a binary on the same website on which it’s hosted - i.e, worse than useless, in as far as it breeds complacency.

Any measure that will be meaningful for combatting blogspam will have to be costly in some way. There are two methods that occur to me.

1. A registration authority levies a fee small enough to not be a deterrent to the ordinary commenter but large enough to discourage mass registrations by spammers
2. A web of trust is set up in the manner employed with PGP.

I don’t really see any other approaches working.

Posted by: Abiola Lapite on March 21, 2004 4:19 PM | Permalink | Reply to this

### Re: TypeKey

I sent an email to Six Apart to point them to the criticisms you made, and got a less-than-helpful response, the most important part of which is excerpted below.

“We have studied the issues for a long time and have decided, after a long debate, that this really is the best service we can provide. Should people not be interested in it, or wish to not use it, that is fine too. It would be ideal to stop spam without such a system, but we feel this is the best at the moment.”

Maybe it’s me, but this reads like “whatever, we’re going to do what we were going to do anyway.” It’s so content-free that it must be some sort of form response they’ve put together.

Posted by: Abiola Lapite on March 22, 2004 7:08 PM | Permalink | Reply to this

### Re: TypeKey

By the way, according to Jay Allen, the issues you’ve raised won’t be a problem with TypeKey. It’ll be interesting to see how this comes about.

Posted by: Abiola Lapite on March 22, 2004 7:13 PM | Permalink | Reply to this

### Re: TypeKey

I’m pretty sure you’re focusing on the wrong words in that. If you start from the position that Ben and Mena are still as smart as they once were, and still want to do the weblog world right as much as they once did, then the part to focus on becomes “the best service we can provide.”

If I could make everyone comment-spam-free, I would. Myself, I get something like one a week (and another 150-200 that I successfully stop without any action on my part). But letting everyone else share my good fortune involves teaching them enough Perl to be happy hacking at MT, and then enough more that they can all do something slightly different. I’ve been thinking about stopping spam and crapfloods for several months now, and I haven’t even come close to coming up with something that will work when it’s openly distributed: it’s easy as can be to stop when your code is hidden and you’re the only one doing things the way you do them, and twice as easy to work around when your code is open.

So, what’s the best that they can do? What has worked, at least slightly, in other applications? Well, registration. It sucks, it’s easy to get around, but it’s what everyone does and all everyone does, from forums to free email accounts to whatever, because it’s all you can do and maybe slightly better than nothing. But having to register to leave one comment on a weblog you’ll never go back to would be a PITA, and mostly you wouldn’t bother, so how can they get around that? TypeKey. It’ll be easy to game, but then so is registration, and at least we won’t have to go through the constant register here, register there thing.

Will it work, and do any real good? No. Is there anything better to do instead? Well, picture yourself supporting 100K PGP/GPG newbs. Oh, and you’ll have to figure some way of supporting them server-side as well, which isn’t exactly easy if you’ve got root, and probably impossible otherwise, and in the end doesn’t actually do what you want: you don’t need to know who someone is, you need to know why they are commenting. Anything you can do with PGP to block comment spam, short of only allowing comments from people you’ve personally met, I can get around. And if you are only allowing comments from your five best friends, you might just as well give them accounts to post entries. Or just switch to email or IM.

Posted by: Phil Ringnalda on March 22, 2004 9:31 PM | Permalink | PGP Sig | Reply to this

### Anti-Spam Measures

But, Phil, you’ve done precious little to hide from the spammers.

Your comment CGI script is still named mtcomments.cgi and you still have a comment-entry form on your individual entry page, where it’s indexed by Google. (And even your dedicated comment-entry page doesn’t have a <meta name="robots" content="noindex,nofollow" />, so it, too is indexed by Google.)

I eliminated these loopholes, and the number of spams I’ve gotten stands at 8 in 23 weeks. Now, just as you do, I have some other measures as a second line of defence, but they have stopped no more than a handful of spams in that time. Even if I dispensed with all of them, my spam count would still be no more than one every couple of weeks.

None of the things I have done to combat spam are complicated, or require serious hand-holding. A few simple changes in the “default” templates, renaming the comment CGI script to something random, and … shazam! … spam drops to near zero.

These would not be difficult changes to distribute, and they would make a dramatic impact on spam for most people.

SixApart is offering Commenter Registration because … people have been clamoring for it. Ben Trott can’t be so addle-brained as to think that it will have even a temporary effect on spam.

But his customers are demanding it, so he delivers.

Posted by: Jacques Distler on March 22, 2004 10:41 PM | Permalink | PGP Sig | Reply to this

### Re: Anti-Spam Measures

Off-topic: do you have any idea why Google lists you without any description? I know why all those comment links of mine are that way: I didn’t notice Google indexing them until I started log watching, so now robots.txt tells them to stay out, but they still know about them.

Changing the name of mt-comments.cgi? I’ve really got to get to work on my spambot, especially now that PHP 5 has a nice HTML parser, so I don’t have to switch to Python. Fake forms leading to honeypots? Fine, ban my proxies, plenty more where those came from. Fake forms with tied nonces in the preview? A hundred or a thousand attempts, eventually I find the right one.

Renaming the script is one of those things that works well when only a few people do it, but I’m already seeing plenty of bot-activity that does a GET before a POST (and that’s mostly why I look so open still: fishing).

Posted by: Phil Ringnalda on March 22, 2004 11:46 PM | Permalink | PGP Sig | Reply to this

### Re: Anti-Spam Measures

Off-topic: do you have any idea why Google lists you without any description?

I’m not sure what you mean. Explain?

Renaming the script is one of those things that works well when only a few people do it

I disagree entirely. The reason why I get so few spam attempts is that the spammers can’t find me.

Change the name of the comment script, and a search for the default name won’t turn up your blog. Move the comment-entry form off the pages that get indexed by Google, and a search for common names of form elements will also come up empty.

It’s a lot more fun to play with nonces (I know, I’ve done that too), but it’s the mind-numbingly simple stuff that is the most effective.

Posted by: Jacques Distler on March 23, 2004 12:44 AM | Permalink | PGP Sig | Reply to this

### Re: Anti-Spam Measures

Search for blog comment (a phrase that gets me a fair bit of bot-posted spam (or is sent as a fake search referrer)), and there you are on the second page of results, with nothing but a title and a URL, in the midst of other sites with a few random words from the content. Same sort of result for all the random phrases I pulled from your recent posts. Title, URL, no text.

Once enough people start renaming the comment script to make it worthwhile (or, enough people add hidden fields), GET that page, and if there’s no form look for links with /comment/ or /reply/ or /add/ in the text, and GET them. Once you find a form (or a form and multiple decoys), parse out the action attribute and all the fields, make a best guess at the input fields, POST, if you get a form back POST it again, then GET the page where you expected your comment and look for your link. If you find it, mark them as a sucker to revisit, if not either flag it for review, or just forget about it and go on to blasting easier fish in the same barrel.

I’m not logging enough right now to know for sure if they are parsing anything out of the HTML, but looking at today’s bot-posting, it’s all GET, one to ten second pause, POST, so if they aren’t, they certainly could be.

As to how they would find me without being able to search for the filename or the form elements: if it was me, I’d start with link:movabletype.org if I was tied to MT’s comments, or combinations of whatever and comment (rss comment, atom comment, comment trackback, syndicate comment, technorati comment, blogshares comment) that seemed likely to get me weblogs with comments.

XML error while submitting (signed, using the Textile filter for no good reason):

XML Parsing Error: junk after document element Location: http://golem.ph.utexas.edu/cgi-bin/MT-2.5/sxp-comments.pl Line Number 431, Column 8:</html><pre>MT::App::Comments=HASH(0x809acc) Use of uninitialized value in string at /Library/WebServer/CGI-Executables/MT-2.5/plugins/OpenPGPComment.pl line 133.

Posted by: Phil Ringnalda on March 23, 2004 1:56 AM | Permalink | PGP Sig | Reply to this

### Freaky!

Same sort of result for all the random phrases I pulled from your recent posts. Title, URL, no text.

That’s friggin' frightening! It’s true of everything in the Google index from my blog.

XML error while submitting (signed, using the Textile filter for no good reason)

Hmmm. I can’t imagine why that is. I will compose this comment using the Textile filter and see if I can reproduce the error.

Whoops! Textile severely messes with the PGP Signature. I’ll suggest to Srijith that he find a way to apply the text filters after stripping out the PGP signature.

Once enough people start renaming the comment script to make it worthwhile (or, enough people add hidden fields), GET that page, and if there’s no form look for links with /comment/ or /reply/ or /add/ in the text, and GET them…

I guess, after MT 3.0 comes out, I’ll have to code up my honeypot and let your 'bot have at it.

That’s, of course, after I change the name="" attributes of all the <input type="submit"> elements in the form to random values.

If spambots are actually parsing the HTML, I can force them to parse the English.

As to how they would find me without being able to search for the filename or the form elements: if it was me, I’d start with…

No question that I can be found. For the spammer, it’s a matter of choosing search queries which minimize the false-positive rate…. and then having a good algorithm for determining what is a false-positive.

Posted by: Jacques Distler on March 23, 2004 10:44 AM | Permalink | PGP Sig | Reply to this

### Re: Freaky!

That’s friggin’ frightening! It’s true of everything in the Google index from my blog.

That’s true of my site too. I’d always assumed that google had a moral objection to XHTML, although I don’t see why I wouldn’t be feeding the googlebot text/html. Maybe it just doesn’t like the XML decleration or something? Not so long ago, I remember noticing that google was claming my pages were in an unknown format; maybe they’ve upgraded the system to deal with XHTML but only got as far as extracting the title?

Posted by: jgraham on March 23, 2004 2:54 PM | Permalink | Reply to this

### Re: Freaky!

But unlike your site, non-XHTML pages on my site seem to be displayed as normal

Posted by: jgraham on March 23, 2004 3:25 PM | Permalink | Reply to this

### Re: Freaky!

I wonder, are you serving the XHTML MIME-type to Googlebot? For what it’s worth, my weblog only uses this MIME-type if a client lists it in its Accept header, and I don’t seem to have the same problem; Google displays an excerpt for most of my pages (plus a nonsensical description from dmoz, but that’s neither here nor there). That doesn’t explain why Google would be able to snag your pages’ titles, though.

Posted by: jacob on March 23, 2004 4:20 PM | Permalink | Reply to this

### Re: Freaky!

I’m certainly being indexed. It just appears as if I’m not being archived. It’s as if I put a <meta name="robots" content="noarchive"/> on all my pages.

Yahoo does archive me, so it’s not a generic search-engine problem. And Google used to archive me.

Weird!

Posted by: Jacques Distler on March 23, 2004 4:46 PM | Permalink | PGP Sig | Reply to this

### Re: Freaky!

[Off topic, sorry -

Jacob, your website is so indescribable, you should be glad to have any description at all. :) I’ve changed it just now, but I really have no idea how close it is to how you’d describe it.]

Posted by: Keith on March 23, 2004 11:32 PM | Permalink | Reply to this

### Textile Fixed

Turns out that the fix was rather simple. Thanks to quick work by Srijith, this comment, written with the Textile filter will not have the problem you were seeing.

Posted by: Jacques Distler on March 24, 2004 8:46 AM | Permalink | PGP Sig | Reply to this
Weblog: FultonChain
Excerpt: I'm not going to go on much about this -- until things are clearer it's foolish to speculate -- except to point to the comments (including some by Ms. Trott) on Jeff Jarvis' site. Also see: MeFi | Shelley Powers...
Tracked: March 21, 2004 4:22 PM

### Re: TypeKey

I was a bit surprised to see Mena answering questions about TypeKey on Jeff Jarvis’ site, when so many people were asking similar questions on the MT forum, all of which remained unanswered until Phil pointed towards Mena’s answers at Jeff’s site.

Posted by: Srijith on March 21, 2004 5:23 PM | Permalink | PGP Sig | Reply to this
Read the post Movable Type 3.0 and TypeKey
Weblog: JayAllen - The Daily Journey
Excerpt: A lot of people are talking a lot about MT 3.0 and TypeKey. A lot of what has been posted...
Tracked: March 22, 2004 3:20 AM
Weblog: Medley
Excerpt: Turns out that TypeKey is not the full extent of the planned authentication possibilities in
Tracked: March 22, 2004 7:21 AM
Read the post More TypeKey discussion -UPDATE-
Weblog: hebig.org/blog
Excerpt: SixApart: TypeKey and MT Comment Registration FAQ > Jaques Distler: TypeKey > Mark Pilgrim: TypeKey? You Blog Me > Shelley...
Tracked: March 23, 2004 7:52 AM
Read the post MT Reinvent Drupal Authentication
Weblog: TeledyN
Excerpt: Well, not quite, or rather, Ben and Mena have plans for comment authentication options of which TypeKey mimicks the Drupal-network logins ... only Drupal's is open and distributed. But, to their considerable...
Tracked: March 23, 2004 9:08 PM
Weblog: Full Speed
Excerpt: Six Apart has announced TypeKey. Due in part to many complaints, they have also put out a FAQ. Burningbird has excellent analyses from both before and after the FAQ release. While it's great to see the creators of Movable Type...
Tracked: March 24, 2004 1:01 AM

### Re: TypeKey

All very interesting, but I wouldn’t trust a central resource for ID’s (think Microsoft’s Passport service).

Obviously the spamming of comments, forums, chat rooms, guestbooks, and so on is a huge problem that needs addressing. This guy seems to have a pretty good idea: http://urbanmainframe.com/folders/blog/20040323/page_1.htm

No system will ever be perfect however. It’s good that TypeKey’s coming because it shows that the developers are considering the problem - but I’d prefer a local solution personally.

Posted by: Patrick on March 24, 2004 4:57 AM | Permalink | Reply to this
Read the post Distributed comment authentication
Weblog: Random Neural Misfirings
Excerpt: With the introduction of Typekey, the discussion of blog-comment validation and moderation has kicked into high gear. I applaud the...
Tracked: March 30, 2004 4:47 PM
Weblog: This Chick
Excerpt: If you're not interested in my thoughts on Movable Type 3.0 and/or TypeKey then don't bother to continue reading....
Tracked: April 9, 2004 9:19 PM
Weblog: JoeHewitt.com
Excerpt: I must admit, I've never been the type to worry too much about security or privacy. However, after working for
Tracked: May 9, 2004 5:37 PM

### Re: TypeKey

This has nothing to do with Typekey, because I could not read the small fonts, and could not use Internet Explorer to display the larger fonts without so much overlap as to render the screen virtually unintelligible.
Looks like you might have a great site, otherwise, or, otherwise, I would have not taken the trouble to send this comment.

Best wishes.

Posted by: George Smotherby on December 14, 2004 7:11 PM | Permalink | Reply to this

Post a New Comment