## February 5, 2005

### Who Do You Trust?

The debate over Google’s new rel="nofollow" attribute for “untrusted” links continues to simmer. I explained our (Musings and the String Coffee Table’s) policy a while back. Trackbacks and Comment-Author Links are inoculated with rel="nofollow".

Comment-Author Links of PGP-signed comments are exempt from the rel="nofollow" policy.
So … go generate yourself a PGP key, put your public key on your website (make sure it’s served right), start signing your comments here, and watch your PageRank soar.

Well, OK, maybe not the last one. But this is a wee bit more incentive to do what you should be doing anyway.

Posted by distler at February 5, 2005 12:41 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/505

### Re: Who Do You Trust?

Good, I get some PageRank! That’s especially important since I wasn’t even giving myself PageRank. The MT nofollow plugin adds rel="nofollow" to all comments, even my own. I disabled the plugin after I realized that.

Posted by: Zack on February 5, 2005 1:35 AM | Permalink | PGP Sig | Reply to this

### A problem?

One exploitable issue I can think of is that, since PGP-signed comments are not verified at submission time, you can never know if a comment with the PGP header and footer is indeed a valid PGP signature. A spammer could put some bogus header and footer and spoof a valid-looking PGP comment and get away with it. The obvious way to counter this is to validate any PGP-signed-looking comment as soon as it is submitted and then, if valid, decide not to tag it as nofollow. This raises the possibility of a DoS attack, since the validation process puts a not-too-insignificant load on the machine, and given that spammers attack in a swarm, it seems to me to be a very relevant threat. The spammers may not be aiming for such an attack, but the joint effect of their comment attack and our system could be just that.

Posted by: Srijith on February 5, 2005 2:20 AM | Permalink | PGP Sig | Reply to this

### Re: A problem?

I considered this.

But we are so far from having support for PGP-signed comments widely enough deployed for them to even come on the radar screen of the spammers, that I figure it’s not even worth worrying about at this point.

Right now, whether PGP-signed comments get rel="nofollowed" is a trivial little change to a single MT template module. The day I see a PGP-signed spam comment, I could change policies in less than a minute.

In the meantime (which could be a long time), it’s worth rewarding those who PGP-sign their comments.

Posted by: Jacques Distler on February 5, 2005 2:34 AM | Permalink | PGP Sig | Reply to this

### Re: Who Do You Trust?

How did you implement this? Did you only change the templates or did you also have to hack in MT?

Posted by: Jeroen on February 5, 2005 10:42 AM | Permalink | PGP Sig | Reply to this

### Implementation

A two-line change to the OpenPGPComment 1.5 plugin. The first line adds a new tag, <MTPGPCommentAuthorLink>; the second makes <MTPGPIfSigned> compatible with <MTElse> (a bugfix, really).

--- OpenPGPComment.pl.orig      Mon Mar 29 19:35:10 2004
+++ OpenPGPComment.pl   Fri Feb  4 23:51:55 2005
@@ -72,6 +72,7 @@

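Review bot: the body of this hunk is missing; only the `@@ -72,6 +72,7 @@` header survived. Since the comment above says this is the line that adds the new `<MTPGPCommentAuthorLink>` tag, that half of the change cannot be reviewed as pasted; please include the added line (presumably a tag registration next to the existing ones at line 72).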
@@ -162,6 +162,7 @@
sub ifPGPSigned {
my $ctx = shift; my$pgp_signed=0;
+       local $ctx->{__stash}{tag} = "PGPSigned"; my$comment_text = $ctx->stash('comment')->text; my$q = CGI->new;
my $raw_pgp=$q->param('raw_pgp');
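Review bot: `local $ctx->{__stash}{tag} = "PGPSigned";` is the right way to make `<MTElse>` see the enclosing tag, because `local` restores the stash entry when `ifPGPSigned` returns, so the name does not leak into tags evaluated afterwards. One thing worth documenting, visible in the same hunk: the signed/unsigned decision starts from `$q->param('raw_pgp')` on a fresh `CGI->new`, i.e. the current request, so say what `<MTPGPIfSigned>` evaluates to when the template is rebuilt outside a comment submission, where no `raw_pgp` parameter exists (the `$pgp_signed=0` default suggests "unsigned", which would silently re-inoculate previously exempt links on a full rebuild). Also, the lines as pasted have several statements run together (`my$comment_text`, `my$q`); that is likely extraction, but confirm the committed file keeps them on separate lines.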

Then a small change in the template module to conditionally use <MTPGPCommentAuthorLink> or <MTCommentAuthorLink>, depending on whether the comment is signed.

Posted by: Jacques Distler on February 5, 2005 12:21 PM | Permalink | PGP Sig | Reply to this
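A model of the policy these comments discuss (the post's exemption for signed comments, Srijith's spoofed-armour and validation-cost concern, and the signed/unsigned choice in the template module), added here as an illustration rather than code from the OpenPGPComment plugin. The `verifier` callable is an assumption standing in for a real signature check such as gpg:

```python
import html
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Clearsigned-message armour as produced by `gpg --clearsign`.
PGP_CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----.*?"
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----",
    re.S,
)


@dataclass
class Comment:
    author: str
    url: Optional[str]
    text: str
    pgp_verified: Optional[bool] = None  # verdict cached at submission time


def looks_signed(text: str) -> bool:
    """Cheap syntactic check: the body carries clearsign armour.

    A spammer can satisfy this with a bogus header and footer, so it
    must never on its own lift the rel="nofollow" policy.
    """
    return PGP_CLEARSIGN.search(text) is not None


def verify_at_submission(comment: Comment,
                         verifier: Callable[[str], bool]) -> bool:
    """Run the expensive signature check once, when the comment arrives.

    `verifier` is a stand-in (assumption, not from the page) for a real
    check such as `gpg --verify`. It is consulted only for bodies that
    carry armour, and the verdict is cached on the comment so that page
    rebuilds never repeat the work.
    """
    comment.pgp_verified = looks_signed(comment.text) and bool(verifier(comment.text))
    return comment.pgp_verified


def author_link(comment: Comment) -> str:
    """Render the author link; only a cached verified signature drops nofollow."""
    name = html.escape(comment.author)
    if not comment.url:
        return name
    rel = "" if comment.pgp_verified else ' rel="nofollow"'
    return f'<a href="{html.escape(comment.url, quote=True)}"{rel}>{name}</a>'
```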

### Re: Who Do You Trust?

This is a pretty cool hack.

(Yes, this *is* just a test comment because I’m curious to see how it works!)

Posted by: Rod Begbie on February 15, 2005 9:20 PM | Permalink | PGP Sig | Reply to this

It would be even cooler if you were to make your public key available from your homepage, as specified above.

Posted by: Jacques Distler on February 15, 2005 9:29 PM | Permalink | PGP Sig | Reply to this

Heh. I edited my MT template to include the link, but forgot to rebuild the index. All working now!

Posted by: Rod on February 16, 2005 8:02 AM | Permalink | PGP Sig | Reply to this

Read the post OpenPGPComment 1.5.1 released
Weblog: TriNetre - The Third Eye
Excerpt: Version 1.5.1 of OpenPGPComment has been released. It is a 2 line addition to version 1.5 code to (1) disable 'no-follow' in PGP signed comments (using new tag MTPGPCommentAuthorLink) and...
Tracked: February 21, 2005 3:11 PM

### Re: Who Do You Trust?

I think the real reason Google wants us to add “nofollow” is to get rid of all these blog links which disturb their ranking algorithm.

Seb

Posted by: Sebastian on August 12, 2006 8:41 AM | Permalink | Reply to this

Weblog: Musings
Excerpt: A serious MovableType security vulnerability.
Tracked: January 6, 2007 1:54 AM