February 5, 2005

Who Do You Trust?

The debate over Google’s new rel="nofollow" attribute for “untrusted” links continues to simmer. I explained our (Musings and the String Coffee Table’s) policy a while back. Trackbacks and Comment-Author Links are inoculated with rel="nofollow".

But then I got to thinking. There is, surely, one class of Comment-Author Link that I do trust: authors who have gone to the trouble to PGP-sign their comments. Previously, PGP-signing your comments gave you that warm feeling of knowing that you cannot be impersonated, nor the text of your comments tampered-with, without that being evident to anyone who clicks on the verification link. But now, PGP-signing your comments buys you that extra little ε of Google PageRank as well.

Comment-Author Links of PGP-signed comments are exempt from the rel="nofollow" policy.
So … go generate yourself a PGP key, put your public key on your website (make sure it’s served right), start signing your comments here, and watch your PageRank soar.

Well, OK, maybe not the last one. But this is a wee bit more incentive to do what you should be doing anyway.

Posted by distler at February 5, 2005 12:41 AM

9 Comments & 2 Trackbacks

Re: Who Do You Trust?

Good, I get some PageRank! That’s especially important since I wasn’t even giving myself PageRank. The MT nofollow plugin adds rel="nofollow" to all comments, even my own. I disabled the plugin after I realized that.

Posted by: Zack on February 5, 2005 1:35 AM | Permalink | PGP Sig | Reply to this

A problem?

One exploitable issue I can think about is that since PGP signed comments are not verified at submission time, you can never know if a comment with the PGP header and footer is indeed a valid PGP signature. A spammer could put some bogus header and footer and spoof a valid looking PGP comment and get away with it. The obvious way to counter this is to validate any PGP signed looking comment as soon as it is submitted and then if valid, to decide not to tag it as no-follow. This raises the possibility of a DoS attack since the validation process puts a not too insignificant load on the machine and given that spammers attack in a swarm, it seems to me to be a very relevant threat. The spammers may not be aiming for such an attack, but the joint effect of their comment attack and our system could be just that.

Posted by: Srijith on February 5, 2005 2:20 AM | Permalink | PGP Sig | Reply to this
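
The countermeasure raised in the comment above, sketched as an added example (not part of the original thread or of the OpenPGPComment plugin, and in Python rather than the plugin's Perl): a cheap structural filter rejects bogus header-and-footer comments before any cryptography runs, and a budget caps how many full verifications a burst of submissions can trigger. The names `structurally_plausible`, `VerifyBudget` and `author_link_rel` are hypothetical, and the cryptographic check itself is left to a caller-supplied `verify` function.

```python
import base64, re, time

def crc24(data: bytes) -> int:
    """CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

ARMOR = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash: [^\n]*\n)*\n.*?\n-----BEGIN PGP SIGNATURE-----\n"
    r"(?:[A-Za-z]+: [^\n]*\n)*\n(?P<sig>[A-Za-z0-9+/=\n]+?)\n=(?P<crc>[A-Za-z0-9+/]{4})\n"
    r"-----END PGP SIGNATURE-----", re.S)

def structurally_plausible(text: str) -> bool:
    """Cheap filter only: framing, base64 and checksum. Proves nothing about the signer."""
    m = ARMOR.search(text.replace("\r\n", "\n"))
    if not m:
        return False
    try:
        sig = base64.b64decode(m["sig"].replace("\n", ""), validate=True)
        crc = int.from_bytes(base64.b64decode(m["crc"], validate=True), "big")
    except ValueError:
        return False
    return bool(sig) and crc24(sig) == crc

class VerifyBudget:
    """Hypothetical policy knob: at most `limit` full verifications per `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock, self.stamps = limit, window, clock, []
    def allow(self) -> bool:
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < self.window]
        if len(self.stamps) >= self.limit:
            return False
        self.stamps.append(now)
        return True

def author_link_rel(text, verify, budget) -> str:
    """Empty rel (followed link) only after `verify` succeeds; otherwise nofollow."""
    ok = structurally_plausible(text) and budget.allow() and verify(text)
    return "" if ok else "nofollow"

SPOOF = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nspam text\n"  # constructed sample
         "-----BEGIN PGP SIGNATURE-----\n\nnot-a-signature\n-----END PGP SIGNATURE-----\n")
```

A comment that fails the filter never consumes budget, and a comment that arrives when the budget is spent simply keeps rel="nofollow", so the failure mode under load is a lost reward rather than a stalled server.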

Re: A problem?

I considered this.

But we are so far from having support for PGP-signed comments widely enough deployed for them to even come on the radar screen of the spammers, that I figure it’s not even worth worrying about at this point.

Right now, whether PGP-signed comments get rel="nofollowed" is a trivial little change to a single MT template module. The day I see a PGP-signed spam comment, I could change policies in less than a minute.

In the meantime (which could be a long time), it’s worth rewarding those who PGP-sign their comments.

Posted by: Jacques Distler on February 5, 2005 2:34 AM | Permalink | PGP Sig | Reply to this

Re: Who Do You Trust?

How did you implement this? Did you only change the templates or did you also have to hack in MT?

Posted by: Jeroen on February 5, 2005 10:42 AM | Permalink | PGP Sig | Reply to this


A two-line change to the OpenPGPComment 1.5 plugin. The first line adds a new tag, <MTPGPCommentAuthorLink>; the second makes <MTPGPIfSigned> compatible with <MTElse> (a bugfix, really).

---      Mon Mar 29 19:35:10 2004
+++   Fri Feb  4 23:51:55 2005
@@ -72,6 +72,7 @@
 MT::Template::Context->add_container_tag('IfNotSpecificComment' => sub{&showCommentForm;});
 MT::Template::Context->add_tag('PGPCommentBody' => sub{&_hdlr_pgpcomment_body;});
 MT::Template::Context->add_tag('PGPCommentPreviewBody' => sub{&_hdlr_pgpcomment_body;});
+MT::Template::Context->add_tag('PGPCommentAuthorLink' => sub{&MT::Template::Context::_hdlr_comment_author_link;});
 MT::Template::Context->add_conditional_tag('IfPGPSigned' => sub {&ifPGPSigned;});
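
Review bot: The added PGPCommentAuthorLink registration binds the new tag straight to MT's stock _hdlr_comment_author_link, so the tag itself performs no signed-comment check and nothing at this line stops a template from using it on an unsigned comment. Either wrap the handler so that it declines to render unless ifPGPSigned returns true, or add a comment stating that the tag is only meant to be used inside the IfPGPSigned container registered on the following line.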

@@ -162,6 +162,7 @@ sub ifPGPSigned { my $ctx = shift; my $pgp_signed=0; + local $ctx->{__stash}{tag} = "PGPSigned"; my $comment_text = $ctx->stash('comment')->text; my $q = CGI->new; my $raw_pgp=$q->param('raw_pgp');
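
Review bot: The added line local $ctx->{__stash}{tag} = "PGPSigned"; hard-codes a string that does not match the name the tag is registered under ('IfPGPSigned' in the first hunk), and it writes into the context's __stash hash directly while the very next line goes through $ctx->stash('comment'). A one-line comment saying why the stash needs this value, and why that particular string, would keep a later rename of the tag from silently breaking it.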

Then a small change in the template module to conditionally use <MTPGPCommentAuthorLink> or <MTCommentAuthorLink>, depending on whether the comment is signed.

Posted by: Jacques Distler on February 5, 2005 12:21 PM | Permalink | PGP Sig | Reply to this

Re: Who Do You Trust?

This is a pretty cool hack.

(Yes, this *is* just a test comment because I’m curious to see how it works!)

Posted by: Rod Begbie on February 15, 2005 9:20 PM | Permalink | PGP Sig | Reply to this

Linking to your public key

It would be even cooler if you were to make your public key available from your homepage, as specified above.

Posted by: Jacques Distler on February 15, 2005 9:29 PM | Permalink | PGP Sig | Reply to this

Re: Linking to your public key

Heh. I edited my MT template to include the link, but forgot to rebuild the index. All working now!

Posted by: Rod on February 16, 2005 8:02 AM | Permalink | PGP Sig | Reply to this
Read the post OpenPGPComment 1.5.1 released
Weblog: TriNetre - The Third Eye
Excerpt: Version 1.5.1 of OpenPGPComment has been released. It is a 2 line addition to version 1.5 code to (1) disable 'no-follow' in PGP signed comments (using new tag MTPGPCommentAuthorLink) and...
Tracked: February 21, 2005 3:11 PM

Re: Who Do You Trust?

I think the real reason Google wants us to add “nofollow” is to get rid of all these blog links which disturb their ranking algorithm.


Posted by: Sebastian on August 12, 2006 8:41 AM | Permalink | Reply to this
Read the post Full Disclosure
Weblog: Musings
Excerpt: A serious MovableType security vulnerability.
Tracked: January 6, 2007 1:54 AM
