Phil Dreizen

Everything rusts, including websites - OpenId edition

Comments on this site essentially stopped working because of a lack of support for OpenID in general and the deprecation of the OpenID 2.0 standard specifically. OpenID is (or was?) an open standard for authentication, and allowed you to log into websites using just one URL that was hosted by an "OpenID provider." There were OpenID providers like myopenid for those who knew what OpenID was. But large companies like Google, Yahoo, and Facebook also acted as providers, hiding the underlying technology, allowing users to log in with their already existing accounts.

What was nice about OpenID was that I didn't need to ask users to create an identity on my site. They just used their identity from somewhere else. And because it was an open standard, I didn't need to write code for each provider.

It seems since I last actively used this site, OpenID 2.0 was dropped, replaced with OpenID Connect. Besides Google, I can't seem to find anything that uses OpenID Connect. (I could be wrong about this, but it sure is hidden). And even Google prefers you use their "Google Sign-In" over OpenID Connect.

Of course, you see "Sign in with Google" and "Sign in with Facebook" all over the web. But it seems to me that if I want people to be able to sign in with Google, Facebook or anything else, I have to handle each case separately. Which is really annoying.

In any case, until I do something about the situation, I have to disable comments.

now with more comments! (alpha)

Because at least two people have requested that I add comments, I've implemented a comment system. This isn't well tested by me or anything, so if you encounter bugs please let me know about them! And please, make feature requests. To leave a comment, you'll need to sign in with a third party, like Google or Yahoo.

Adding comments introduces some...issues. So I wasn't originally in a rush to get it done.

The first issue is trying to combat spam. There are lots of options to deal with it. Widely used options like reCAPTCHA are in a war of escalation with spammers. As a result they've gotten so difficult to read that I find them too hostile to non-spammers like me. I considered rolling my own ASCII captcha - it would generate random words in ASCII art, and prompt the user to enter the word generated. (In fact, I DID develop this and chose not to use it...yet...) Though a system like this would be fairly easy to break, any time spent breaking it would be specific to this one site, and not really worth a spammer's time. There are services like Akismet that probably use Bayesian classifiers and the like to guess if a particular comment is spam. Akismet is widely used right now, so it's probably a good choice. Right now I don't have any of these in place...I'm hoping that since I'm requiring an OpenID login, spam will be reduced, though I don't actually know that it will help in any way. I do have a simple honeypot in place. Apparently, spambots can't resist filling in form fields, and so I have a form field (not displayed) that must be left blank for a successful comment submission.

Then there's the concern that comes with any user-submitted data: security. Inviting users to comment invites users to try to break into the site (things like SQL injection). And, especially since comments are displayed right back on the page, another concern is users leaving malicious JavaScript code in the comments they leave (XSS). Third-party libraries like htmlpurifier help with the latter at least.
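As an added illustration (my sketch, not code from this site), the following Python handler puts together the honeypot check from the spam paragraph above and the two mitigations mentioned here: a parameterised insert so comment text can't alter the SQL, and escaping on output so stored text can't run as script. The hidden field name `website` and the in-memory SQLite table are assumptions, and `html.escape` stands in for a sanitiser like htmlpurifier.

```python
import html
import sqlite3

# Hypothetical name of the hidden honeypot input (an assumption, not the site's real field).
HONEYPOT_FIELD = "website"
MAX_BODY_LEN = 5000


def open_store():
    """Constructed in-memory comment table standing in for the blog's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def validate_submission(form):
    """Return a rejection reason, or None if the submission may be stored."""
    # The honeypot input is hidden from humans; a bot that fills in every field trips it.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot filled"
    body = form.get("body", "").strip()
    if not body:
        return "empty comment"
    if len(body) > MAX_BODY_LEN:
        return "comment too long"
    return None


def store_comment(conn, author, body):
    """Insert with bound parameters: the text is data, never spliced into the SQL string."""
    cur = conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()
    return cur.lastrowid


def render_comment(conn, comment_id):
    """Escape on output so a stored comment is shown as text, not interpreted as markup."""
    row = conn.execute("SELECT author, body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    author, body = row
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


def handle_submission(conn, author, form):
    """Full path for one POST: honeypot/length checks, then a safe insert. Returns the new id or None."""
    if validate_submission(form) is not None:
        return None
    return store_comment(conn, author, form["body"].strip())
```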

And what to do about anonymous users? I ultimately decided that having some kind of identity will reduce flaming. So, in order to leave a comment, you'll need to authenticate using OpenID. You'll be able to use lots of services (Google, Yahoo...) to authenticate this way.

Finally, there is the fact that there will be bugs. So I'm looking forward to angry friends telling me how they tried to leave a comment but couldn't. Why did I bother implementing this from scratch again?