I ran across a link to http://id7r.com this morning, and while it’s a technically interesting application, I can’t help but see it, at best, as a complete dilution of what OpenID is supposed to mean, and at worst, an intentional abuse of OpenID and a perfect tool for spammers.
A Quick Refresher
OpenID is a way for a user to assert to a site that the user controls/owns a URI (a good look at the benefits here), and the authentication process tries to make sure that there’s a person on the other end of that URI.
A key feature of OpenID is that it provides a globally unique identifier for every user, no matter what site or service they are using on the Web. Simon Willison
Meanwhile…
The id7r.com home page says:
Id7r turns every email address into an OpenID identifier.
- type in your email address (prepended with id7r.com/) and click “verify”
- check your mailbox for a new message with subject like “Auth Request #### from id7r.com”
- follow instructions therein to complete the process.
Now, isn’t email the thing that spammers have come very close to completely ruining by creating millions (billions?) of randomly-generated email accounts? The “instructions therein” consist of:
Do not reply to this message! It’s sent from an unattended mailbox.
Hi, <me>,
Someone (possibly you) has requested authorization at id7r.com for an OpenID login.
If you accept, please click this URL http://id7r.com/?action=confirm&token=<atoken>&auth=yes to complete the process.
Otherwise, click this URL http://id7r.com/?action=confirm&token=<atoken>&auth=no to reject it.
If your email client does not make the above URLs clickable or a different browser pops up, please cut and paste either URL into the same browser you used earlier.
Sincerely,
The Id7r Team http://id7r.com
It seems to me that grabbing a link from the email and then submitting a form is not particularly hard for the scum out there.
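To make the point concrete, here is a small simulation of the id7r-style confirmation step described above. This is an added example, not id7r's code: the server side (token issue, email with the two links, single-use confirm with an expiry) is a hypothetical reconstruction from the email text in this post, the mail delivery is an in-memory list standing in for a mailbox, and the `auto_confirm` function is the automation the paragraph above worries about: read the inbox, pull out the `auth=yes` link, follow it. Nothing on the network is contacted.

```python
"""Constructed simulation of an email-confirmed OpenID identifier flow.

Server behaviour (token TTL, single use) and the mail template are
assumptions modelled on the id7r email quoted in the post; this is not
id7r's own implementation.
"""
import re
import secrets
import time
from urllib.parse import parse_qs, urlparse

ID7R_BASE = "http://id7r.com"  # taken from the post; never contacted here

# Reconstructed from the email quoted in the post (assumption: exact wording may differ).
MAIL_TEMPLATE = (
    "Do not reply to this message! It's sent from an unattended mailbox.\n"
    "Hi, {email},\n"
    "Someone (possibly you) has requested authorization at id7r.com for an OpenID login.\n"
    "If you accept, please click this URL {base}/?action=confirm&token={token}&auth=yes "
    "to complete the process.\n"
    "Otherwise, click this URL {base}/?action=confirm&token={token}&auth=no to reject it.\n"
)


class Id7rServer:
    """Hypothetical provider: issues tokens, mails links, confirms once."""

    TOKEN_TTL = 600  # seconds; assumed value

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # token -> (email, issued_at)
        self.outbox = []          # (recipient, body): stands in for SMTP delivery
        self.confirmed = []       # identifiers that completed the flow

    def identifier_for(self, email):
        # "type in your email address (prepended with id7r.com/)"
        return f"id7r.com/{email}"

    def request_verification(self, email):
        token = secrets.token_hex(16)
        self.pending[token] = (email, self.now())
        body = MAIL_TEMPLATE.format(email=email, base=ID7R_BASE, token=token)
        self.outbox.append((email, body))
        return token

    def confirm(self, url):
        """Handle a click on either link; the token is consumed either way."""
        q = parse_qs(urlparse(url).query)
        if q.get("action") != ["confirm"]:
            return "bad request"
        token = q.get("token", [None])[0]
        entry = self.pending.pop(token, None)   # single use: second click fails
        if entry is None:
            return "unknown or used token"
        email, issued = entry
        if self.now() - issued > self.TOKEN_TTL:
            return "expired"
        if q.get("auth") == ["yes"]:
            self.confirmed.append(self.identifier_for(email))
            return "confirmed"
        return "rejected"


# The "accept" link is the only thing an automated mailbox reader needs to find.
CONFIRM_RE = re.compile(r"(http://id7r\.com/\?action=confirm&token=[0-9a-f]+&auth=yes)")


def auto_confirm(server, inbox):
    """Client-side automation: for every mail, extract the accept link and follow it."""
    results = []
    for recipient, body in inbox:
        m = CONFIRM_RE.search(body)
        if m:
            results.append((recipient, server.confirm(m.group(1))))
    return results


def demo(n_accounts=3):
    """Register n throwaway addresses and confirm all of them without a human."""
    server = Id7rServer()
    for i in range(n_accounts):
        server.request_verification(f"bot{i}@example.com")
    inbox = list(server.outbox)       # constructed: plays the role of POP/IMAP access
    outcomes = auto_confirm(server, inbox)
    return server, outcomes


if __name__ == "__main__":
    srv, out = demo()
    for recipient, result in out:
        print(recipient, "->", result)
    print("identifiers minted:", srv.confirmed)
```

The single-use token and expiry are the checks a provider would want on its own side, and the simulation keeps them; they stop link replay, but they do nothing against the problem the post raises, because every address the script controls receives a fresh, valid link and the regex finds it in one pass.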
Am I Crazy?
So, I know that OpenID does not claim to be an end to spam in and of itself (thanks to singpolyma for the reminder), but this just seems completely wrong to me. There was a recent spat over the anonymous OpenID server, and the community consensus seems to be that we’re going to have to resort to server blacklists eventually (though the author of the anonymous server makes a decent case that blacklists are not going to do it either).
So am I crazy for seeing this as a huge problem? Unlike the anonymous server, id7r.com looks like something that normal users would find useful, thereby making it harder on them if we simply blacklist it.
Got thoughts? Hit the comments and let me know.
I think that if this is a problem (and it is) then it's an issue that affects OpenID in general, but is not OpenID's job to solve.
As the creator of the anonymous server points out, the protocol easily allows for SPAMmers to create unlimited OpenIDs. This is a problem even if we shut down the existing servers that make it simple.
I don't think it's OpenIDs job to fix this though. As with API authentication (OAuth), SPAM should be dealt with by another layer. So what if SPAMmers can OpenID log in to my site? They can SPAM me /without/ OpenID (I have anonymous comments enabled). Akismet+BadBehavior do a good job (although BB I have disabled because it was blocking legit bots...) I'm not saying these services are the ultimate solution, but they illustrate how another layer can be used to handle this. SPAM is bigger than OpenID.
This is certainly not a problem and even less of an OpenID problem!
Who said there should only be one way of saying "this is me" and that it should include a login and a password? One of the strengths of OpenID is the ability to use any kind of authentication system.
OpenID is NOT about physical identity. OpenID is NOT about proving we are human. OpenID is about choosing how we sign in.
I'm not sure if it's a problem... I actually think the service is a good idea, except that email, as you pointed out, has largely succumbed to abuse. That said, it's still the conduit for the lifeblood of the internet (communication), so it's not the protocol that's the problem. The same thing is true for OpenID. It's just a dumb protocol. Microformats are similarly able to be used for evil/spammy purposes. I guess it comes down to creating a trusted social mesh in which to operate with the right kind of "antibodies" built in.
This is the model of the human body and I'd take the wisdom of its millions of years of evolution over the ingenuity of spammers any day.
Steve has a valid point about potential abuse. However, id7r is not an intentional abuse of OpenID ;-) Instead we are trying to make OpenID (& its idea & use) more accessible to end users. No doubt we monitor our system for any abuse attempt and have tools in hand to defend it.
Stephen & Sunny: I couldn't agree more with you on this issue.
Chris: I like your "model of the human body".
For computer viruses, there are theoretical studies like Fred Cohen's that show our inability to deal with them. Just wondering if there is similar work about spam.