Dealing with comment impersonation

| Comments (2) | COMSEC SYSSEC
A number of political blogs (e.g., Obsidian Wings, Matthew Yglesias, etc.) seem to have a problem with comment impersonation. The general pattern is that someone will show up and post something more or less blatantly offensive under the name of a well-known commenter. This is then followed by a series of posts asking "was that really John or just a comment spoofer?" "Can someone check/block their IP?", and often eventual removal of the offending comment, leaving everyone confused about what the fuss is about.

Obviously, the underlying source of the problem is that most blog software has completely open commenting: you don't need to register and you can provide any identity you want and it will just accept it. This is convenient if you regularly post from random machines, but makes this sort of impersonation trivial. The natural "security guy" defense here is of course to require actual user authentication [this seems to be supported by most blog software], but that's really overkill for this situation, where all we really want to do is stop random people from impersonating random other people. Here, then, is my suggestion for a small set of changes which would make most casual impersonation very difficult:

  1. The first time a given identity is used, record the IP from which it is used and install a cookie in the browser which is used to make the comment.
  2. In future, restrict use of that identity to requests which either come from that source IP or present the right cookie.
  3. If you see a request from a different source IP that present the right cookie, add that source IP to the whitelist.
  4. If you see a request from a whitelisted source IP without a cookie, install the cookie.
  5. Have a manual mechanism (e.g., e-mail challenge response) for allowing a new computer to post comments under an existing name.

This isn't perfect in a number of respects. First, it doesn't provide perfect security. For instance, if I ever post from a hotspot (which generally has a NATted network) anyone else from that hotspot will be able to post as me. However, that seems relatively unlikely given the form of attack which we're generally seeing here, which is mostly trolls trying to disrupt the conversation. The second problem, of course, is that it's a little inconvenient if you have multiple computers, but even people who do post from multiple computers generally only have a few and those would quickly be whitelisted. The big advantage of this scheme is that it provides reasonable deterrence against a common attack and is generally pretty transparent to most users. We don't have a comment impersonation problem here on EG, and I'm too lazy to implement it for the public good, but I'm a litle surprised that hosting services like Typepad haven't implemented something similar.


You could let people log in using OpenID. There are lots of OpenID providers like Facebook and Google (you can even host your own), which means no matter where a person posts, they have the same identity. Or, more simply, use a gravatar based on the person's email address. You don't publish the email address, but the gravatar will show that it is the same address across multiple posts/sites.

To flog a paper of mine in this space, in The Strengths of Weaker Identities: Opportunistic Personas we explore several facets of relaxed notions of identity.

Leave a comment