Permanent OpenID is here

What happens when you switch between different OpenID IdPs?
Your OpenID keeps changing.

What do you do if you do not have your own website to ensure that your OpenID remains constant?
You should use Permanent OpenID.

With Permanent OpenID, you always use www.jkg.in/popenid/username as your OpenID, irrespective of the OpenID identity provider you actually log in with. We recommend that you do not use an Anonymous OpenID unless you are sure of its implications.

We all know that OCR technology can be used to break CAPTCHAs. The same applies to audio CAPTCHAs: spammers can use speech recognition to break them.

[Sample CAPTCHA image]

That they aren’t 100% effective doesn’t mean we shouldn’t use them. Further, if we generate good CAPTCHA images, we can make them fail under OCR far more often.

Yes, spammers can still use low-paid data entry workers to break the CAPTCHAs. It will always remain a cat-and-mouse game between spammers and anti-spam technology, and unfortunately the spammers have been winning so far.

This doesn’t mean that we cannot or should not use CAPTCHAs. There isn’t a single solution to all our spam problems. We need to put multiple barriers in front of spammers, and a good CAPTCHA engine is just one of them.

Most anti-spam strategies are “reactive”: they were devised only after spammers started bypassing the strategy already in place. We have to be more proactive on this front and try to beat them. Whatever we do, low-paid data entry workers can still get through, but the added difficulty will definitely discourage many spammers.

OpenID, A Spam Heaven?

I say, Yes!

Dmitry Shechtman quickly and rightly realized that my Anonymous OpenID server is a heaven for spam.

First, why did I create the server if I knew this as well? Well, to generate awareness the hard way ;)

Quoting http://openid.net/about.bml:

What about spam?
Again, this is not a trust system.

The above statement at OpenID.net reflects total ignorance about it. C’mon guys, we cannot be ignorant about it. I am sure all “normal” people hate spam. I think we must implement a solution for it in the protocol itself. We don’t have to be 100% accurate, but we must be able to deter a major chunk of spammers.

See, all that I did to create my Anonymous OpenID server was to modify a few lines of code in phpMyID, and the spammer-friendly OpenID server was up and running. (And no, I am not going to release the changes I made.)

We know that spammers have lots of domains, and I am sure all of their servers are capable of running one OpenID IdP or another. This means they are also capable of generating an unlimited number of OpenIDs, as I did.

I don’t think using only blacklists is a good idea, given that all it takes for a spammer is to buy a domain, modify and set up phpMyID, and voila! He’s back in business (maybe only for some time, but still).

Here is what I propose:
When we initiate the process, the client/consumer sends a dynamically generated image to the IdP. The IdP shows the normal login form along with the CAPTCHA image and an input field.

When the user submits the form, the IdP communicates with the client/consumer and gives it the text the user entered for the CAPTCHA image, to be verified. The client checks whether the text is correct and sends the reply back to the IdP.

If the text the user entered was not correct, we request another image from the client. We do this at most 3 times for a given IP.

If the text the user entered for the CAPTCHA image is correct, we proceed with the existing authentication process.
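The exchange proposed above, simulated end to end, as an added example that is not part of the original post and is not code from phpMyID or any OpenID library. Both parties are plain Python objects passing dicts that stand in for HTTP messages, the "image" is a placeholder byte string rather than a rendered picture, and the class names, message keys, the 300-second challenge lifetime and the sample accounts and IPs are all assumptions made for this example. The one design decision that matters is that the consumer keeps the expected answer and the per-IP counter on its own side: in this scheme the IdP is exactly the party we do not trust.

```python
"""Simulated CAPTCHA handshake between an OpenID consumer and an IdP.

Added example; all names and values are assumptions, not the post's code.
"""
import secrets
import time

MAX_ATTEMPTS = 3       # from the proposal: at most 3 tries for a given IP
CHALLENGE_TTL = 300    # seconds; assumed, the post gives no lifetime


class Consumer:
    """The relying party. It is the only party that ever knows the answer,
    so a spammer-run IdP learns nothing by inspecting what it relays."""

    def __init__(self, words, pick=secrets.choice, clock=time.time):
        self._words = list(words)   # constructed pool of CAPTCHA texts
        self._pick = pick           # secrets.choice in real use; injectable for the demo
        self._clock = clock
        self._pending = {}          # challenge_id -> (claimed_id, answer, ip, expiry)
        self._failures = {}         # ip -> wrong answers so far

    def _issue(self, claimed_id, ip):
        answer = self._pick(self._words)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (claimed_id, answer, ip, self._clock() + CHALLENGE_TTL)
        # Placeholder for the rendered picture; the bytes never contain the answer.
        image = b"image-placeholder:" + challenge_id.encode()
        return {"claimed_id": claimed_id, "challenge_id": challenge_id, "image": image}

    def begin_login(self, claimed_id, user_ip):
        """Step 1: the user starts the login at the consumer. The IP is the one
        the consumer observed itself, never one reported by the IdP."""
        if self._failures.get(user_ip, 0) >= MAX_ATTEMPTS:
            raise PermissionError("too many failed CAPTCHAs from %s" % user_ip)
        return self._issue(claimed_id, user_ip)

    def verify(self, challenge_id, text):
        """Step 3: the IdP hands back what the user typed. Returns
        ('ok', None), ('retry', <new challenge>) or ('blocked', None)."""
        entry = self._pending.pop(challenge_id, None)   # single use: a replay fails
        if entry is None:
            return "blocked", None
        claimed_id, answer, ip, expiry = entry
        if self._clock() > expiry:
            return "blocked", None
        if secrets.compare_digest(text.strip().lower(), answer):
            self._failures.pop(ip, None)
            return "ok", None
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= MAX_ATTEMPTS:
            return "blocked", None
        return "retry", self._issue(claimed_id, ip)    # another image for the same IP


class IdentityProvider:
    """The OpenID server. It shows the consumer's image next to its normal
    login form and relays the typed text; it never sees the answer."""

    def __init__(self, consumer, accounts):
        self._consumer = consumer
        self._accounts = dict(accounts)   # username -> password (constructed)

    def login_form(self, challenge):
        return {"fields": ["username", "password", "captcha"], "image": challenge["image"]}

    def submit(self, challenge, username, password, captcha_text):
        """Step 2: ask the consumer first; run normal authentication only on 'ok'."""
        status, next_challenge = self._consumer.verify(challenge["challenge_id"], captcha_text)
        if status != "ok":
            return status, next_challenge
        good = secrets.compare_digest(self._accounts.get(username, ""), password)
        return ("authenticated" if good else "bad-credentials"), None


def walkthrough():
    """A spammer exhausts the 3 tries from one IP; a real user logs in from another."""
    consumer = Consumer(["giraffe", "tango"], pick=lambda ws: ws[0])   # deterministic for the demo
    idp = IdentityProvider(consumer, {"alice": "correct horse"})
    results = []
    chal = consumer.begin_login("http://www.jkg.in/popenid/spammer", "203.0.113.5")
    for guess in ("xxxx", "yyyy", "zzzz"):
        status, chal = idp.submit(chal, "spammer", "pw", guess)
        results.append(status)
    try:                                    # fourth attempt: no more images for that IP
        consumer.begin_login("http://www.jkg.in/popenid/spammer", "203.0.113.5")
        results.append("issued")
    except PermissionError:
        results.append("refused")
    chal = consumer.begin_login("http://www.jkg.in/popenid/alice", "198.51.100.7")
    status, _ = idp.submit(chal, "alice", "correct horse", "GIRAFFE ")
    results.append(status)
    results.append(consumer.verify(chal["challenge_id"], "giraffe")[0])   # replay of a used id
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two things the simulation makes visible that the prose leaves implicit. The attempt counter has to be keyed on the IP the consumer saw when the user first arrived, because anything the IdP reports about "the user" can be fabricated by a spammer running his own phpMyID; and each challenge must be single-use and short-lived, otherwise one human-solved image can be replayed across many logins. Neither closes the data-entry-worker loophole the post already concedes.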

Is the proposed solution foolproof? Of course not, but it will deter a lot of spammers.

I am sure there will be folks who will not like the above CAPTCHA idea, given that some people may have problems reading them, etc. I do understand that. I think with some constructive discussion around it, we can do it in a way that suits everyone and still makes things difficult for spammers.

I hope I’ll be successful in my attempt to get the protocol changed slightly and make things difficult for spammers.

What will I do with this Anonymous OpenID server? Well, it will stay online for now, until I am able to convince people to change the protocol. If spammers use it too often or I have any bandwidth issues, I might take it down earlier.

On a side note, Dmitry also thinks that the Anonymous OpenID server is a perfect anti-phishing solution, since no authentication happens ;)

But, that won’t stop the anti-phishing debate though :)

OpenID is getting more popular day by day and generating a lot of discussion, with varied responses. I was wondering if it would be a good idea to have a password-less/anonymous OpenID that one can use. I think I need one, so I made the anonymous OpenID server, and it is ready for you to use at http://www.jkg.in/openid/. Read the Anonymous OpenID page for more info.