Questions About Known (@withknown) Platform, Webmentions and security / spam

On my drive to an airport yesterday, I listened to the enjoyable conversation on Leo Laporte's This Week in Google (TWIG 266) where he talked with Known's Ben Werdmuller and Erin Jo Richey about the platform and about the "Indie Web" in general.  Kevin Marks was also a guest and continued talking with Leo for a time after Ben and Erin had left.

The discussion helped me understand a great bit more about what they are aiming to do with Known - and also with the broader "Indie Web" movement that I hadn't really been tracking.  I'm a huge fan of all things that are "distributed and decentralized", so I very much like the model that is being developed.

I was also intrigued by the discussion of Webmention, something I'd not heard of but that seems to be an updated and improved evolution of the "Trackback" concept that many of us used back in the early days of blogging in the early 2000s (as well as "Pingback" that came later).

I was left with a whole number of questions... some of which I think I'll understand better when I get a chance to install Known directly onto one of my servers... but the biggest question was:

How will Webmention deal with spam?

That to me became the biggest problem with Trackback - spammers turned to it and deluged all of us running blogs with tons of trackback spam.  It's still a problem on several sites where I still have trackback enabled (and I moderate all comments/trackbacks as a result).

I see on the page (which is a redirect to a GitHub page) that they have some thoughts around spam and abuse:

  • The verification process SHOULD be queued and processed asynchronously to prevent DDoS attacks.
  • Receivers SHOULD moderate Webmentions, and if a link is displayed back to the source, SHOULD link to source with rel="nofollow" to prevent spam.
  • Receivers MAY periodically re-verify webmentions and update them.
  • If a receiver chooses to publish data it picks up from source, it should ensure that the data is encoded and/or filtered to prevent XSS and CSRF attacks.

But that doesn't really offer any solution beyond moderation... which means that the publishing platforms implementing Webmention have to provide some kind of interface for moderating comments and webmentions.
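The recommendations quoted above, shown together as an added Python example (not Known's code and not part of the Webmention page): the request path only queues, a worker later checks that the source really links to the target, and verified mentions are escaped, marked `rel="nofollow"` and held for moderation. The `Receiver` class, its `fetch` callable and the `SAMPLE` pages are assumptions made for illustration.

```python
import html
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages standing in for fetched source documents.
SAMPLE = {"https://a.example/post": '<p><a href="https://me.example/note">hi</a></p>',
          "https://spam.example/x": "<p>https://me.example/note as plain text</p>"}

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = set()          # every href/src value seen in the source
    def handle_starttag(self, tag, attrs):
        self.urls.update(v for k, v in attrs if k in ("href", "src") and v)

def source_links_to(source_html, target):
    """Verification step: the source must really contain a link to target."""
    parser = _Links()
    parser.feed(source_html)
    return target in parser.urls

def render_mention(source, title):
    """Escape everything taken from the source and mark the link nofollow."""
    return f'<a href="{html.escape(source)}" rel="nofollow">{html.escape(title)}</a>'

class Receiver:
    def __init__(self, fetch, max_queue=1000):
        self.fetch = fetch         # callable(url) -> HTML text (assumption)
        self.queue, self.max_queue = deque(), max_queue
        self.moderation = []       # verified mentions awaiting a human decision

    def receive(self, source, target):
        """Cheap checks only; no network fetch happens in the request path."""
        ok = all(urlsplit(u).scheme in ("http", "https") for u in (source, target))
        if not ok or source == target:
            return 400
        if len(self.queue) >= self.max_queue:
            return 503             # shed load instead of growing unbounded
        self.queue.append((source, target))
        return 202                 # accepted; verification happens later

    def process_one(self):
        """Worker step: verify asynchronously, then hold for moderation."""
        source, target = self.queue.popleft()
        verified = source_links_to(self.fetch(source), target)
        if verified:
            self.moderation.append(render_mention(source, source))
        return verified
```

Verification only proves that a link exists, so a spammer who publishes real pages with real links still gets through it; the moderation queue is what stops those from being displayed.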

How does Known handle this?  Could I set up a Known server and start sending webmentions to every other Known server I could find?

Right now all of this seems to be more in the experimental development phase where this is all fine ... but at some point when this gets to be more popular, the spammers will come.  Inevitably they show up with their twisted desire to (ab)use every platform to advance their business model.

How will the world of "webmention" deal with that?  And how will Known specifically?

Many questions...