Seth Woolley's Blog

TrackBack and PingBack revisited(0)

Update

A short while after TrackBack and PingBack were introduced, I wrote a blog entitled "The Problems with TrackBack and PingBack" where I laid out that both were a completely useless addition to the web and only worked to increase security risks by adding a plethora of complex code additions.

It turns out that I was correct.

http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulner\
able_to_xmlrpc_exploits.html

http://isc.sans.org/diary.php?date=2005-07-03

Rather than repeating what I wrote that has since been lost to a harddrive crash, I found a good summary of what to do instead here:

http://www.peej.co.uk/thinking/2004/10/trackback-pingpack

I wish I had a copy of what I wrote, as it predates that entry by six months, but that will have to suffice.

So in summary, please, disable trackback and pingback and use the existing methods we already have.

For clarification, the existing methods are:

• for comment-aggregation, use a blog that allows comments to be edited by the user.  A "feature" of trackback is the "remote comment".  Post a link to the comment in your blog, or post a link to the remote blog of the link back to your comment.  This prevents unneeded duplication as well.
• for link-aggregation, use a referrer analyzer that validates the legitimacy of referrers.