Seth Woolley's Blog

Occasional Musings

Tue Jul 5 03:49:44 2005 -- TrackBack and PingBack revisited

Update

A short while after TrackBack and PingBack were introduced, I wrote a blog post entitled "The Problems with TrackBack and PingBack" in which I laid out that both were a completely useless addition to the web and only increased security risk by adding a large amount of complex code.

It turns out that I was correct.

http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerable_to_xmlrpc_exploits.html

http://isc.sans.org/diary.php?date=2005-07-03

Rather than repeating what I wrote, which has since been lost to a hard drive crash, I found a good summary of what to do instead here:

http://www.peej.co.uk/thinking/2004/10/trackback-pingpack

I wish I had a copy of what I wrote, as it predates that entry by six months, but that will have to suffice.

So in summary, please, disable trackback and pingback and use the existing methods we already have.

For clarification, the existing methods are:

  • for comment aggregation, use a blog that allows comments to be edited by the user.  A "feature" of trackback is the "remote comment".  Instead, post a link to the comment in your blog, or post a link on the remote blog back to your comment.  This prevents unneeded duplication as well.
  • for link aggregation, use a referrer analyzer that validates the legitimacy of referrers.
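As an added illustration of the second point (this is example code, not code from the original post), here is a small referrer validator: it parses combined-format access log lines, discards Referer values that are not external HTTP URLs, fetches each candidate referring page once, and keeps a referrer only if that page really links back to the requested path. The site name, sample log lines, the `FAKE_PAGES` stand-in for the HTTP fetch and all function names are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format; only the request path and Referer matter here.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
                    r'"(?P<referer>[^"]*)" "[^"]*"$')

def parse_referrers(lines):
    """Yield (requested_path, referer) pairs, skipping lines without a usable Referer."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("referer") not in ("", "-"):
            yield m.group("path"), m.group("referer")

def page_links_to(html, target_url):
    """True only if the referring page actually carries a link to target_url."""
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)', html, re.I)
    return any(h.rstrip("/") == target_url.rstrip("/") for h in hrefs)

def validate_referrers(lines, site, fetch):
    """Return {path: sorted referers that really link back}.
    fetch(url) -> HTML text or None, injected so the check can run offline."""
    own_host = urlparse(site).netloc
    checked, good = {}, {}
    for path, ref in parse_referrers(lines):
        u = urlparse(ref)
        if u.scheme not in ("http", "https") or not u.netloc or u.netloc == own_host:
            continue  # not a URL, or our own internal navigation: not an inbound link
        if (path, ref) not in checked:  # fetch each candidate page only once
            html = fetch(ref)
            checked[(path, ref)] = bool(html) and page_links_to(html, site + path)
        if checked[(path, ref)]:
            good.setdefault(path, set()).add(ref)
    return {p: sorted(r) for p, r in good.items()}

# Constructed sample data (not from the original page): three log lines and a
# dictionary standing in for the HTTP fetch, so the example runs without network access.
SITE = "http://blog.example"
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2005:03:49:44 -0700] "GET /2005/07/trackback HTTP/1.1" 200 5120 '
    '"http://friend.example/links" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jul/2005:03:50:01 -0700] "GET /2005/07/trackback HTTP/1.1" 200 5120 '
    '"http://spam.example/casino" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jul/2005:03:50:02 -0700] "GET /2005/07/trackback HTTP/1.1" 200 5120 '
    '"http://blog.example/" "Mozilla/5.0"',
]
FAKE_PAGES = {
    "http://friend.example/links": '<a href="http://blog.example/2005/07/trackback">post</a>',
    "http://spam.example/casino": "<p>claims to link here but does not</p>",
}

def demo():
    return validate_referrers(SAMPLE_LOG, SITE, FAKE_PAGES.get)
```

Only the first referrer survives: the second page does not link back, and the third is the site's own navigation.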
