ptcrash | 3 years ago
The spec makes it clear that they're trying to simplify pingbacks but they don't address the fundamental security problems with pingbacks in the first place. And anyone who's maintained a Wordpress site will tell you, the first thing you do is turn off the Trackback and Pingback features [1] because not only does it attract the scummiest deluge of spam [2] but they've also been useful for disclosing internal network info and [3] leveraged to target other websites in DDoS attacks. [4]
The only thought given to preventing abuse is as follows from Section 4.1:
>The verification process SHOULD be queued and processed asynchronously to prevent DoS attacks per section 3.2.
>Receivers MUST verify Webmentions per section 3.2.2.
The first directive isn't a guarantee a DoS attack won't block all IO, it just means don't make it trivial to bring a site down with webmentions. The second directive sounds nice but if you read through section 3.2.2 of the recommendation, it just mandates that you should validate the application data that's submitted. [5] There's no mechanism to authenticate messages, validate the sender, nor limit mentions to a set of trusted parties.
Am I missing something or is this recommendation just splitting the pingback feature from the XML-RPC protocol? In my opinion, that's not providing a lot of value because the feature is still so very easy to abuse.
[1] https://www.wpbeginner.com/beginners-guide/what-why-and-how-...
[2] https://blog.hubspot.com/website/trackback-spam
[3] https://www.acunetix.com/vulnerabilities/web/wordpress-pingb...
[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-b...
[5] https://www.w3.org/TR/webmention/#h-webmention-verification
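Added example, not from the thread, the Webmention spec, or any WordPress code: what the section 3.2.2 verification step actually amounts to for a receiver (fetch the source, confirm it contains a link to the target), with one hardening check the post says the spec does not mandate, namely refusing to fetch sources whose host resolves to a non-public address. The sample pages, the hostnames and their DNS answers are constructed so the block runs offline; a real receiver would replace `fetch` and `FAKE_DNS` with an HTTP client and `socket.getaddrinfo`.

```python
"""Webmention receiver verification (added example, not the spec's own code).

Assumptions not taken from the page: only http(s) sources are accepted, the
receiver refuses to fetch hosts that resolve to private/loopback addresses,
and fetched bodies are capped in size. Pages and DNS answers below are
constructed stand-ins for network calls.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hostnames this receiver serves; a target elsewhere is rejected up front.
ACCEPTED_TARGET_HOSTS = {"bob.example"}

# Constructed sample pages standing in for HTTP responses (not real sites).
FAKE_PAGES = {
    "https://alice.example/post/1": (
        '<html><body><p>Good essay, <a href="https://bob.example/essay">Bob</a>.'
        '<a href="/post/2">next</a></p></body></html>'
    ),
    "https://spammer.example/cheap": (
        '<html><body>buy stuff <a href="https://other.example/">here</a></body></html>'
    ),
}

# Hypothetical DNS answers; the two "public" addresses are placeholders.
FAKE_DNS = {
    "alice.example": "93.184.216.34",
    "spammer.example": "198.41.0.4",
    "intranet.corp": "10.0.0.5",
    "localhost": "127.0.0.1",
}


class LinkCollector(HTMLParser):
    """Collect absolute href targets of <a> and <link> elements."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(urljoin(self.base_url, value))


def is_safe_to_fetch(url):
    """Allow only http(s) URLs whose host resolves to a globally routable address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = FAKE_DNS.get(parts.hostname)  # real code: socket.getaddrinfo
    if addr is None:
        return False
    return ipaddress.ip_address(addr).is_global


def fetch(url, max_bytes=1_000_000):
    """Stand-in for an HTTP GET with a body size cap."""
    body = FAKE_PAGES.get(url)
    if body is None:
        raise LookupError("404")
    return body[:max_bytes]


def verify_webmention(source, target):
    """Return (accepted, reason) for a source/target pair, per spec 3.2.2 plus the SSRF guard."""
    if source == target:
        return False, "source and target identical"
    if urlparse(target).hostname not in ACCEPTED_TARGET_HOSTS:
        return False, "target is not a resource this receiver serves"
    if not is_safe_to_fetch(source):
        return False, "source not fetchable from a public address"
    try:
        html = fetch(source)
    except LookupError:
        return False, "source unreachable"
    collector = LinkCollector(source)
    collector.feed(html)
    if target in collector.links:
        return True, "source links to target"
    return False, "source does not link to target"


if __name__ == "__main__":
    print(verify_webmention("https://alice.example/post/1", "https://bob.example/essay"))
    print(verify_webmention("http://intranet.corp/admin", "https://bob.example/essay"))
```

Note what the check does and does not buy: it proves the source page contained a link at fetch time, which stops blind spam and the "point the receiver at internal hosts" abuse, but anyone who can publish a page with a link can still pass it, which is the post's point about missing sender authentication.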
CharlesW|3 years ago
You may find this interesting: https://indieweb.org/Vouch
giantrobot|3 years ago