Saturday, August 09, 2008

Blog Access Blocking, By Denying Individual Permission, Won't Work

In a corporate network, you have one or more teams of employees, whose duty is to assign and maintain authentication and authorisation information. Authentication validates who someone is, and authorisation validates what ability that person should be granted, when accessing corporate resources on the network. Each employee gets one and only one identity, and has one specific list of access rules (authentication / authorisation). This restriction can (must) enforced, because each employee provides proof of identity, when registering as an employee.

With Blogger (Google), as with most Internet services, there is no real proof of identity required. In the online world, many people maintain multiple identities. That is one of the features of online life, called "freedom". Freedom to be who you want to be, or at least to seem to be.

So you, and I, can have as many Google accounts as we wish. Google accounts are free, and if you have multiple lives, or interests, you can have a different Google account for each, and more. And therein lies a problem.

Occasionally, someone asks about having a publicly accessible blog, but blocking specific individuals from accessing or commenting upon the blog.
How do I block one person from accessing my blog? I want it to be otherwise publicly accessible.
but that's an impossibility. Since nobody is restricted to having one identity, if you block one identity from access, it's no great effort for someone to use another. Any determined attacker won't be put off by one identity being blocked, though he may be slightly angered, and his next series of attacks may be nastier than before.

If you're going to restrict access to your blog, you have to start with a private blog. That's the only real solution for restricting access.

>> Top

2 comments:

Richard said...

It's true that blocking their initial identity won't stop a "determined" attacker, but I expect it would suffice to deter 99% of lazily rude or unwelcome visitors. So it would be helpful for Blogger to implement this feature, and let blog authors decide for themselves when it is or isn't worth employing.

Chuck said...

Well, you can suggest it to Blogger, but my suspicion is that anybody who will be deterred by your blocking a single account will probably get bored and go away on his own, anyway.

The ones that you better fear are the determined attackers, and from the description in these forums, that's what many of us are seeing.

Comment moderation is the only real deterrent.