billso.com

I recently implemented OpenID on billso.com. OpenID is a single sign-on (SSO) system that lets web users log on to multiple sites with the same username and password. SSO support is becoming a key success factor for social networking and social media web sites, as new users struggle to manage a growing number of passwords.

With OpenID, no one needs to apply for a user account on billso.com. They can use their username and credentials from another site to join billso.com, or to post a comment on a billso.com article.

Kyle Neath posted a long rant about OpenID yesterday. He won’t be implementing OpenID on his site because he thinks the system too confusing for users. I don’t think OpenID is that difficult to understand - here are two brief explanations from OpenID.net and Wikipedia.

Phishing phears

Kyle’s concerned that phishers might target OpenID users, and he uses PayPal as an example. That site has become a primary target for phishing attacks.

OpenID does have an identity system that lets an authorized user revoke their OpenID as a last resort. Anyone who uses an OpenID should select a strong passphrase, as I described in this billso.com article from 24 Aprill 2008. OpenID can also add multifactor authentication to their service. Checking a user’s location, or asking for a token or passphrase that only the user should have, in addition to the regular passphrase, would provide a strong defense against phishers. Virtual keyboards and other systems could also be used, as I described in this billso.com article from 17 April 2008.

The provider’s burden

I understand some of Kyle’s points. Any web site that implements OpenID for SSO could also become a provider of OpenIDs. I decided not to do this right from the start. I don’t want to provide perpetual support users who request a billso.com OpenID username. There is a system that lets departing OpenID providers delegate their users to another provider.

On 30 April 2008, I posted some programming code that lets a popular WordPress OpenID plugin use JanRain’s ID Selector tool. There are several providers of OpenIDs that can carry the long-term burden of maintaining these accounts, including VeriSign, AOL, Google, Flickr, and WordPress.com.

Universities could become OpenID providers. It makes sense to give students and employees access to a global SSO system, as long as schools are willing to provide stable, permanent usernames for their stakeholders.

Users can also purchase a personal identity domain for around US$10 a year and get a personalized OpenID URL.

Related posts and pages from billso.com

• OpenID
• 30 April 2008: Updating WP-OpenID to support ID Selector
• 24 April 2008: Change that password into a passphrase
• 17 April 2008: Virtual keyboards and monitoring software foil keystroke loggers
• 12 April 2008: Finding business contacts and passwords on the Internet
• 14 March 2008: Social media in action
• 2 July 2007: CXOs face malware email attacks
• 11 January 2007: How to create a secure password

Today I spent a few minutes modifying the WP-OpenID plugin to support JanRain’s ID Selector.

I added OpenID support to billso.com last month. This page has more information about the OpenID signle sign-on (SSO) system. Short story: OpenID lets users log in to a site with an ID they obtained on another web site. There are many different providers of OpenIDs, and many Internet users have not heard of the OpenID system.

So the ID Selector box provides opportunities to promote the OpenID system, and to add more users to a web site by supporting OpenID authentication.

The ID Selector is a small dropdown box that gives the user several choices for an OpenID provider. The system uses a small piece of JavaScript that calls a centralized server at www.idselector.com and generates an attractive selection box.

WP-OpenID doesn’t support ID Selectors yet, so I modified the code myself. The code is available in this ZIP file as interface.php

Installation is easy. Simply download my zipped file, extract the php file, edit it to include the ID Selection script that can be generated here, and upload the modified php file to your WordPress server at wp-content/plugins/openid/

The only hitch I have seen is that the selection button does not render properly in Safari, possibly because Safari uses its own weird buttons. In Firefox and Internet Explorer, it seems to work.

I’m tested this against WP 2.51 and WP-OpenID 2.1.8. I’m sure other people will find issues, so please add a comment to this post and check out my other OpenID posts, too.

For WordPress sysads who want to type in the modified code themselves, here’s an example. The code that must be changed is found in function login_form() as follows:

<label>Or login using your
<a class="<?php echo $link_class; ?>"
href="http://openid.net/">OpenID</a> url:<br/>

<input type="text" name="openid_url"
id="openid_url" class="input openid_url"
value="" size="20" tabindex="25" /></label>

</p>

<!-- this section remaps the OpenID Selector
box to the proper field on the form-->
<script type="text/javascript">
  <!--
      idselector_input_id = "openid_url";
    -->
</script>

<!-- insert the ID SELECTOR script that
you generated at idselector.com AFTER THIS LINE -->

<!-- BEGIN ID SELECTOR -->

<script type="text/javascript"
id="__openidselector"
src="https://www.idselector.com/selector/hex"
charset="utf-8"></script>

<!-- END ID SELECTOR -->
<!-- the rest of the interface.php
proceeds as originally written-->

<?php
}

This site is now available in a mobile web format at http://m.billso.com/ – please give it a try with your mobile phone or PDA.

Apple iPhone users can view this site in its regular desktop mode at billso.com, or try the mobile version.

As I mentioned on 27 November 2007, the mobile web is not quite ready for the masses yet. There is no standard URL for mobile web sites, for example. Some sites like Facebook use “m.” as a subdomain that serves up a mobile site. Other mobile sites are using the .mobi top level domain. I have a short list of mobile web sites at http://billso.com/mobile/

I own http://billso.mobi and I’ve set that name to redirect to http://m.billso.com

It’s difficult to design web sites that resolve well on small screens, especially given the number of different devices, platforms and carriers that exist in the mobile Internet market.

Difficult does not mean impossible

I’ve tweaked my web site with some WordPress plug-ins. Plug-ins are prepackaged files of PHP programming code that third-parties have written to extend the WordPress blog software. I’ve made m.billso.com work on several hundred pages of content with 3 hours of effort.

The mobile version does load quickly on PDAs and phones, while preserving most of the site content. Those were my primary goals. I’m pleased with what I’ve accomplished using free software and web services.

Feel free to log on with a real computer and leave a comment about the mobile site. I’d like to know if the mobile version of this site is usable and useful for my readers.

A few of the site’s features do not work well on the mobile version. I’m looking for workarounds to address some of these problems.

1. The menu on the top of each page becomes a long set of entries.
2. The event calendar in the right sidebar turns into a single column of text, for example. This happens with the standard WordPress calendar widget, too.
3. Tables do not resolve well in mobile browsers, either. That’s one reason that the calendars on the Spring 2008 course pages are written in a boring text format.
4. The scenic image at the top of each page shrinks a bit.
5. Mobile users cannot enter comments. The reCAPTCHA plugin that I use to stop comment spam does not support mobile web browsers. The comment fields will appear on the mobile site, but comments will not be posted. i’ve seen very few mobile blogs that support comment entry, so I am not very worried about fixing this issue.

I’m spending some time this week importing some of the better articles from my old blogs. Before I installed WordPress here on billso.com in January 2007, I used Bloglines.com.

The blogging tools that Bloglines provided left a lot to be desired, however. In fact, that user interface hasn’t changed very much in the last 2 years. It is very difficult to export these old articles to other systems.

My old articles were posted to Bloglines during 2005 and 2006, and I’m tired of supporting links to a legacy system. But I didn’t want to lose my articles from the October 2006 earthquake.

I am keeping the time-date stamps for these old articles, and I am adding an imported category to my content management system (CMS) here at billso.com. Each of these old articles includes a link to the original Bloglines URL, so that Google and other search engines can find the new locations.

I completed some tweaks to the blog Thursday evening, and they’re worth mentioning.

It’s easy to update articles in WordPress, the server software I use for this blog. Sometimes I edit an article to include new links or updated information.

The 3 September article on ad blocking is a good example. I updated that article today, and now the article’s header looks like this:

Notice the text that says “Updated” – this indicates when I changed this article.

I’ve also made it easier to see blog articles that have comments by adding a visible hyperlink after the article’s title. Sometimes I add comments to an article instead of updating the article itself, and sometimes user have added their own comments:

This screenshot also shows the new format I’m using to display articles on the home page and in search results.
An excerpt of the articles first words will appear, followed by the relevant hyperlinked tags. Just click the article title or the (more…) link to see the entire article. This is a good way to get additional clicks from readers, and to pull them deeper into a web site.

The excerpt isn’t a summary or abstract of the article. It’s just enough text to show the reader how the article begins.

I display excerpts on the home page and in search results to keep these pages small. This helps keep the site responsive and usable for readers with mobile device or limited bandwidth. Google Analytics has shown me that most users access this site at broadband speeds, but I want to accommodate all users, as discussed here.

Of course, the RSS feeds on this site will always display the entire article, including tags. Most RSS readers will also retrieve the updated version of each article.