Webmention (2017) (w3.org)
62 points by tosh on Dec 11, 2022 | hide | past | favorite | 19 comments



More useful information at https://indieweb.org/Webmention-faq


Probably the only implementation which I've seen in the wild is that of swyx's[0]. Example blog post: https://www.swyx.io/js-third-age

Scroll down to the bottom and you'll see it

[0] https://www.swyx.io


There's plenty more besides. My own static blog supports webmentions thanks to webmention.io, which is used by numerous other blogs. Brid.gy also uses it to trigger syndication and backfeed of comments from various silos.


I don’t know if one-off custom implementations count, but the blog of Xe Iaso (Christine Dodrill) speaks WebMention as well[1].

[1] https://xeiaso.net/blog/webmention-support-2020-12-02



A blog I read also uses Webmentions. This article is swimming in them: https://seirdy.one/posts/2020/11/23/website-best-practices/#...


My personal static site has a custom implementation of dispatch and receipt of Webmentions using netlify functions. I’m sure there are many more folk quietly coming up with their own ways to do it as well.
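The sender side of the "dispatch" mentioned above, as an added example that is not code from the commenter's site or from the W3C spec: discover the target's Webmention endpoint (HTTP `Link` header first, then the first `<link>`/`<a>` with `rel="webmention"`, resolved relative to the target, as the spec describes) and POST the form-encoded `source`/`target` pair. The `post` parameter is an injection point so the dispatch can be exercised offline; the URLs in the usage note are constructed.

```python
"""Webmention sender: endpoint discovery and dispatch (constructed example)."""
import re
from html.parser import HTMLParser
from typing import Callable, Optional
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen


def _endpoint_from_link_header(link_header: str) -> Optional[str]:
    # Parses: <https://host/wm>; rel="webmention", <https://host/x>; rel="other"
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]*)>\s*;(.*)', part)
        if not m:
            continue
        url, params = m.group(1), m.group(2)
        rel = re.search(r'rel\s*=\s*"?([^";]*)"?', params)
        if rel and "webmention" in rel.group(1).split():
            return url
    return None


class _RelWebmention(HTMLParser):
    """Records the href of the first <link> or <a> carrying rel=webmention."""

    def __init__(self) -> None:
        super().__init__()
        self.endpoint: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if self.endpoint is not None or tag not in ("link", "a"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").split()
        # An empty href is legal and means "the document itself".
        if "webmention" in rels and a.get("href") is not None:
            self.endpoint = a["href"]


def discover_endpoint(target: str, link_header: Optional[str], body: str) -> Optional[str]:
    """Absolute Webmention endpoint for `target`, or None if it advertises none."""
    ep = _endpoint_from_link_header(link_header) if link_header else None
    if ep is None:
        p = _RelWebmention()
        p.feed(body)
        ep = p.endpoint
    return urljoin(target, ep) if ep is not None else None


def _http_post(url: str, data: bytes) -> int:
    req = Request(url, data=data,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.status


def send_webmention(endpoint: str, source: str, target: str,
                    post: Callable[[str, bytes], int] = _http_post) -> int:
    """POST the form-encoded mention; returns the endpoint's HTTP status (201/202 on accept)."""
    data = urlencode({"source": source, "target": target}).encode()
    return post(endpoint, data)
```

Typical use: fetch the target page yourself, pass its `Link` header and body to `discover_endpoint`, and only call `send_webmention` if an endpoint was found; a 201 or 202 means the receiver queued the mention for verification, not that it was accepted as genuine.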


I guess it's not popular enough to attract spammers, but if there is an automatic way to put a link on someone else's page it will be abused.

There's however Vouch (https://indieweb.org/Vouch)


I've begun implementing Webmention on my blog just this week after seeing it in action at EmacsConf - it's a good sign to see it also syndicated here not long after. I hope many more adopt it, it's a great idea.

The talk in question: https://emacsconf.org/2022/talks/indieweb/


I am using it on my website. It is great and makes it so much more fun to blog. I really recommend implementing it.


What do you mean by "using"?


He probably means this (bottom of the page): https://andregarzia.com/2022/05/On-rants-about-laptops-for-d...


Exactly that. I use WebMentions to gather information about people sharing each blog post and also for comments. If you want to comment on the site you can simply send a WebMention. For example, sites such as Lobste.rs do that so every time a post ends up there, the comments on the thread appear on the site. The same happens on Twitter and Mastodon. It is very neat.


I find it weird that webmentions are on hn very often, and no one is implementing it.


I'd argue it's because the risk is not worth the reward. Pingback and Trackback are used to send a monsoon of spam and I'd wager site maintainers are not too keen on enabling the new version of an old problem.


(2017)


I've read through the spec along with the FAQ that epeus so graciously shared here. The idea of mentioning beyond the scope of one website's walled garden seems like a very natural progression of ActivityPub and the new-found hype surrounding Mastodon. My concern is that I haven't seen much thought into the security implications.

The spec makes it clear that they're trying to simplify pingbacks but they don't address the fundamental security problems with pingbacks in the first place. And anyone who's maintained a WordPress site will tell you, the first thing you do is turn off the Trackback and Pingback features [1] because not only does it attract the scummiest deluge of spam [2] but they've also been useful for disclosing internal network info [3] and leveraged to target other websites in DDoS attacks [4].

The only thought given to preventing abuse is as follows from Section 4.1:

>The verification process SHOULD be queued and processed asynchronously to prevent DoS attacks per section 3.2.

>Receivers MUST verify Webmentions per section 3.2.2.

The first directive isn't a guarantee a DoS attack won't block all IO, it just means don't make it trivial to bring a site down with webmentions. The second directive sounds nice but if you read through section 3.2.2 of the recommendation, it just mandates that you should validate the application data that's submitted. [5] There's no mechanism to authenticate messages, validate the sender, nor limit mentions to a set of trusted parties.

Am I missing something or is this recommendation just splitting the pingback feature from the XML-RPC protocol? In my opinion, that's not providing a lot of value because the feature is still so very easy to abuse.

[1] https://www.wpbeginner.com/beginners-guide/what-why-and-how-...

[2] https://blog.hubspot.com/website/trackback-spam

[3] https://www.acunetix.com/vulnerabilities/web/wordpress-pingb...

[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-b...

[5] https://www.w3.org/TR/webmention/#h-webmention-verification
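A receiver that does what section 3.2.2 mandates and adds the defensive checks the comment finds missing, as an added example that is not code from the spec or from any implementation: the synchronous request checks reject a `target` the site does not serve, a `source` that is not a public http(s) URL (so the verification fetch cannot be pointed at internal addresses, the pingback problem cited in [3]), and the verification fetch is bounded in time and size so a flood of mentions costs the receiver a capped amount of work. `OUR_HOSTS`, the `resolve`/`fetch` injection points, and the test URLs are constructed; the SSRF guard and size cap are hardening choices, not spec requirements.

```python
"""Webmention receiver: request validation and hardened verification (constructed example)."""
import ipaddress
import socket
from html.parser import HTMLParser
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse
from urllib.request import Request, urlopen

OUR_HOSTS = {"example.com"}   # hypothetical: hostnames this receiver serves
MAX_BYTES = 1 << 20           # never read more than 1 MiB of a source document


class _Links(HTMLParser):
    """Collects href values of <a> tags in the fetched source document."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.add(href)


def is_public_http_url(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """SSRF guard: http(s) only, and the host must resolve to a globally routable address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(p.hostname))
    except (socket.gaierror, ValueError):
        return False
    return addr.is_global   # excludes loopback, RFC 1918, link-local, etc.


def validate_request(source: str, target: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Synchronous checks on the POST (section 3.2.1); returns an error string or None."""
    if source == target:
        return "source and target must differ"
    t = urlparse(target)
    if t.scheme not in ("http", "https") or t.hostname not in OUR_HOSTS:
        return "target is not a URL this site serves"
    if not is_public_http_url(source, resolve):
        return "source is not a public http(s) URL"
    return None   # accept with 202 and queue verify_mention() for later


def fetch_bounded(url: str, limit: int) -> Tuple[int, str]:
    """Default fetcher: 10 s timeout, size-capped read. urlopen follows redirects,
    so a production fetcher should re-run is_public_http_url on every hop."""
    req = Request(url, headers={"User-Agent": "webmention-verifier"})
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read(limit).decode("utf-8", "replace")


def verify_mention(source: str, target: str,
                   fetch: Callable[[str, int], Tuple[int, str]] = fetch_bounded) -> bool:
    """Asynchronous step (section 3.2.2): the source document must link to target."""
    status, body = fetch(source, MAX_BYTES)
    if status != 200:
        return False
    links = _Links()
    links.feed(body)
    return target in links.hrefs
```

Even with these checks the receiver still has no way to authenticate the sender, which is the comment's core point: a verified mention only proves that some public page links to you, not that its owner is anyone you trust, so a worker queue with a per-source rate limit and a moderation step before display is still needed.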


> My concern is that I haven't seen much thought into the security implications.

You may find this interesting: https://indieweb.org/Vouch


That doesn't do anything to prevent the DDoS problem of pingbacks/trackbacks, if anything it makes it worse because checking the third party vouch address causes an amplification attack. As with most things on the Internet spammers and assholes have ruined *back systems.



