
Ext Form Captcha



jon.whitcraft
7 Sep 2007, 10:21 AM
Hey guys. I just had a great idea while doing a form on my public site and I want to know what the UX community thought of it.

Have a form field that would output a generated image from a specified URL that you provide and then allow an input dialog so that they could input what the image says.

Let me know. I might just have to work on this.

JeffHowden
7 Sep 2007, 7:26 PM
You mean something like this (only fully extized)?

http://www.jeffhowden.com/code/coldfusion/captcha/

Certainly any validator that's used must be a server-side one so as to not expose the CAPTCHA string.

amon
7 Sep 2007, 11:19 PM
Jon:

The captcha value can never be sent to the client side, because the spammers could catch it. And if the spammers could catch the value, what is the good of it?
Of course, I have my own captcha engine too. But it's a PHP class for my own framework, and the Ext form has only an image (like Jack's photo in the Ext basic form example) with a specific URL.
Because the value can never be sent to the client side, the captcha checking must be on the server side too.
If you like, I can publish my captcha engine. :) If you can use it.
Here is an example: http://chat.theba.hu/.
(The chat application is under development; if it reaches a stable state, I'll publish it under LGPLv3 of course, here, on this site too. :D)

steffenk
8 Sep 2007, 1:42 AM
Hi Amon,

this is a nice integration.
As CAPTCHA won't work as a client app, I use it also with PHP only. So my question is, how did you integrate it? I looked at the code and didn't find the integration of the captcha picture into the form.

amon
8 Sep 2007, 2:05 AM
steffenk:

for example:

this.loginLayout.getEl().createChild({
    tag: 'center',
    cn: {
        tag: 'img',
        src: this.urls.system + 'code/'   // the server renders the captcha image at this URL
    }
});
Where this.urls.system is the base URL of the site.
I said, this is like Jack's photo in the basic form example. :D

steffenk
8 Sep 2007, 2:11 AM
ok, I see ;) thx amon.

What is the state of your chat app? I need some chat for a project and I don't know atm which chat I should use for it.
Thx for your creativity - the color picker is a nice extension too.

jon.whitcraft
8 Sep 2007, 6:59 AM
Jeff, this is true and I understand that, but see, the problem I'm having is there is no easy way to put a captcha in an Ext form right now and I just want to provide a utility to do that. The captcha would still have to be validated by the server side when you submit what they typed in.

JeffHowden
8 Sep 2007, 9:58 AM
Agreed, Jon. Different implementations require different details. For example, Amon's doesn't appear to require any sort of "key" to be sent with the text to validate it, presumably because he's storing it in the session. However, in my implementation, I need the filename and the hash of the CAPTCHA text because I don't want to use a session simply to implement a CAPTCHA.

So, whatever the Ext implementation, it needs to be configurable such that additional parameters can be sent to the server to assist with validation. I'd probably also recommend that every time the text fails, the CAPTCHA text image is replaced with a new one (to thwart automated attacks).

DigitalSkyline
8 Sep 2007, 10:04 AM
While I understand that someone somewhere might be that motivated to write a program to defeat it... for the normal 99.999999%, using ajax to get the codeword and writing it to an Ext field (possibly a TriggerField?) would be good enough security for 99.99% of forms (or am I just an optimistic fool?)

I think it'd be cool ux. The server still has to validate etc.

amon
8 Sep 2007, 11:31 AM
> Agreed, Jon. Different implementations require different details. For example, Amon's doesn't appear to require any sort of "key" to be sent with the text to validate it, presumably because he's storing it in the session.

Of course, I store it in the session, in a database, or I calculate it based on time, server, client and browser data. But I never store anything on the client side, because I could never be sure that somebody does not build an application to catch this code or hash, or something related to the captcha. Storing on the client side or sending anything to the client (and vice versa) is not secure.

And this is the point why I am not sure that it is a good idea to build a JavaScript implementation of any captcha. On the client side, it is not secure. If it is not secure, what is the good of it?

JeffHowden
8 Sep 2007, 12:17 PM
> Of course, I store it in the session, in a database, or I calculate it based on time, server, client and browser data. But I never store anything on the client side, because I could never be sure that somebody does not build an application to catch this code or hash, or something related to the captcha. Storing on the client side or sending anything to the client (and vice versa) is not secure.
>
> And this is the point why I am not sure that it is a good idea to build a JavaScript implementation of any captcha. On the client side, it is not secure. If it is not secure, what is the good of it?

Storing a hash is sufficiently secure, provided your CAPTCHA text is of appropriate length. This makes the validation painfully simple on the server as you're now comparing a hash of the provided text with the stored hash. Or, using my Crypto UX, you can simply perform the comparison client-side.

steffenk
8 Sep 2007, 2:17 PM
There are some bots with the ability to read the image.
The protection against spamming is only a few steps ahead of the bots.

On the other side I was very astonished that a simple JS protection helped me to prevent all spam bots, and it's so simple:


<form action="www.xyz.com" method="post">
...
<!-- the real action is set only by JavaScript; a client without JS posts to the decoy URL -->
<input type="submit" onclick="this.form.action='therealpage.php'" />
</form>

So I don't believe that a login or form submit with Ext JS is easy for the bots.

JeffHowden
8 Sep 2007, 3:31 PM
This mechanism isn't really viable on a regular site though as it immediately locks out any non-JS users.

steffenk
9 Sep 2007, 2:35 AM
that's true, and this is only an example - using an ext-form also kicks out non-JS users ;)

JeffHowden
9 Sep 2007, 5:09 PM
> that's true, and this is only an example - using an ext-form also kicks out non-JS users ;)

Agreed, but since you used markup, there's more opportunity for inclusion than using an ExtJS form which is why I mentioned it.

amon
9 Sep 2007, 9:07 PM
I think the most clever antispam technique is this (http://www.modernbluedesign.com/web-design-blog/fighting-spam-with-css/). :) And making this in an Ext form is so easy.

matjaz
9 Sep 2007, 10:41 PM
There is no real protection against spam.
If I say CAPTCHA, 90% of all people will think of an image, but that isn't always true.
Simple questions with a simple short answer, for example "5 plus 3 equals", with as many random combinations as possible, are also good protection against spam.

If you want to validate the CAPTCHA on the client side, you can send the client a hash (sha1, md5) of the answer and validate the CAPTCHA on the client side, as someone already suggested.

amon
10 Sep 2007, 12:50 AM
Yes. Questions. But these are language-sensitive things, but the Captcha...

"5 plus 3 equals (write here ->)"
"5 meg 3 erem

steffenk
10 Sep 2007, 9:15 AM
why?

5+6=
5*2=
12-3=
...

trbs
10 Sep 2007, 3:18 PM
I use:

5 + ? = 11
5 * ? = 10
12 - ? = 3

Having the unknown in the middle is one more step of work for spammers, since you have to reverse the operator :)

ApocalypseCow
12 Sep 2007, 7:11 AM
Nice ideas, although I worry that some of these maths questions might be too difficult for my user base /:)

dantheman
12 Sep 2007, 9:08 AM
Years ago I suggested the simple maths approach,
but got shot down by folks who claimed it was "too hard".

Nowadays I see them everywhere. I even see very loose
things like geography questions and free-form text answers.

This kind of thing is the only way forward, imo.

--dan

JeffHowden
12 Sep 2007, 10:13 AM
> Years ago I suggested the simple maths approach,
> but got shot down by folks who claimed it was "too hard".
>
> Nowadays I see them everywhere. I even see very loose
> things like geography questions and free-form text answers.
>
> This kind of thing is the only way forward, imo.
>
> --dan

One way forward, perhaps, but certainly not the only way forward. The reality is that questions like this are a barrier to entry, more so than a simple image CAPTCHA. Many that don't know the answer simply won't go through the effort to find the correct answer. Worse, the answers must match exactly. So, if the answer is a word that's commonly misspelled, you'll be turning away users who think they're providing the correct answer, but are simply misspelling it. Additionally, like someone else said, questions mean that the form is immediately inaccessible for anyone who doesn't speak the same language the question is in.

Personally, I see the question approach actually creating far more problems than it solves, but that's just my opinion.

dantheman
12 Sep 2007, 11:47 AM
> One way forward, perhaps, but certainly not the only way forward. The reality is that questions like this are a barrier to entry, more so than a simple image CAPTCHA. . . . Additionally, like someone else said, questions mean that the form is immediately inaccessible for anyone who doesn't speak the same language the question is in. . . . Personally, I see the question approach actually creating far more problems than it solves, but that's just my opinion.

Jeff,

While I am opinionated, I didn't mean to come across as dismissively so.

More specifically, I believe that image captcha has a limited useful life left.
What I call "cognitive" captcha has, I believe, a long-term promise.

I use a system that randomly walks a large matrix of possibilities.
One pseudo-example:


Which of these is not like the others? X X X Y X X

There are a number of issues surrounding these to ensure luck is (mostly) excluded
(Of course this doesn't address the language issue, but I personally think this
isn't a real problem: the question of language on pages is much larger.)

In general I strongly agree with the concern over exclusion.
The context of these tools has to be carefully considered.
My work involves (semi-) private sites (i.e. less fragile user interest)
exclusively, so I have not had to wrestle directly with the larger issues
of balancing participation and maintaining quality of contributions.

It's an interesting problem, but then I've always been fascinated with the Turing test. /:)
--dan

DigitalSkyline
12 Sep 2007, 11:59 AM
What about a system that uses drag and drop, say to put a series of images in order... something that ensures a mouse action was taken. A 2.0-ish system :) Think beyond the box.

jon.whitcraft
12 Sep 2007, 12:03 PM
Not a bad idea... but it doesn't make for an efficient way of completing the form in a timely manner.

steffenk
12 Sep 2007, 1:26 PM
I think we should separate the cases.

In Ext I don't see a reason for a captcha - it's JavaScript and it should be easy to hide the address from bots.

In normal forms a captcha is an important thing. The visual (normal) captcha is often an annoying thing because the user also often can't read it (and those like the blind have no chance).
Doing questions, logic etc. only varies the input, but from the bot side it's all the same. They will use some techniques to analyze it and the day will come when they hack the mechanism.

I understand the annoyance when fetching mails and over 80% are ****** stuff. I think they should change the legal situation so that people using spam bots are criminals doing illegal things. This would help much more.

my 2 cents

dantheman
12 Sep 2007, 4:55 PM
> What about a system that uses drag and drop, say to put a series of images in order... something that ensures a mouse action was taken. A 2.0-ish system :) Think beyond the box.

Once "your" source is in "their" hands, there is no way to ensure anything.
The CGI data coming into your app could be from anywhere, and shouldn't
be assumed to be from your page as it was loaded . . .

And addressing SteffenK's point about finding the pattern: you use
this against them. If you have a sufficiently rich matrix of possibilities,
and take rudimentary steps to sidestep brute force attacks, you have
a quite sufficiently high probability of keeping non-humans out.

Oh and spam is already illegal. As Gordon Dickson said "Computers don't argue".
--dan

steffenk
13 Sep 2007, 3:03 AM
> Oh and spam is already illegal. As Gordon Dickson said "Computers don't argue".
> --dan

In Germany the situation is not clear - we don't have anything to use against spammers. It's been discussed for years without any result.
Also most spam comes from the US, so this will always be an international problem.

amon
8 Oct 2007, 4:16 AM
FYI,

If somebody wants to use my captcha library (the one in my TChat application), it is now downloadable.

You can download it from here (http://captcha.theba.hu/).

mjlecomte
16 Jul 2008, 7:49 AM
For anyone stumbling into this thread, you might be interested in this:
http://extjs.com/forum/showthread.php?p=195962