Thread: Verification on Signup page
Wed, Dec 9 2020 12:05 PM

KimHJ

Comca Systems, Inc

I just had a customer that received 2048 emails about customers signing up on his webpage, which is made with EWB.
I have not been able to implement CAPTCHA and I'd like to know if anyone else has done any verification that would prevent this.

I was thinking of having a dialog showing 10 unique pictures and then asking the user to select, say, the carrot, and if they selected wrong I would shuffle the pictures and ask again until they selected the right one.

I don't know if it would work, because I don't know how the spammers work.

Any idea, thanks.
Kim
Wed, Dec 9 2020 8:35 PM

erickengelke

KimHJ wrote:

> I just had a customer that received 2048 emails about customers signing up on his webpage, which is made with EWB.
> I have not been able to implement CAPTCHA and I'd like to know if anyone else has done any verification that would prevent this.

I implemented Google's reCAPTCHA in my first EWB book.  I believe that was version 2, and I used a PHP script to help set it up because you receive a background message from Google.  The hardest part was navigating all of Google's pages to configure it.

Version three is nicer for the user; it doesn't usually even prompt the user, it figures out the robots from various heuristics.  But I don't know of any EWB examples using it yet.


> I was thinking of having a dialog showing 10 unique pictures and then asking the user to select, say, the carrot, and
> if they selected wrong I would shuffle the pictures and ask again until they selected the right one.

You could do that and it would probably *reduce* the spam; it might also frustrate a few people.

But the important part is that you must not have a simple, replayable API to the server.  If you make your own captcha, it must send a unique code to the server and not be predictable in the API you use.  That's the key.

Spammers mostly work by replaying sequences over and over again and thus plugging up your system with useless messages which they can easily do with most simple web apis.

All sophisticated systems generate a unique code for each session, called a nonce.  And we encode that nonce mathematically in every subsequent request.  So if they try to replay a sequence with an old nonce, the system flat out rejects it.  All my production systems use nonces and are not vulnerable to replay or other attacks.

All in all, it's complicated.  Trust me. Last year I wrote a whole book addressing nonces, Cross Site Scripting and other attacks, Active Directory Federated Services, OpenID Connect and other security features.  It's my least popular book, but it's a lifesaver for systems that have to be highly secure.  I'm not trying to sell it here, just saying it's a huge topic to do correctly, but it has been done.

Erick
EWB Programming Books and Component Library
http://www.erickengelke.com
Wed, Dec 9 2020 8:44 PM

erickengelke

erickengelke wrote:

KimHJ wrote:
> I was thinking of having a dialog showing 10 unique pictures and then asking the user to select, say, the carrot, and
> if they selected wrong I would shuffle the pictures and ask again until they selected the right one.

The problem is mathematically called the "Turing Test", after English mathematician Alan Turing: create a problem computers cannot easily solve but people can.  It doesn't have to be complicated for you as a programmer.

A system can ask even a simple question, such as (in a JPEG, so as not to be easily converted to text and parsed programmatically):

  Add three plus four.


But the question and the response have to be different every time, with a different answer every time, and it should ideally be a question the server generates, not the browser app.

Technically, a spammer could use optical character recognition, then pass it through a program to calculate the answer.  But spammers are generally lazy, and such a system will thwart the majority of them.  They will move on to easier targets like your original system.

The hardest part is creating questions that are easy for a multinational audience.  So be careful not to rely on intricate knowledge of English or any other language, because you do not want to reject people who are not strong in English.

Good luck,
Erick

EWB Programming Books and Component Library
http://www.erickengelke.com
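The two ideas in Erick's posts above, a per-session nonce that defeats replay and a server-generated question whose answer never leaves the server, fit together in one small signup guard. This is example code added here, not code from the thread or from Erick's library; the in-memory `issued` store, the five-minute lifetime and the `make_challenge`/`verify_signup` names are assumptions for the demonstration, and rendering the question as a JPEG is left out.

```python
import hashlib
import hmac
import os
import secrets
import time

# Per-server key; in production load it from protected config (constructed here).
SECRET = os.urandom(32)

# nonce -> (correct answer, expiry). A real deployment keeps this in a cache
# or database shared by all app servers so a nonce is single-use everywhere.
issued = {}

def make_challenge(now=None):
    """Server side: mint a fresh nonce and a fresh question.
    Only the nonce, its HMAC tag and the question text go to the browser;
    the answer stays on the server, so the client cannot compute it."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(10) + 1, secrets.randbelow(10) + 1
    nonce = secrets.token_hex(16)                  # unpredictable per session
    issued[nonce] = (a + b, now + 300)             # assumed 5 minute lifetime
    tag = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "tag": tag, "question": f"Add {a} plus {b}."}

def verify_signup(nonce, tag, answer, now=None):
    """Server side: called by the signup endpoint before any email is sent.
    Order matters: cheap integrity check first, then the single-use store."""
    now = time.time() if now is None else now
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return "rejected: forged nonce"
    entry = issued.pop(nonce, None)              # pop => a replay finds nothing
    if entry is None:
        return "rejected: unknown or already used nonce (replay)"
    correct, expiry = entry
    if now > expiry:
        return "rejected: expired"
    if str(answer).strip() != str(correct):
        return "rejected: wrong answer"
    return "accepted"

if __name__ == "__main__":
    c = make_challenge()
    print(c["question"])                         # what the user would see
    ans = issued[c["nonce"]][0]                  # pretend the user answered it
    print(verify_signup(c["nonce"], c["tag"], ans))   # accepted
    print(verify_signup(c["nonce"], c["tag"], ans))   # rejected: replay
```

The replayed request in the last line fails even though every field is identical to the accepted one, which is the property Erick describes: a captured sequence cannot be resubmitted 2048 times.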
Sat, Dec 19 2020 11:00 PM

erickengelke

KimHJ wrote:
> I have not been able to implement CAPTCHA and I'd like to know if anyone else has done any verification that would prevent this.

Several people asked about this, so I've added a reCAPTCHA client to my Nice Library for Elevate Web Builder.  You can see a demo at:

https://erickengelke.com/nice/samples.html

You just add a few lines of code to your EWB application and it adds the Google reCAPTCHA tool.

Contact me for more details.

Erick
EWB Programming Books and Component Library
http://www.erickengelke.com