Reusable CAPTCHAS

[Holger]

Hi Christoph,

I like reCaptcha too, so it would be fine to have a solution for it.

Requiring registration for the user of the plugin would be a minor inconvenience, but the plugin configuration would require the user to store the public and the private registration key to config.php, what might be a security issue.

Why

AFAIK yo have to write the public key to the file with your form and the private key to the script the form is posted to.
So why is that more secure than writing both keys to a (anyway .htaccess-protected) config.php?

KR
Holger

[cmb]

Hi Holger,

So why is that more secure than writing both keys to a (anyway .htaccess-protected) config.php?

You're probably right. It shouldn't be a problem to write both keys to config.php, but a .htaccess-protection should be in place, as it's the plugin's config.php which is typically not .htaccess-protected. I guess there are not too many CMSimple installations running under IIS.

I like reCaptcha too

The great advantage of reCaptcha would be the small size of the captcha plugin. But reCaptcha seems to use very hard captchas. I've tried the demo, and had several incorrect tries (video and audio).

I've thought again about how to implement the Captcha plugin: as utility plugin (plugin for plugins) or as optional alternative plugin(s). I'm really not sure what would be best.

Christoph

[Holger]

but a .htaccess-protection should be in place, as it's the plugin's config.php which is typically not .htaccess-protected

That's upon developers choice. Sometimes I put a .htaccess to the plugin-config-folder, sometimes not.
But even if there's no further protection it's IMHO not such a high risk to put both keys to one php-file.

But coming back to topic:
As longer as I think about it, I come to the conclusion that your first suggestion

a general interface

is the best.
We're not so much active plugin-developers here at the moment. And I think if there is an easy solution, which helps to spare a lot of development-time, most of the developers can agree with the interface (at least when more than one captcha-plugin uses the interface).

So I'm looking forward to see the reCaptcha - Plugin with a short demo-plugin or a documentation like with jQuery.

And a small feature request: would you please think about the integration of reCaptchas eMail-Protection http://www.google.com/recaptcha/mailhide/ too?

KR
Holger

[cmb]

Hi Holger,

As longer as I think about it, I come to the conclusion that your first suggestion ... is the best.

I guess both alternatives are basically the same. Both require some kind of interface (and a rewrite of the plugins/addons, if the interface will change ). And either of the solutions would require some cooperation of the plugins using it. Though only one small advantage of the general interface only solution remains: the user doesn't have to install an additional plugin. So indeed I guess that's the best way.

So I'm looking forward to see the reCaptcha - Plugin with a short demo-plugin or a documentation like with jQuery.

So I'll release a version of that ASAP. And I guess that Advancedform_XH might serve as demo. And I'll write some documentation on the interface and probably put that on the wiki. But considering reCaptcha, I suppose it will be necessary to make some slight adjustments to the suggested interface (not only the captcha code, but also the input field and additional controls have to be returned by captcha_display()). But I'll have to figure that out first.

And a small feature request: would you please think about the integration of reCaptchas eMail-Protection

I'll have a look at this.

And I was pointed to Cryptographp by snafu. It's a quite nice captcha solution too (similar to securimage, but lacking audio). It might be interesting for an alternative captcha plugin.

Christoph

[Holger]

So I'll release a version of that ASAP.

Fine .

And I was pointed to Cryptographp by snafu.

Jep, the look of the generated captchas is similar to securimage, but the last update is from march 2007 . IMO securimage is a better choice and it's still under development...

Holger

[cmb]

Hi Holger,

but the last update is from march 2007. IMO securimage is a better choice and it's still under development...

Yes, you're right. But a securimage plugin would have the problem with the audio captcha. I've had a look at this and there exist localized versions for a handful of languages (de, pt, it, but not e.g. dk). IMO a securimage captcha plugin would be really great, but it should provide audio captchas. And I don't want to spend too much time on the captcha solution, so I'd rather leave securimage for someone else to develop. I'll concentrate on recaptcha and another simple captcha solution, that won't need registration (Cryptographp or perhaps freecap, which is even older ).

Christoph

[Holger]

I'll concentrate on recaptcha and another simple captcha solution, that won't need registration (Cryptographp or perhaps freecap, which is even older ).

Of course you should leave some work for others, willing to make their hands dirty .
But it's possible to turn off the audio feature in securimage, if the aktive language is not supported.
I've turned the it off in lb_Gallery at all: http://cmsimple.holgerirmler.de/?Plugin ... c=0&page=0
(in that demo, the captcha will always fail - not a bug, a feature . I made it because that solution isn't hard to solve by spam bots. And now you know why I'm happy to see your development on new captcha-plugins...).

Holger

[cmb]

Hi Holger,

Of course you should leave some work for others, willing to make their hands dirty

I really do hope, that others will!

I've turned the it off in lb_Gallery at all

Indeed an audio captcha will not make to much sense for a gallery.

I made it because that solution isn't hard to solve by spam bots

Just to understand you right: you're talking about the visual securimage captcha, seen on the site? Indeed the captcha doesn't seem to be too hard to OCR, but I'm not sure, if spam bots are programmed especially for widespread captcha solutions such as securimage. But it should be possible to customize the securimage captcha to be much harder to recognize.

I've already made some progress with the recaptcha and the crytographp plugin. The basic code is working and fits nicely to the slightly adjusted interface. Now I'm working on documentation and the details of plugin writing. And I have to play around a bit with cryptographp's customization, as the default captchas are probably not tough enough to keep spam bots off.

Christoph

[Holger]

Just to understand you right: you're talking about the visual securimage captcha, seen on the site? Indeed the captcha doesn't seem to be too hard to OCR, but I'm not sure, if spam bots are programmed especially for widespread captcha solutions such as securimage.

Yes, they are. I had problems with spam-bots with the shown captcha.
BTW: it's the same with the board-captcha here - which looks much harder. There had been a lot of bot registrations before I've integrated the "Anti-Spam-Code" ( http://cmsimpleforum.com/viewtopic.php?f=2&t=582 ). From this time I'm sure that all spammers here are humans...

Holger

[cmb]

Hi Holger,

which looks much harder

But not by far as hard as reCAPTCHA! At least for humans I don't know how bots handle it.

From this time I'm sure that all spammers here are humans...

About Mailhide: it shouldn't be hard to integrate it to the captcha plugin, but the question is: where should it be integrated. As it serves the purpose to protect e-mail addresses, it should be integrated where the addresses are entered: in the editor! I'm thinking of a button "insert e-mail address". A dialog pops up ,the user enters the e-mail-address, and than the e-mail address will be inserted protected by Mailhide, if the user chooses so by a general configuration option or a checkbutton. So I guess it would be nice to develop the Mailhide solution as editor plugin (perhaps separated vom the recaptcha plugin, as the recaptcha lib is < 30KB). But I have no experience with CKeditor (which probably has a plugin interface very similar to FCKeditor) and tinyMCE. So it might be best, if we cooperate in developing such a plugin.

Christoph