Re: [GMG-Devel] CAPTCHA framework for your consideration

From: Christopher Allan Webber
Subject: Re: [GMG-Devel] CAPTCHA framework for your consideration
Date: Wed, 14 Jan 2015 15:51:43 -0600

Christopher Allan Webber writes:

> Again, all for adding the hooks.  It would be good to have the same
> hooks that recaptcha works with and have a builtin free software only
> captcha solution.  I have an idea for this... I will spit it out in a
> separate reply from this one though.

Okay, I said I would spit out ideas for free software only captcha
solutions.  An idea for an advanced one first, then one for a dumb one,
which is more obvious :)

Advanced captcha system

This maybe could wait a bit to be implemented, but I've been thinking
about a captcha system that provides the following features:

 - Serves image-based (and maybe audio-based) captchas, but *doesn't*
   require saving any image files on-server (which you later have to
   garbage collect...)
 - Doesn't require any rows in the database
 - Doesn't require any nonfree software
 - Integrates with the forms system
 - Makes use of our existing crypto/session stuff.

Here's how I think it would work.

 - hooks are run to initialize the captcha for whatever form / view.
   Attach validation requirement to wtforms and generate the image.
 - When generating the image (I'm not sure what kind of algorithm we
   should use for this), *don't* write to a file on disc static-served
   via apache.  Instead, we can base64 encode the image after rendering,
   pack it into the response, and serve it directly.  See 
   for an example of this in action.
 - Provide a question and *hashed* version of the expected answer from
   the captcha which the user needs to answer.  We sign the question and
   hashed answer with itsdangerous (and set a time limit to solve it) so
   that the user can't make up their own question and answer.

I think doing the above could be a pretty smart and elegant
solution... it means being able to do a captcha that doesn't require
storing any extra junk server-side, but still provides a way to pass a
captcha along.

The trickiest part of this might be writing some code to make some
visual captchas in the first place.

Note: I'm not sure if it's possible to base64 encode audio in the same
way?  But if so, we could provide both audio and visual captchas.

Dumb captcha system

So, maybe we need to get something in a lot sooner that's still free
software (we can't/shouldn't include Recaptcha with MediaGoblin proper,
since it isn't, but we can leverage the work Ayleph is doing in terms
of generalizing the captcha plugin layout).  In the meanwhile, we could
do a very simple/stupid captcha system, that asks the user one of a few

 - Simple arithmetic (I've always found this funny, since computers are
   more efficient at arithmetic than users, but..)
 - User provided text questions with text answers.  We could provide a
   config parameter for admins to put this in place.

... It would be great to provide the smart captcha system, though I
think we should provide the dumb captcha system as soon as possible.  At
the very least, this could help us nail down what features are needed in
a generalized way to fulfill both Ayleph's plugin's needs and this one,
and provide some sort of minimal gate to stem the hordes of spammers.

 - Chris
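
An added example, not part of the original message or of MediaGoblin's code: a sketch of the stateless scheme described above (signed question, hashed answer, time limit), using the standard library's `hmac` in place of itsdangerous. The names `issue`, `verify`, `SECRET` and `MAX_AGE` are assumptions, and the answer digest is keyed with a per-token nonce as a design choice of this example.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)  # assumption: stands in for the site's signing key
MAX_AGE = 300            # assumption: seconds the user has to solve it

def _mac(*parts):
    """HMAC-SHA256 over the parts; the first part separates the two uses."""
    return hmac.new(SECRET, b"|".join(parts), hashlib.sha256).hexdigest()

def _answer_digest(nonce, answer):
    # Keyed and per-token: a plain hash of a short answer could be matched
    # offline by hashing every candidate, and would repeat across tokens.
    return _mac(b"answer", nonce.encode(), answer.strip().lower().encode())

def issue(question, answer, now=None):
    """Return the opaque token that travels in a hidden form field."""
    body = {"q": question, "n": os.urandom(8).hex(),
            "t": int(time.time() if now is None else now)}
    body["a"] = _answer_digest(body["n"], answer)
    raw = json.dumps(body, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw)
    return payload.decode() + "." + _mac(b"token", payload)

def verify(token, submitted, now=None):
    """Return (ok, reason). No file or database row is consulted."""
    payload, _, sig = token.rpartition(".")
    expected = _mac(b"token", payload.encode())
    # Check the signature before parsing anything the client sent back.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    body = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now - body["t"] > MAX_AGE:
        return False, "expired"
    digest = _answer_digest(body["n"], submitted)
    if not hmac.compare_digest(body["a"].encode(), digest.encode()):
        return False, "wrong answer"
    return True, "ok"

if __name__ == "__main__":
    token = issue("What is 3 + 4?", "7")  # constructed sample question
    print(verify(token, "7"), verify(token, "8"))
```

Because nothing is stored server-side, a solved token stays valid until it expires; the time limit is what bounds that reuse window.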
