Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw

Re^3: Is using 'Cookies' impractical for 'Contact Us' forms?

by gellyfish (Monsignor)
on Jul 07, 2006 at 07:43 UTC ( #559732=note: print w/replies, xml ) Need Help??

in reply to Re^2: Is using 'Cookies' impractical for 'Contact Us' forms?
in thread Is using 'Cookies' impractical for 'Contact Us' forms?

If you are concerned about locking people out who might not want to or are not able to receive cookies then you should equally be concerned about those people who you are deliberately excluding by using "image verification" (Known as CAPTCHA to most of us.) CAPTCHA is documented as being inaccessible to a significant proportion of the population, and is also not as secure as many people seem to think they are. To be honest the inaccessibility issue should make most people think twice about using them these days as a number of countries have laws requiring equality of access to web sites.


  • Comment on Re^3: Is using 'Cookies' impractical for 'Contact Us' forms?

Replies are listed 'Best First'.
Re^4: Is using 'Cookies' impractical for 'Contact Us' forms?
by newbie00 (Beadle) on Jul 07, 2006 at 08:39 UTC

    I've seen that some 'CAPTCHAs' are incorporating 'audio'. That is what I'd like to use. I still have to make a final decision as to which one I'd 'go live' with if I use it. I'd like to find other sources and/or options.

    Is there another method besides 'CAPTCHA' and 'IP-based throttling' since 'IP-based' doesn't work on those systems that continually change IP addresses during a session?

    If I remember correctly, I believe one of the most popular blogs has or is possibly adding 'CAPTCHA' capability. It seems I read that somewhere... Maybe spamming bloggers is growing? Hope not...

    If there is a 'better mousetrap', please let me know. Again, I'd like to have an option available to either circumvent or to institute a 'fix' immediately if it happens. I don't want to wait to do the research...

    Thanks again, folks.

      Of course even a combination of both audio and visual CAPTCHA is going to be inaccessible to a certain proportion of people, and audio CAPTCHA is equally vulnerable to this kind of exploit as the purely visual method.

      IP throttling schemes will also fail in the face of a concerted "attack" from someone who avails themselves of the large number of open HTTP proxies (either mis-configured or opened up by some malware.) In checking hosts involved in reports we have seen on the NMS mailling list it could be that upwards of half of them are known open proxies or otherwise exploited hosts.

      The NMS TFmail program implements a DNSBL type technique to protect from open proxies, exploited machines and other known abusive hosts: there is a bit of background in my talk from yapc::Europe last year.

      To be honest you could do worse than using the TFmail rather than writing your own "contact form" program as we are actively (if fitfully) developing it and are keen to implement more "attack mitigation" measures in the future.


Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://559732]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (3)
As of 2022-11-30 06:15 GMT
Find Nodes?
    Voting Booth?