
Public Class GeoffAppleby

Inherits Microsoft.VisualBasic.MVP : Implements IBrainFart
GAPTCHA - Some Small Updates

Update: The source is now live! 

Tonight I made a couple of little mods to my Gaptcha control.

First, I stopped just base64 encoding the names of the images that needed to be selected in the form. It was extremely easy to crack :) It now encrypts the information first, and THEN base64 encodes it.

Second, I made it a little more user-friendly for when you click the wrong pictures. Before, you'd lose your comment (whoops!). Now, it leaves the comment text there, scrolls down to that area of the page and shows a nice big message about how you got it wrong and need to try again. A little birdy told me that he wants to steal my code for this feature :)

I've also started work on making the validation time out too. Some sites have terrible timeouts (a small number of seconds). Me, I'm not that bad. I think 10 minutes is plenty. Do you agree? Should it be more? I don't think any less is important - by the time a spammer could crack it so that they figure out which images were needed etc., and save the post data so they can resubmit it every day, the ten minutes will be about up anyway. I haven't pushed this live yet, as I'm still thinking about what details I need to pay attention to, but I am storing a timeout of 10 minutes in my encrypted info as part of the first change above - so I've proved that part works anyway :) I'm just not enforcing it yet.
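As an added illustration (not Geoff's code, which is a .NET control; the key, image names and pool below are constructed), the same two ideas in Python: the hidden form field carries a random nonce and an expiry, bound together by an HMAC, and the required pictures are derived server-side from a keyed hash of that nonce instead of being encrypted into the field, so the form discloses nothing about the answer and a saved form stops validating once the 10-minute window has passed.

```python
import base64, binascii, hashlib, hmac, json, os, random, time

# Constructed stand-ins for the pool of pictures the commenter can click.
IMAGE_POOL = ["bald_spot", "big_mouth", "sisters_cat", "beard", "glasses",
              "hat", "sunglasses", "smile", "frown"]
REQUIRED = 3          # pictures that must be clicked
TTL_SECONDS = 600     # the 10-minute window discussed in the post
TAG_LEN = 32          # HMAC-SHA256 output size

def expected_images(key: bytes, nonce: bytes) -> list:
    """Derive the correct picture set from a keyed hash of the nonce.
    Only the key holder can compute it, so the nonce may travel in the clear."""
    digest = hmac.new(key, b"gaptcha-select:" + nonce, hashlib.sha256).digest()
    return sorted(random.Random(digest).sample(IMAGE_POOL, REQUIRED))

def issue_challenge(key: bytes, now=None):
    """Return (token for the hidden field, pictures the form must present as required)."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    body = json.dumps({"n": base64.b64encode(nonce).decode(),
                       "exp": now + TTL_SECONDS}, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode(), expected_images(key, nonce)

def verify_submission(key: bytes, token: str, clicked, now=None):
    """Return (ok, reason); fails closed on tampering, expiry or a wrong selection."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (binascii.Error, ValueError):
        return False, "malformed"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Constant-time compare; a truncated or wrong-length tag simply fails.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "tampered"
    fields = json.loads(body)
    if now > fields["exp"]:
        return False, "expired"        # a saved form replayed after the window
    nonce = base64.b64decode(fields["n"])
    if sorted(clicked) != expected_images(key, nonce):
        return False, "wrong pictures"
    return True, "ok"

if __name__ == "__main__":
    key = os.urandom(32)               # in practice a persistent server secret
    token, required = issue_challenge(key)
    print(required, verify_submission(key, token, required))
```

Within the window a saved form still validates, so only a server-side record of nonces already used would fully stop resubmission; the expiry merely bounds how long that replay stays useful.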

So that's where I'm at. I've had some great feedback too in the last day - thanks to everyone who has commented (especially Bill who scared me a little too much :) It's nice to know that people seem to think I've had a good idea too. All the feedback is valuable (bad and good!) so keep it coming please!

Posted: Tuesday, October 17, 2006 11:39 PM by Geoff Appleby

Comments

Dave Burke said:

"A little birdie."  Nice. :-)

I promise if I DO steal your code I'll blog about it as if it was my own idea, just like your Remember Me fix.

I don't know why you're concerned about a timeout value.  No one's going to crack The GAPTCHA, and you can take that to the bank, bud.

# October 18, 2006 2:20 AM

Geoff Appleby said:

Heh :)

Well, it certainly can be cracked if the form is saved (do a file/save as) and then repeatedly submitted over time. It's the same combination every time you hit submit, because the form data is still identifying the exact same images to be selected.

By putting in a timeout (which will cost very little - hell, as I said the live code is already sending out and parsing back in the timestamp in the encrypted data, it's just ignoring the timestamp that it parses) then a saved form will only work for a small amount of time.

If I can be confident in the difficulty in cracking this thing, then others might want to use it too :)

So with the timeout, I think we're safe until image parsers can match text strings to different random pictures of moi :)

# October 18, 2006 3:32 AM