ReCAPTCHA library - ignited
Posted: 17 December 2007 06:23 PM
Joined: 2007-03-19
122 posts

Hello,

I’ve created a CI implementation of the reCAPTCHA service (http://www.recaptcha.net)

http://codeigniter.com/wiki/ReCAPTCHA/

The most up-to-date version was written for CI 2.0

Technically speaking, this should still work for CI 1.7.X - but you’ll need to adjust the controller syntax slightly to match the new CI way of doing things.

 Signature 

I plan on being spontaneous tomorrow.

 
Posted: 17 December 2007 07:00 PM   [ # 1 ]   [ Rating: 0 ]
Joined: 2007-12-13
39 posts

Sorry - I really don’t mean to put down your hard work - this is not a reflection on your code, just on the use of captchas in general. It should be noted that they’ve recently been broken. Spammers are relaying captchas to pornsites where visitors are tricked into solving them with the promise of free porn if they do. The solution is then relayed back to the spammer.

So only use captchas if: 1) you are aware that it's only a stumbling block, and don't care because you're monitoring your system anyway - or 2) for a time delay preventing dictionary attacks on logins, etc., PROVIDED you have a really, really good captcha generator, and enforce a strong password complexity policy.

Besides that: good work! I’m new to the community and am happy to see that it’s such a vibrant and sharing one. Hope to share some of my own someday soon.

 
Posted: 17 December 2007 07:27 PM   [ # 2 ]   [ Rating: 0 ]
Joined: 2007-03-19
122 posts
zauber - 18 December 2007 12:00 AM

Sorry - I really don’t mean to put down your hard work - this is not a reflection on your code, just on the use of captchas in general. It should be noted that they’ve recently been broken. Spammers are relaying captchas to pornsites where visitors are tricked into solving them with the promise of free porn if they do. The solution is then relayed back to the spammer.

No offense taken.  I agree that spammers are taking over and rendering a lot of captchas useless.  I haven’t found this to be the case for recaptcha.

zauber - 18 December 2007 12:00 AM

So only use captchas if: 1) you are aware that it's only a stumbling block, and don't care because you're monitoring your system anyway - or 2) for a time delay preventing dictionary attacks on logins, etc., PROVIDED you have a really, really good captcha generator, and enforce a strong password complexity policy.

This is good advice from a security perspective though I can’t say I agree with it 100% (“all generalizations are false”, hehe).

I’d recommend taking a look at how recaptcha works - it’s actually very good with regards to being more difficult to hack.

zauber - 18 December 2007 12:00 AM

Besides that: good work! I'm new to the community and am happy to see that it's such a vibrant and sharing one. Hope to share some of my own someday soon.

Yes, this is a great place for collaboration and sharing. I look forward to your contributions.


 
Posted: 17 December 2007 08:06 PM   [ # 3 ]   [ Rating: 0 ]
Joined: 2007-12-13
39 posts

Yeah, having looked at recaptcha’s images briefly, I’d agree with you and say they’re pretty tough to beat.  Nevertheless they are vulnerable to being solved by real human beings who don’t know they’re helping spammers. As such I wouldn’t trust any captcha for an unmonitored account-creation form or similar.

They DO look good enough for a login form as a brute force protection system (I doubt crackers are getting a lot of speed out of the porn-surfers-solution). But then again, that all depends on how hardcore you want to go on security.

I only even mentioned it because I've recently been charged with hardening security in our applications at work (a field somewhat unfamiliar to me previously), so my head has been full to the brim with security concerns lately. My eyes just automatically landed on this thread because captchas were in the title, and I had to vent.

So sorry again for not staying on the topic of your code. I sincerely hope someone with a need and a mind for testing will come along shortly. Good luck.

 
Posted: 17 December 2007 08:33 PM   [ # 4 ]   [ Rating: 0 ]
Joined: 2006-09-11
374 posts

One amusing method of doing Turing tests is to grab a large pool of thumbnail images off of Flickr every month, read their tags, then set up a system wherein the user must select three images that all contain the same subject material. For instance, run a server-side Flickr query for things like 'dry desert scene', 'fruit oranges', 'alcohol spirits', 'cold water', etc. Cache them based off of some random hash unrelated to their subject material. On the frontend, present nine thumbnails of images with the question, "Which three of these images contain or represent dry?" Three of the thumbnails would be pulled from the 'dry desert scene' pool while the rest would be from subjects opposed to that, such as 'cold water.'

It’s a good turing test because computers aren’t able to algorithmically determine the answer—without polling large portions of flickr’s many billions of photos, anyway, which they will get shut down by—and you’re updating your photo album every 30 days with new imagery, which should discourage human-informed bot spamming.

I’ve seen this idea used, but I’ve never seen it done very well.

 Signature 

August 2011: I’m not an active codeigniter developer right now. Feel free to contact me, but I may not be able to solve your problem for you.

flickr | twitter | rockets

 
Posted: 18 December 2007 04:36 AM   [ # 5 ]   [ Rating: 0 ]
Joined: 2007-12-13
39 posts

hehe, yeah - I’ve seen similar things too, but as you say: never done well. I guess the problem is you have to make the problem hard enough to guess so that there’s no point just answering randomly. That would require a large number of images, making the captcha too overbearing on “real” users.

 
Posted: 18 December 2007 07:17 AM   [ # 6 ]   [ Rating: 0 ]
Joined: 2007-03-15
7 posts

Sorry for my 0.03 cents, but captchas, whatever they are, simply suxx.
I have some problems with my eyes and I know that someday my eyes will be worse than the spammers' captcha-recognition engines.

Here is an example of how forms work without captchas: http://15daysofjquery.com/safer-contact-forms-without-captchas/11/
And here is another example of what you could do to fight spammers: http://sblam.com/en.html

Both examples are much better than all the captchas on the web, so please don't promote bad behaviour on the web - captchas make the web much worse trash than it already is.

Thanks

Posted: 18 December 2007 09:37 AM   [ # 7 ]   [ Rating: 0 ]
Joined: 2007-03-19
122 posts

I’m rather surprised at the negative responses.

My guess is that the reCAPTCHA site isn’t clear on how their service is “better” than most other CAPTCHAs out there.  Here’s my brief synopsis:

1.  You need a private and public key.  These keys are used to identify you with their servers.
2.  If a h4x0r decides to remotely host your form, they would also need to spoof your domain to even get an image to show up.
3.  Even if they *do* get an image to show up, the private key is needed to verify that the text (or numbers, for the audio challenge) entered are being checked from the right source.
4.  The word challenges are typically in plain English so they are easier for a human to read.  This is because we (humans) are able to “fill in the gaps” and figure a word out when some letters are difficult to read.
5.  It works even with cookies and JavaScript disabled.
6.  It works for visually impaired users (audio challenge option).

My intent was to provide a library in CI to make it easier for people to use the reCAPTCHA service.

I appreciate the feedback on the general use of CAPTCHA technologies.  I think that the discussion is derailing the contribution, however, and may be better suited for another part of the CI forums.

Thanks


 
Posted: 18 December 2007 10:05 AM   [ # 8 ]   [ Rating: 0 ]
Joined: 2006-07-14
4237 posts

There is no 100% security, but I think this should be discussed in another topic, because now it seems as if JayTee did something bad by creating an easy way to use recaptcha.

Looking at the class, I couldn't see a way to change the theme other than in the configuration file. For example, with two pages that use the class but have different colour schemes, it would be nice to change the recaptcha theme accordingly.

And I'm wondering why you added the recaptcha URLs to the config file rather than in the library constructor. I don't think they are going to change often?

On the wiki, could you document how to challenge recaptcha, and maybe integrate it into the CI error string?

I've checked the recaptcha site and the error messages are only for the case where there is an error using the functionality; there is no error message that states the input is wrong, or am I overlooking it? So the error messages are not for public consumption. Maybe you should make a language file with two error messages: false-input and false-recaptcha. When the latter error is raised, the developer can choose to add a log message of some sort.

I'm also wondering why you added the recaptcha_get_signup_url method.

I hope you find some inspiration to develop the library further.
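A minimal verifier along the lines suggested in this post, as an added example (not JayTee's library and not the project's own code): it returns distinct codes for missing input and for an answer the reCAPTCHA service rejected, so a language file can carry the two messages proposed above. The verify URL and the two-line true/false reply format are assumed to be the reCAPTCHA v1 API of the time; the private key and the HTTP transport are constructed placeholders.

```php
<?php
// Added example, not JayTee's library: a CodeIgniter-style reCAPTCHA verifier that
// separates "user typed nothing" (false-input) from "service rejected the answer"
// (false-recaptcha). Assumptions: verify URL and "true|false\nerror-code" reply
// format are the reCAPTCHA v1 API; the key and the transport below are constructed.
class Recaptcha_verifier
{
    const VERIFY_URL = 'http://api-verify.recaptcha.net/verify';
    private $privkey;
    private $transport; // callable(string $url, array $fields): string reply body

    public function __construct($privkey, callable $transport)
    {
        $this->privkey   = $privkey;
        $this->transport = $transport;
    }

    // Returns 'ok', 'false-input' or 'false-recaptcha'. Only the last one means a
    // submitted answer was actually rejected, so only that case is worth logging.
    public function check_answer($remoteip, $challenge, $response)
    {
        if (trim((string) $challenge) === '' || trim((string) $response) === '') {
            return 'false-input';
        }
        $reply = call_user_func($this->transport, self::VERIFY_URL, array(
            'privatekey' => $this->privkey, // server-side only, never sent to the browser
            'remoteip'   => $remoteip,
            'challenge'  => $challenge,
            'response'   => $response,
        ));
        return self::reply_is_true($reply) ? 'ok' : 'false-recaptcha';
    }

    // First line of the reply is "true" or "false"; a second line may carry an error code.
    public static function reply_is_true($reply)
    {
        $lines = explode("\n", (string) $reply);
        return trim($lines[0]) === 'true';
    }
}

// Offline demonstration with a fake transport that accepts one constructed answer.
$fake = function ($url, array $fields) {
    return $fields['response'] === 'correct words' ? "true\nsuccess" : "false\nincorrect-captcha-sol";
};
$rc = new Recaptcha_verifier('PRIVATE-KEY-PLACEHOLDER', $fake);
foreach (array(array('ch', 'correct words'), array('ch', 'wrong'), array('', '')) as $case) {
    echo $rc->check_answer('127.0.0.1', $case[0], $case[1]), PHP_EOL;
}
```

In a real library the transport would POST the fields with cURL or fsockopen, and the caller would map the three codes to language-file strings and log only the false-recaptcha case.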

 
Posted: 18 December 2007 10:46 AM   [ # 9 ]   [ Rating: 0 ]
Joined: 2007-03-19
122 posts

Excellent feedback. I'll probably get an update uploaded within the next day or so. This first iteration is really just a mirror copy of the PHP library provided on recaptcha.net. I was in a hurry to get it implemented for a guy, so I didn't do much modification to their code. I'll be doing a larger cleanup effort tonight/tomorrow.


 
Posted: 18 December 2007 01:01 PM   [ # 10 ]   [ Rating: 0 ]
Joined: 2006-09-11
374 posts

Unlike some previous contributors, I approve of captchas in general. There are some really bad ones, but in general they’re an effective way of filtering out robots. Some people get filtered out as well, but maybe they’re just robots anyway.


 
Posted: 18 December 2007 07:59 PM   [ # 11 ]   [ Rating: 0 ]
Joined: 2007-12-13
39 posts

I’m all for moving this thread (minus the posts regarding JayTee’s library) to somewhere else. I really didn’t mean to start an off-topic thread, and especially not to disparage JayTee’s work.

I do think it's important to have a place to discuss PHP security, especially in the context of CI, seriously. It's a far deeper and more complicated arena than I could have ever imagined before involving myself. Having looked at the security measures of CI, I find they are good in many ways, but I am not really qualified to say. I have yet to see a comparative review of the security features of various frameworks from a trusted source. With more and more applications being based on frameworks, you'd think such a writeup would make an important reference and benchmark for framework developers/contributors.

Also in CI, there are several security aspects left to the discipline of the programmer/sysadmin (Access control, CSRF-protection, session-protection, password hashing, to name a few) which could possibly be implemented by various third party libraries - and in some cases attempts have probably already been made. A discussion of the various design-options for this would definitely benefit the community.

OK... so I went off on another rant. Sorry JayTee, but since there are a few people interested in security matters on this thread already, I thought I'd try to round up some support for ... I dunno, maybe a forum category for security discussions? Then we could move the whole captcha discussion there. I still have some thoughts and comments on captchas (and reCaptcha's implementation in particular), but I will wait for a more appropriate thread.

 
Posted: 19 December 2007 05:25 AM   [ # 12 ]   [ Rating: 0 ]
Joined: 2006-07-14
4237 posts

@zauber: create your own security topic in one of the other categories, pointing to this thread as the starter for the discussion. I'm sure you will have some takers.

 
Posted: 25 December 2007 11:47 PM   [ # 13 ]   [ Rating: 0 ]
Joined: 2007-05-21
340 posts

I’ll just say, good work.

Not everything is black or white.

Keep us posted with your more advanced implementation.

Does Recaptcha handle multiple languages in word choice and theme?

Thanks !

 Signature 

-> Unofficial IRC channel [ irc.freenode.net #codeigniter ]

 
Posted: 07 January 2008 06:03 AM   [ # 14 ]   [ Rating: 0 ]
Joined: 2007-12-25
2 posts

Hello JayTee,

JayTee - 17 December 2007 11:23 PM

Hello,
I’ve created a CI implementation of the reCAPTCHA service (http://www.recaptcha.net)
http://codeigniter.com/wiki/ReCAPTCHA/

your code didn’t work for me.

On line 138 I had to change

return $this->object->load->view('recaptcha',$data,true); 

into

return $this->_ci->load->view('recaptcha',$data,true); 

And then the view-code is incomplete:

[code snippet missing from page]

should probably be:

[code snippet missing from page]


killefiz

 
Posted: 08 January 2008 11:53 PM   [ # 15 ]   [ Rating: 0 ]
Joined: 2007-12-26
15 posts

@killefiz:

Hi, I had the same problem with line 138 error and your library fix worked.

However, I think your view-code fix is missing a line or something, since the JavaScript still doesn't call any function. What function should be called via JavaScript?

 