You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Jonathan Vanasco <mo...@2xlp.com> on 2006/06/06 02:09:17 UTC
Slightly OT: mp2 oriented Captcha Module -- anyone interested ?
i wrote a captcha system in python using the turbogears framework and
the python imaging library
it basically just creates an image/validation scheme based on a few
variables that is passed into the object -> site secret , user seed ,
expiry time built into a key generator
it's also with a clustered behavior - images are never saved to disk,
they're always rendered on-the-fly.
if you want one-time use captchas, you'd have to 'clear' them through
a db beforehand -- otherwise no db is really necessary
its designed so that the 'image' is a subclass of the captcha --
other subclasses can be audio or text formulas "type the second word
in this sentence" "type out four minus three" etc. simpler put: the
main captcha class handles actually creating captchas and validating
user input , and its up to the user to choose how to display it
( which is different than most of the captcha systems out there that
go for an image then backtrack to creating other formats )
i'm currently migrating it fully into modperl using imager... it
would be very much like GD::SecurityImage, but use imager ( i don't
want to have GD compilied in) and i need some open standards /hooks
on how it creates/validates a captcha, so the same thing can work
with python and php
i'm about 2/3 of the way through porting this... however when its
done its going to be very much tailored to my style of coding, and my
framework, and use conventions that would make some cringe.
i'd like to make this cpanable so other modperlers can use it - would
anyone on the list be interested in collaborating with me, and help
make it more standardized and cpanable? i don't have the time/energy
to do that myself.
i'd also like to make this as optimized as possible since there's a
lot of image generation etc - which means if some processing can be
saved by using some mp only things over perl conventions -- so be it.
fwiw, the python version and some samples is here:
http://dev.2xlp.com/trac/browser/another_python_captcha/trunk
if anyone is interested, please contact me offlist -- thanks.
| - - - - - - - - - - - - - - - - - - - -
| RoadSound.com / Indie-Rock.net
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - -
Re: Slightly OT: mp2 oriented Captcha Module -- anyone interested ?
Posted by Jonathan <mo...@2xlp.com>.
forgive the continued OT-ness, it makes sense to just continue this
for another post or two here...
On Jun 6, 2006, at 5:10 AM, Kjetil Kjernsmo wrote:
> a lot of good points
i agree 100% with everything you said. its awful for users, and its
awful for the server load - which is why i want to make it as modperl
as possible.
i'd rather not use images, but right now they're 'easiest' and expected.
i want to implement one captcha system, and then just have a modular
element handle how the challenge is presented...
i should have something usable for input within 18hours via Trac/SVN.
its a bit awkwardly laid out classwise, as i'm pretty much porting
from a half-finished python version and both langauges have very
different approaches to class inheritance.
i don't mean to use cheaply implemented / replaced / upgraded plugins
for image generation , but for all presentation formats. ie, you can
switch between different image outputs if your want... or between
jpeg/text-logic with a single line of code
basically the idea for use is this:
# build a new captcha
my $captcha= Captcha::NewCaptcha->new( sitesecret=>'a-z', seed=>'A-
Z' );
my $publickey= $captcha->generate(); # public key is used to
generate the captcha test
# validate the captcha
my $captcha= Captcha:: ExistingCaptcha->new( sitesecret=>'a-z',
seed=>'A-Z' );
if ( !$captch->validate( public_key=>$publickey , human_answer=>
$human_answer ) {
die "invalid key";
}
# generate the captcha using a factory pattern
my $captcha= Captcha:: ExistingCaptcha->new( sitesecret=>'a-z',
seed=>'A-Z' );
my $jpeg_data= $captcha->render( 'image' );
my $html_logic_field= $captcha->render( 'html_logic' );
my $wav_data= $captcha->render( 'sound' );
# i chose a factory dispatch instead of calling a variation directly,
because some captchas may have several versions called at once...
all of the output options are separate and modularized. ie:
Captcha::Img
Captcha::Sound
Captcha::Logic
but share the main Captcha interface and inheritance
captcha keys so far work like this
public_key= md5( sitesecret , seed , timenow );
question/answer = generate_pair( key ) ; # where a given key will
always return a specific pair
something presented to the user ( a text puzzle, a visual captcha, a
sound ) has embedded with it 'public_key' and 'timenow'
captcha.gif?public_key=2384u20983u4234&time=111110001
<input type="hidden" name="public_key" value="2384u20983u4234"/>
timenow is valid for ( cpu - 30s ) - ( cpu + 240s ) which is 30s in
the past and 4mins in the future
sitesecret is configured per-site, defaults to '' -- just to add a
minimal layer of security
seed is a session variable supplied by the calling program
this makes a GENERAL key that can provide a turing authentication
with a built in self-destruction time of 4.5mins (time can be
changed, but that should account for casual use of a computer plus a
cluster of machines that are out of sync and not running ntp )
to make things secure, keys SHOULD be checked into/outof a db -- but
that makes more sense to me in the calling program, not a generation/
validation module. i think a captcha system should just generate a
test and validate it. whether or not a test has been used before, or
if an ip has called for 300 tests in 10seconds, or if a test was
given to ipA and answered by ipB,C,D shouldn't be in the module. its
too user specific to put in there (i think) - or at least in the main
module.
in any event, thats my approach so far - i can implement most of it
right away with an image test that everyone will find annoying and
some will feel disfranchised by... but with a few lines in code I can
switch it to audio or text-logic as those parts get written.
( though its not as extensible as i'd like right now.. i'd like to
support multiple image rendering options).
//Jonathan Vanasco
|- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - -
| RoadSound.com / Indie-Rock.net
| Collaborative Online Management And Syndication Tools
|- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - -
Re: Slightly OT: mp2 oriented Captcha Module -- anyone interested ?
Posted by Jonathan Vanasco <mo...@2xlp.com>.
ok, last posting on this list - a few people exhibited interest in
helping out and setting me straight. i just wanted to make a final
call for any more.
i've got the general architecture migrated to perl. the class/
namespace stuff is a complete mess as its from python which has a
very different approach, and as a result i'm also passing around
variables/settings rather clumsily. its really all just a complete
mess internally right now , but it shows the general idea as a proof
of concept.
right now the 'Img' rendering just does text on osx with some lines.
an 'img' is basically just a stack of filters/classes on background
(i got the idea from the imaging section of a python captcha i
modeled my python captcha on) i haven't had time to learn much of
Imager and will likely need to write a filter to handle warping or
other tasks. the captcha creation/validation is currently within the
main bit of the module, but i'd like to bust it out into a pluggable
subclass so it can be user specified.
in any event, the functional mess i hacked up in some spare time is
here:
there is internal pod on Captcha.pm describing most things
view via trac:
http://dev.2xlp.com/trac/browser/mod_perl/PerlCaptcha/trunk
or svn access
$ svn co http://dev.2xlp.com/svn/mod_perl/PerlCaptcha/trunk
i'll move all further discussion offlist now
| - - - - - - - - - - - - - - - - - - - -
| RoadSound.com / Indie-Rock.net
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - -
Re: Slightly OT: mp2 oriented Captcha Module -- anyone interested ?
Posted by Kjetil Kjernsmo <kj...@opera.com>.
On Tuesday 06 June 2006 02:09, Jonathan Vanasco wrote:
> i'd like to make this cpanable so other modperlers can use it - would
> anyone on the list be interested in collaborating with me, and help
> make it more standardized and cpanable? i don't have the time/energy
> to do that myself.
I could do the CPAN bit, however, I wouldn't want the system to be
constrained to image CAPTCHAs. Image CAPTCHAs is a Really Bad Thing.
Users hate it, they are not really efficient (or that is, either bad
for users or easy for computers), extremely bad for accessibility,
quite bad on mobile devices, and really, they don't separate man from
machine very well, they separate users with certain capabilities from
users without those.
See also http://www.w3.org/TR/turingtest/
I'm trying to move away from image CAPTCHAs here, but it is not that
easy. Anyway, the above also contains some suggestions.
Furthermore, the thing with CAPTCHA's is that it is an arms race. That
is, if your measures are more expensive than the spammer's
counter-measures, you loose. So, there is a big question how much time
you are going to spend on it. You can spend a lot of time on research,
and come up with something that spammers really can't crack, but I
think it would be more useful to be cheap, i.e. realise that this is
going to be a game of whack-a-mole and spend a bit of time on an
architecture where you can very cheaply implement plugins. So, when a
spammer manages to get through your CAPTCHA, you have a new plugin the
next day.
But yeah, I'd like to cooperate on this, as we need to replace the stuff
we have.
Cheers,
Kjetil
--
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA