[BUG - 1.1 RC3] request another captcha image

Started by Harzem, August 22, 2006, 04:42:52 AM


bananaman

Quote from: HarzeM on August 23, 2006, 04:56:23 AM
You can request another image to see different fonts and modifications.

- There are more fonts.
- Some fonts are negative images, i.e., white fonts inside dark borders.
- One font is a 3D looking one, and still a negative font.
- Fonts are rotated more
- Fonts are waved, so they are different each time.

:) Fantastic!! I agree the existing captcha are too difficult for humans to read too - this is a great improvement.

Would it be possible for these variables to be added to forum administration so that each SMF admin can set the letter rotation, fonts, image size, background noise, etc. that they feel comfortable with?

@Thantos Good work on fixing the firefox bug :)
Visit my website Wolfenstein Resource for Wolfenstein and Enemy Territory Hints and Tips!

Harzem

Quote from: bananaman on August 23, 2006, 06:52:56 AM
Would it be possible for these variables to be added to forum administration so that each SMF admin can set the letter rotation, fonts, image size, background noise, etc. that they feel comfortable with?

Yes it is possible, but I don't recommend it. Not every admin knows about captchas, which variables make it secure, which makes it weak. I'm trying to achieve the best combination of parameters to make it human readable, but not robot readable.


stt442

I agree that the RC 3's CAPTCHA image is really unusable. HarzeM's version looks a lot better :).

I was just wondering if it's possible to write a custom CAPTCHA as a mod, or do I need to hack the sources? I was thinking of making a verification that displays small images of different objects. Then you would have to select one (or many) images to prove you are a human.

For example, there are images of a car, a train, a house and a cat. A text would instruct you to select the car from those images.

I'm new to SMF so...  ???

Harzem

I'm also working on another captcha image, here:
http://www.turkproje.org/proje/captcha/resim.php

This is somewhat different. It has nice gradient backgrounds. But the main thing is, the characters are almost never the same. There are tons of fonts, rotations, waves, etc., in addition to multiple renders of the same character to make some of them "border-only", double border-only, bla bla... The best is when you see it :)

I'm taking inspiration from it, but I'm not thinking of integrating this into SMF directly, because this should be unique to that site.

Cache-man

I'm not too educated with the whole CAPTCHA thing yet, but I do agree with everyone else that the RC3 letters are too difficult to read.

Is it just possible to replace all the letters in the default themes /fonts directory, or is there more to it than that?

If it is that simple, would it be possible for us to use the images you are using? Would you be able to attach them to this thread please?!?

Surferbird

That's nice and readable. This should be adopted by SMF instead of the one added there now, which is mostly unreadable. Hope the SMF team adopts it or buys it from you. Great creation. It seems all your works are excellent works  :D ;)
.:: Always something to ask - always grateful for assistance ::.

rejetto


Harzem

Quote from: Cache-man on August 23, 2006, 08:50:30 AM
Is it just possible to replace all the letters in the default themes /fonts directory, or is there more to it than that?

Replacing the fonts isn't just the whole thing. There are programming differences using different functions to create images. Also I waved the characters by some coding.

Quote from: Surferbird on August 23, 2006, 08:52:05 AM
That's nice and readable. This should be adopted by SMF instead of the one added there now, which is mostly unreadable. Hope the SMF team adopts it or buys it from you. Great creation. It seems all your works are excellent works  :D ;)

I won't attempt to sell it :P If the team wants, they can get it. If they don't, I'll release it as a mod.
Soon, I'll add some perturbation to make it harder to be read by robots.

And yes, I do like my own work too :P

ediww

there is already working captcha module,

http://mods.simplemachines.org/index.php?mod=277

covering both registration and guest posting, and i'm using it for months on a quite large board. it is good and pretty readable.

you can configure how many letters will be shown.

i've found that 3 (yes, only 3) are quite enough to stop the bots we've suffered from. take a look, this is from the registration page (just after password and confirm password):



right now i'm looking if i can disable the built-in in RC3 and adapt it from RC2 - i desperately need the guest posting captcha.

edi

Quote from: Techdomain on August 23, 2006, 07:14:32 AM
Love the work you are doing there HarzeM!
Beep-beep-beep. Beep-woop-woo. Beep-boop.

Harzem

Quote from: ediww on August 23, 2006, 10:14:38 AM
there is already working captcha module,
covering both registration and guest posting, and i'm using it, it is good and pretty readable. right now i'm looking if i can disable the built-in in RC3 and adapt it from RC2 - i desperately need the guest posting captcha.

RC2 version of that mod is insecure by means of the image created. That image is very easily readable by robots. No perturbation, no modification of characters, similar fonts etc...

About guest posting... I'm thinking about a mod for it in RC3.

Benson

Quote from: HarzeM on August 23, 2006, 10:19:35 AM
RC2 version of that mod is insecure by means of the image created. That image is very easily readable by robots. No perturbation, no modification of characters, similar fonts etc...
I thought hncaptcha can't be read by bots...

Quote from: HarzeM on August 23, 2006, 10:19:35 AM
About guest posting... I'm thinking about a mod for it in RC3.
This is what i'm missing at the moment, this would be very nice, i don't want to disable guest posting to prevent bots spamming the forum...

cheers,
Benson

Daniel Hofverberg

I would also very much like a mod for image verification on guest posting. In my humble opinion, that is far more important than on registration. While bots registering on forums is a reasonably small problem (at least in my experience), bots trying to post topics and replies is a huge problem, which makes it pretty much impossible to enable guest posting without CAPTCHA these days.

Bigguy

This does not work on mine using the default theme.

Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
Code (Register.template.php):

    if ($context['visual_verification'])
    {
        echo '
            function refreshImages()
            {';
        if ($context['use_graphic_library'])
            echo '
                document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
        else
            echo '
                document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
                document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
                document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
                document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
                document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
        echo '
            }';
    }

replace with

    if ($context['visual_verification'])
    {
        echo '
            function refreshImages()
            {
                // Make sure we are using a new rand code.
                var new_url = new String("', $context['verificiation_image_href'], '");
                new_url = new_url.substr(0, new_url.indexOf("rand=") + 5);

                // Quick and dirty way of converting decimal to hex
                var hexstr = "0123456789abcdef";
                for (var i = 0; i < 32; i++)
                    new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1);';

        if ($context['use_graphic_library'])
            echo '
                document.getElementById("verificiation_image").src = new_url;';
        else
            echo '
                document.getElementById("verificiation_image_1").src = new_url + ";letter=1";
                document.getElementById("verificiation_image_2").src = new_url + ";letter=2";
                document.getElementById("verificiation_image_3").src = new_url + ";letter=3";
                document.getElementById("verificiation_image_4").src = new_url + ";letter=4";
                document.getElementById("verificiation_image_5").src = new_url + ";letter=5";';
        echo '
            }';
    }
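As an added illustration (not code from the thread or from SMF), this is the cache-busting step of Thantos's refreshImages() fix written as plain JavaScript, with the href passed in as a string instead of being interpolated from $context['verificiation_image_href']. It also covers the case the original skips: an href with no "rand=" parameter, where indexOf() returns -1 and the substr() prefix would be cut short. The element IDs are SMF's own; the helper names and the example.invalid URL in the comments are assumptions.

```javascript
// The "rand=" value only forces the browser to fetch a fresh image instead
// of reusing the cached one; the real verification code stays server-side
// in the session, so Math.random() is adequate here.
const HEX = "0123456789abcdef";

// 32 random hex characters, mirroring the loop in the template fix.
function randomHexToken(length = 32) {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += HEX.charAt(Math.floor(Math.random() * 16));
  }
  return out;
}

// Replace the rand= value in href with token, keeping any parameters that
// follow it. If href carries no rand= at all, append one in SMF's
// ";key=value" style rather than producing a truncated URL.
function freshVerificationUrl(href, token = randomHexToken()) {
  if (href.indexOf("rand=") === -1) {
    const sep = href.includes("?") ? ";" : "?";
    return href + sep + "rand=" + token;
  }
  return href.replace(/(rand=)[^;&]*/, "$1" + token);
}

// The template's two branches: one image when the GD library is available,
// otherwise one image per letter with ";letter=N" appended to the same URL.
function verificationImageUrls(href, useGraphicLibrary, letters = 5,
                               token = randomHexToken()) {
  const base = freshVerificationUrl(href, token);
  if (useGraphicLibrary) return [base];
  const urls = [];
  for (let n = 1; n <= letters; n++) urls.push(base + ";letter=" + n);
  return urls;
}

// Apply the URLs to the page the way refreshImages() does; guarded so the
// helpers above can also be exercised outside a browser.
function refreshImages(href, useGraphicLibrary) {
  if (typeof document === "undefined") return;
  const urls = verificationImageUrls(href, useGraphicLibrary);
  if (useGraphicLibrary) {
    document.getElementById("verificiation_image").src = urls[0];
  } else {
    urls.forEach((u, i) => {
      document.getElementById("verificiation_image_" + (i + 1)).src = u;
    });
  }
}
```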



ediww

i will not discuss the existence of the module (it does work) - the captcha image created is only part of the problem, and i guess that it will be easier (and opensource way) to modify the mod to include the "harder" captcha. and, please note (other readers of this post which have not installed the mod) that the number of letters is adjustable.

i will talk about the "proofstrength" of the captchas. i completely don't agree with your statement "insecure by means of the image created". heavy words, but i don't agree. see below why.

this is one thing that i've heard too much of, but, suddenly, it turns out that 99.9% of the spammers do not possess and use such technology to spam. and the remaining .1 percent are quite not interested in smaller-than-yahoo sites:) because it is time consuming to launch such an attack, even if you have the reader ready.

as you experienced, sophisticated (read: almost human unreadable) captchas screw up not only the robots but also the regular users.

i do not have worldwide experience with a hundred own sites, maybe you do, but i don't feel the captcha needs to be even this hard, as you propose. it goes as measure and countermeasure - i do hardly believe that a small (<100000 users, mine is small) site is worth such a sophisticated attack. for a smaller (again, relatively, most of the sites are small from this point of view) site, it will be more efficient for the attacker to spam manually, instead of preparing the tool - even if it takes only changes to reflect the html generated from even slightly modified templates.

my conclusion is that simple, readable captchas are better in most cases. and the hard ones are worse, as you noticed criticizing SMF's built-in captcha.

but, hell, why do not have choice between levels of captcha? or random "sets" of different captcha "styles" - adding some "Tarpitting" (artificial delays between two tries), it will make it safe and EASY for the user.

let's not do it like the SMTP antispam - killing the "good-will" human users over some hypothetical threats. in fact, you did this work to alleviate SMF's captcha, and most of the comments i've seen in this thread were "this is good, cause it is more human readable".

i will be pretty happy if you contact the dev of the mod, and (both of you together or just you) finish it with such thoughts in mind - firstly, give the users (forum admins:) a choice from 2-3 different models with different "strength". or at least make it easily replaceable, for example, a mod for implementing and maintaining the security with captcha, and another one, which actually generates the captcha - then, you can replace the captcha with audio or math formulas.

edi
PS please, DON'T forget that every single human has different eye perception. what is "easy" for you can be very hard for a small or bigger group of your users.

Quote from: HarzeM on August 23, 2006, 10:19:35 AM
Quote from: ediww on August 23, 2006, 10:14:38 AM
there is already working captcha module,
covering both registration and guest posting, and i'm using it, it is good and pretty readable. right now i'm looking if i can disable the built-in in RC3 and adapt it from RC2 - i desperately need the guest posting captcha.

RC2 version of that mod is insecure by means of the image created. That image is very easily readable by robots. No perturbation, no modification of characters, similar fonts etc...

About guest posting... I'm thinking about a mod for it in RC3.
Beep-beep-beep. Beep-woop-woo. Beep-boop.

acculver

Quote from: navjotjsingh on August 22, 2006, 11:46:27 AM
Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
Code (Register.template.php):

    if ($context['visual_verification'])
    {
        echo '
            function refreshImages()
            {';
        if ($context['use_graphic_library'])
            echo '
                document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
        else
            echo '
                document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
                document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
                document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
                document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
                document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
        echo '
            }';
    }

replace with

    if ($context['visual_verification'])
    {
        echo '
            function refreshImages()
            {
                // Make sure we are using a new rand code.
                var new_url = new String("', $context['verificiation_image_href'], '");
                new_url = new_url.substr(0, new_url.indexOf("rand=") + 5);

                // Quick and dirty way of converting decimal to hex
                var hexstr = "0123456789abcdef";
                for (var i = 0; i < 32; i++)
                    new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1);';

        if ($context['use_graphic_library'])
            echo '
                document.getElementById("verificiation_image").src = new_url;';
        else
            echo '
                document.getElementById("verificiation_image_1").src = new_url + ";letter=1";
                document.getElementById("verificiation_image_2").src = new_url + ";letter=2";
                document.getElementById("verificiation_image_3").src = new_url + ";letter=3";
                document.getElementById("verificiation_image_4").src = new_url + ";letter=4";
                document.getElementById("verificiation_image_5").src = new_url + ";letter=5";';
        echo '
            }';
    }


It worked wonderfully for me also... earlier in FF 1.5.0.6 it did not work in my forum either!

I did the above and it gave me this:
function refreshImages() { // Make sure we are using a new rand code. var new_url = new String("hxxp:clergyaccess.iccec.org/index.php?action=verificationcode;rand=ff1e7ff6832c638da163d29c3a76d5ca [nonactive]"); new_url = new_url.substr(0, new_url.indexOf("rand=") + 5); // Quick and dirty way of converting decimal to hex var hexstr = "0123456789abcdef"; for(var i=0; i < 32; i++) new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1); document.getElementById("verificiation_image").src = new_url; }

Please Help

Harzem

ediww,

You are right, most spammers don't prepare such tools to attack small sites. But when a captcha system becomes widely used, then there exist tools for these. For example, a spammer doesn't try to create a captcha reader to attack a forum of 100 users. But if that forum is vBulletin, and there are available *spammer* tools that break vBulletin captchas, then this spammer doesn't need to create individual tools for different forums.

If only one programmer on the earth can create a tool to break a widely used captcha, say vBulletin or phpBB captcha, then any spammer can use it, either for small forums or large communities. Those guys like redistribution.

Thus, a captcha system should be designed such that (1) no single human can create a reader, OR, (2) no human should need to create one.

If a website uses a unique captcha system, this means a tool to break that captcha will only work for that website. So probably no one will try to create a reader; it would be more effort than it is worth. This is case (2).

But if a website uses a widely used captcha system, like the SMF captcha, then any tool to read it will result in spamming thousands of forums, each with only one thousand users. That's a total of a million users, so this tool deserves to be created.

So, we are left with option (1). This tool shouldn't exist, even if someone tried to make it. This is called a "hard to read by robots" captcha, which is my goal. SMF is widely used, probably a total of tens of millions of users (not admins, total members of SMF powered forums), so a good target for spamming. This is why such a reader tool can be created, and why we should use stronger captchas.

Let me show you some examples of mine. You know the captcha I've just designed for SMF above. I have two other systems.

http://www.turkproje.org/yazilim/index.php?action=register
This is stronger than the 1.1 RC2 captcha mod, because it has background perturbation. The RC2 captcha mod doesn't have background perturbation, even if it claims to. I've reported that already (here) but didn't get a response. The one I have in the turkproje.org forum registration has a better perturbation. It is almost fully secure, but still I'm not satisfied with it. (Though it is a unique captcha now, and won't get unique tool attacks.)

And I'm designing a better captcha, http://www.turkproje.org/proje/captcha/resim.php
This one doesn't have background perturbation (for decorative purposes, it looks cool 8)), so the characters should be modified. I've used a very strange technique to generate many different types of characters, some are empty in borders, some have double borders, etc... This is also a unique captcha, and won't get unique tools to decipher it. But I just like to be safe.

In short, SMF captcha will be widely used, thus can be a target for robot attacks. phpBB had a very poor captcha, and it was broken already. SMF shouldn't have such easy ones.



Leipe Po

How do they do it? As far as I know it's impossible to read the PHP code that creates the image. Of course the source can be downloaded and looked up, but then they can do that with your captcha (or whatever it's called)
and design a bot for that. What I was thinking: a much simpler method would be to create a sort of "password" or "seed", either admin chosen or done automatically, that will affect the way the pic is shown, like colors, fonts, which size (let it vary between 3 and 7 numbers/letters), so then you will have a system that would be tailor made for every single SMF installation.... Right, well I dunno much about GD, just my 2 cents
There is only one thing more important to me than coding:
My Girlfriend

Microsoft - "You've got questions.  We've got dancing paperclips."

ediww

harzem,

you didn't get it right, definitely

the problem to the attacker is not the captcha image itself, but the need to adapt the system to every forum it wants to attack. so, if the captcha is (relatively) weak, it can be done (let's say it is easy with some tool). BUT this does not remove the problem for the attacker on the small sites - they need to adapt to the particular site. doing so is time consuming, and if you, say, want to spam 100 small sites and want to spam 1 bigger one, it can (i'm guessing, but so are you about weakness) be more consuming to do 100s of modifications than one - so, on the smaller sites (and most of the smf based boards are relatively small) it is not wise to make a very complicated captcha. also, you're forgetting about something - the attacker should use a quite specifically installed machine with quite a few CPUs to do image recognition. really, i do think that all the fluff about "it can be done" is and will stay for quite a time just not applicable in the "real world", so why'd we need to make our REAL users unhappy?

btw, there are quite many serious works about it, and the background is not the primary method of making captcha computer-nonreadable. playing with fonts is far more efficient and does not bother the user too much.

but again, it comes only to the generated image. what i'm saying, there are quite a few standard ready-made captcha scripts, and even a working mod (although far from perfect) - so, why not:

1) get the mod and extend it to support more "image generators";

2) leave the admin to choose which is better for him - simpler images and happy users (+great but right now imaginary risks) or an overburdened image which causes pain in the azz for the user to read. yes, it is important if you will support captcha for guest posting. if the user is determined to use right and only your forum, the complexity does not matter, but if the user 2-3 times does not guess what to type in, they can be effectively disappointed and will not use your forum.

there are a few more ideas for you, if we're about to speak of the mod, not of the image complexity: i think that adding "tarpitting", some smart auto-ban and mixing methods can be disastrous for the intruder.

edi
PS was your captcha applauded for being more readable than SMF's?:) right now you're advocating complexity :) just joking.
PS2 no, i don't think that captcha is the ultimate solution; furthermore - if we overburden the images it will become similar to the anti-spam methods related to SMTP.
Beep-beep-beep. Beep-woop-woo. Beep-boop.

Harzem

Quote from: ediww on August 24, 2006, 07:42:59 AM
harzem,

you didn't get it right, definitely

the problem to the attacker is not the captcha image itself, but the need to adapt the system to every forum it wants to attack. so, if the captcha is (relatively) weak, it can be done (let's say it is easy with some tool). BUT this does not remove the problem for the attacker on the small sites - they need to adapt to the particular site. doing so is time consuming, and if you, say, want to spam 100 small sites and want to spam 1 bigger one, it can (i'm guessing, but so are you about weakness) be more consuming to do 100s of modifications than one - so, on the smaller sites (and most of the smf based boards are relatively small) it is not wise to make a very complicated captcha.

No, you didn't get me :)
There is no need for 100 modifications or 100 different scripts for 100 different sites. If they are using the same captcha system, they are all broken with the one tool. And if they are all SMF, they do share the same system. So, one single tool for all SMF sites in the world. This is why the captcha should be strong.

And, making it human readable and making it robot readable are different things. Something can be easy to be read by human, but impossible for a robot. Or it can be both impossible (as SMF's default captcha!), or it can be both possible. So, I'm advocating complexity AND human-readability :) We can have complex images and happy users at the same time. The captcha I've posted at the previous page is easily readable by humans (happy users) and still complex for robots.

I agree with the rest of your post. :)
