[Owasp-leaders] Good Code Advice Requested

Jim Manico jim.manico at owasp.org
Sun Dec 9 20:31:59 UTC 2012


One other note, CAPTCHA is not a security control - it's just a cost 
barrier. Threat agents can easily leverage "mechanical Turk" services 
where underneath the hood of malware or other attacks is a large team of 
people resolving CAPTCHAs by hand all day. There is no way to defeat this.

Also, some CAPTCHA systems, even audio, are vulnerable to automated 
resolution.

Now, a lot of folks use it; it IS a cost barrier for attackers.

But please never use CAPTCHA for things like access control, 
authentication or other more robust security controls in code.

Fair?

Regards,
Jim Manico
OWASP Volunteer
@Manicode

> Hi Petr, it sounds very interesting, but I'm not sure what the
> sub-project is or what type of feedback you are requesting.  It is
> going to be an open-source tool project?  It appears that it's being
> offered as a service right now.  Also, I'm not sure how this is
> implemented.  The three examples you have on your website show how
> Good Code can be implemented with a CAPTCHA, but it's not clear how the
> process works or if Good Code provides both the CAPTCHA and the Email
> Service, or only the Email Service allowing people to use any CAPTCHA
> they want.  Could you provide a more detailed explanation of what Good
> Code does?
>
> Also, one other technical point.  Words and audio in CAPTCHAs are not
> "encrypted".  It would be more correct to say they are "distorted".
> Justin Searle
> Managing Partner - UtiliSec
> 801-784-2052
>
>
> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
> <samantha.groves at owasp.org> wrote:
>> Hello Leaders,
>>
>> This e-mail is from Petr Zavodsky from the OWASP Czech Republic. See below:
>>
>>
>> -------------------
>> Hi Leaders,
>>
>> New subproject "Dobry kod" (in English: "Good Code" :)) (a follow-up part of
>> OWASP Web Application Security Accessibility Project):
>>
>> http://www.dobrykod.cz/en/
>>
>> Users with sight impairment, dyslexia, and other similar conditions may
>> experience difficulties with reading the encrypted characters in the picture
>> of a CAPTCHA code.
>>
>> For this reason picture-based security tests can be supplemented with audio
>> version, where the sound is distorted to prevent unwanted bots from
>> accessing the information. Unfortunately, safely encrypted audio recordings
>> are less discernible or almost indiscernible even for users with perfect
>> hearing. Further difficulties can arise due to different phonetic systems of
>> the user's language and the language of the recording.
>>
>> Please, send me your questions, objections etc.
>>
>> Thanks,
>>
>> Petr Zavodsky
>>
>> OWASP Czech Republic
>> -------------------
>>
>> --
>> Samantha Groves, MBA
>> OWASP Project Manager
>> The OWASP Foundation
>> London, United Kingdom
>> Email: samantha.groves at owasp.org
>> Skype: samanthahz
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
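An added example, not code from this thread or from the Good Code project, to make Jim's point concrete: a CAPTCHA is only a per-attempt cost, so the control that actually stops a password-guessing attacker is authentication plus an account lockout that applies whether or not the CAPTCHA was solved. The in-memory stores, the user "alice", the lockout threshold and window, the `solver_farm_attack` helper (which stands in for a human solver service by always supplying the right answer) and the `captcha_gated_download` anti-pattern are all my own assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict


class CaptchaService:
    """Issues single-use challenges. A solved challenge proves only that
    something spent effort on it; it identifies nobody."""

    def __init__(self):
        self._open = {}  # challenge_id -> expected answer

    def issue(self):
        challenge_id = secrets.token_urlsafe(8)
        answer = secrets.token_hex(3)  # stands in for the distorted text/audio
        self._open[challenge_id] = answer
        # The answer is returned only so the demo can play the "solver farm".
        return challenge_id, answer

    def verify(self, challenge_id, answer):
        expected = self._open.pop(challenge_id, None)  # single use: a replay fails
        return expected is not None and hmac.compare_digest(expected, answer)


class LoginService:
    """Authentication is the control; the CAPTCHA only raises the cost of an
    attempt. Lockout is evaluated before the CAPTCHA, so a farm that solves
    every challenge still gets at most MAX_FAILURES guesses per window."""

    MAX_FAILURES = 5      # assumed policy values for the example
    WINDOW_SECONDS = 900

    def __init__(self, captcha):
        self.captcha = captcha
        self._users = {}                     # username -> (salt, pbkdf2 hash)
        self._failures = defaultdict(list)   # username -> failure timestamps

    @staticmethod
    def _pbkdf2(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._pbkdf2(password, salt))

    def _locked(self, username, now):
        recent = [t for t in self._failures[username] if now - t < self.WINDOW_SECONDS]
        self._failures[username] = recent
        return len(recent) >= self.MAX_FAILURES

    def login(self, username, password, challenge_id, answer, now=None):
        now = time.time() if now is None else now
        if self._locked(username, now):
            return "locked"                  # independent of any CAPTCHA result
        if not self.captcha.verify(challenge_id, answer):
            return "captcha_failed"          # cost barrier, nothing more
        record = self._users.get(username)
        if record is None:
            self._failures[username].append(now)
            return "denied"
        salt, stored = record
        if not hmac.compare_digest(stored, self._pbkdf2(password, salt)):
            self._failures[username].append(now)
            return "denied"
        return "ok"                          # the secret, not the CAPTCHA, decided


def captcha_gated_download(captcha, challenge_id, answer):
    """ANTI-PATTERN: a solved CAPTCHA used as access control. Anyone, or any
    solver farm, who passes the challenge gets the resource; no identity or
    secret is ever checked. The file name is a constructed placeholder."""
    if captcha.verify(challenge_id, answer):
        return "secret-report.pdf"
    return None


def solver_farm_attack(service, captcha, username, guesses, now=0.0):
    """Simulates a 'mechanical Turk' farm: every CAPTCHA is solved correctly
    and each password guess arrives with a fresh, valid challenge."""
    outcomes = []
    for guess in guesses:
        cid, ans = captcha.issue()
        outcomes.append(service.login(username, guess, cid, ans, now=now))
    return outcomes


if __name__ == "__main__":
    captcha = CaptchaService()
    svc = LoginService(captcha)
    svc.register("alice", "correct horse battery staple")  # constructed credentials
    print(solver_farm_attack(svc, captcha, "alice", [f"guess{i}" for i in range(7)]))
```

The farm's perfect CAPTCHA solving buys it exactly MAX_FAILURES guesses before "locked" appears, which is the same budget a human at the keyboard would get; the CAPTCHA changed the price per guess, not the number of guesses. The anti-pattern function shows the failure mode Jim warns about: once a CAPTCHA is the only thing between the attacker and the resource, paying someone to solve it is the whole attack.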
