[Owasp-leaders] Good Code Advice Requested
Eoin
eoin.keary at owasp.org
Tue Dec 11 09:05:44 UTC 2012
+1
Eoin Keary
Owasp Global Board
+353 87 977 2988
On 9 Dec 2012, at 20:31, Jim Manico <jim.manico at owasp.org> wrote:
> One other note, CAPTCHA is not a security control - it's just a cost barrier. Threat agents can easily leverage "mechanical Turk" services where underneath the hood of malware or other attacks is a large team of people resolving CAPTCHAs by hand all day. There is no way to defeat this.
>
> Also, some CAPTCHA systems, even audio, are vulnerable to automated resolution.
>
> Now, a lot of folks use it; it IS a cost barrier for attackers.
>
> But please never use CAPTCHA for things like access control, authentication or other more robust security controls in code.
>
> Fair?
>
> Regards,
> Jim Manico
> OWASP Volunteer
> @Manicode
>
>> Hi Petr, it sounds very interesting, but I'm not sure what the
>> sub-project is or what type of feedback you are requesting. Is it
>> going to be an open-source tool project? It appears that it's being
>> offered as a service right now. Also, I'm not sure how this is
>> implemented. The three examples you have on your website show how
>> Good Code can be implemented with a CAPTCHA, but it's not clear how the
>> process works or if Good Code provides both the CAPTCHA and the Email
>> Service, or only the Email Service allowing people to use any CAPTCHA
>> they want. Could you provide a more detailed explanation of what Good
>> Code does?
>>
>> Also, one other technical point. Words and audio in CAPTCHAs are not
>> "encrypted". It would be more correct to say they are "distorted".
>>
>> Justin Searle
>> Managing Partner - UtiliSec
>> 801-784-2052
>>
>>
>> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
>> <samantha.groves at owasp.org> wrote:
>>> Hello Leaders,
>>>
>>> This e-mail is from Petr Zavodsky from the OWASP Czech Republic. See below:
>>>
>>>
>>> -------------------
>>> Hi Leaders,
>>>
>>> New subproject "Dobry kod" (in English: "Good Code" :)), a follow-up part of
>>> the OWASP Web Application Security Accessibility Project:
>>>
>>> http://www.dobrykod.cz/en/
>>>
>>> Users with sight impairment, dyslexia, and other similar conditions may
>>> experience difficulties with reading the encrypted characters in the picture
>>> of a CAPTCHA code.
>>>
>>> For this reason, picture-based security tests can be supplemented with an audio
>>> version, where the sound is distorted to prevent unwanted bots from
>>> accessing the information. Unfortunately, safely encrypted audio recordings
>>> are less discernible or almost indiscernible even for users with perfect
>>> hearing. Further difficulties can arise due to the different phonetic systems of
>>> the user's language and the language of the recording.
>>>
>>> Please, send me your questions, objections etc.
>>>
>>> Thanks,
>>>
>>> Petr Zavodsky
>>>
>>> OWASP Czech Republic
>>> -------------------
>>>
>>> --
>>>
>>> Samantha Groves, MBA
>>>
>>> OWASP Project Manager
>>>
>>>
>>> The OWASP Foundation
>>>
>>> London, United Kingdom
>>>
>>> Email: samantha.groves at owasp.org
>>>
>>> Skype: samanthahz
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>