[Owasp-leaders] Good Code Advice Requested

Eoin eoin.keary at owasp.org
Tue Dec 11 09:05:44 UTC 2012


+1

Eoin Keary
OWASP Global Board
+353 87 977 2988


On 9 Dec 2012, at 20:31, Jim Manico <jim.manico at owasp.org> wrote:

> One other note, CAPTCHA is not a security control - it's just a cost barrier. Threat agents can easily leverage "mechanical Turk" services where, underneath the hood of malware or other attacks, there is a large team of people resolving CAPTCHAs by hand all day. There is no way to defeat this.
> 
> Also, some CAPTCHA systems, even audio, are vulnerable to automated resolution.
> 
> Now, a lot of folks use it; it IS a cost barrier for attackers.
> 
> But please never use CAPTCHA for things like access control, authentication or other more robust security controls in code.
> 
> Fair?
> 
> Regards,
> Jim Manico
> OWASP Volunteer
> @Manicode
> 
>> Hi Petr, it sounds very interesting, but I'm not sure what the
>> sub-project is or what type of feedback you are requesting.  Is it
>> going to be an open-source tool project?  It appears that it's being
>> offered as a service right now.  Also, I'm not sure how this is
>> implemented.  The three examples you have on your website show how
>> Good Code can be implemented with a CAPTCHA, but it's not clear how the
>> process works or if Good Code provides both the CAPTCHA and the Email
>> Service, or only the Email Service allowing people to use any CAPTCHA
>> they want.  Could you provide a more detailed explanation of what Good
>> Code does?
>> 
>> Also, one other technical point.  Words and audio in CAPTCHAs are not
>> "encrypted".  It would be more correct to say they are "distorted".
>> 
>> Justin Searle
>> Managing Partner - UtiliSec
>> 801-784-2052
>> 
>> 
>> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
>> <samantha.groves at owasp.org> wrote:
>>> Hello Leaders,
>>> 
>>> This e-mail is from Petr Zavodsky from the OWASP Czech Republic. See below:
>>> 
>>> 
>>> -------------------
>>> Hi Leaders,
>>> 
>>> New subproject "Dobry kod" (in English: "Good Code" :)) (a follow-up part of
>>> the OWASP Web Application Security Accessibility Project):
>>> 
>>> http://www.dobrykod.cz/en/
>>> 
>>> Users with sight impairment, dyslexia, and other similar conditions may
>>> experience difficulties with reading the encrypted characters in the picture
>>> of a CAPTCHA code.
>>> 
>>> For this reason picture-based security tests can be supplemented with an audio
>>> version, where the sound is distorted to prevent unwanted bots from
>>> accessing the information. Unfortunately, safely encrypted audio recordings
>>> are less discernible or almost indiscernible even for users with perfect
>>> hearing. Further difficulties can arise due to different phonetic systems of
>>> the user's language and the language of the recording.
>>> 
>>> Please, send me your questions, objections etc.
>>> 
>>> Thanks,
>>> 
>>> Petr Zavodsky
>>> 
>>> OWASP Czech Republic
>>> -------------------
>>> 
>>> --
>>> 
>>> Samantha Groves, MBA
>>> 
>>> OWASP Project Manager
>>> 
>>> 
>>> The OWASP Foundation
>>> 
>>> London, United Kingdom
>>> 
>>> Email: samantha.groves at owasp.org
>>> 
>>> Skype: samanthahz
>>> 
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
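As an added defensive illustration of Jim's point above (example code written for this page, not code from the thread or from the Good Code project): a constructed Python login guard in which the CAPTCHA only throttles automated guessing, while the authentication decision and a per-account lockout hold even when every CAPTCHA is solved, as a human solving farm would do. The user table, salt, clock values and `simulate_solving_farm` scenario are constructed sample data.

```python
import hashlib
import hmac

MAX_FAILURES = 5        # bad passwords before the account is locked
LOCKOUT_SECONDS = 900   # lockout window (15 minutes)


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the sample has a real credential check.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginGuard:
    def __init__(self, users, captcha_ok, clock):
        self.users = users            # {username: (salt, derived_key)}, constructed
        self.captcha_ok = captcha_ok  # callable: True if the challenge was solved
        self.clock = clock            # callable returning seconds (injectable for tests)
        self.failures = {}            # username -> (count, locked_until)

    def login(self, username: str, password: str, captcha_answer: str) -> str:
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"           # holds no matter how many CAPTCHAs are solved
        if locked_until and now >= locked_until:
            count = 0                 # window expired: start counting again
        # The CAPTCHA only raises the cost of automated guessing; it never
        # grants access and never bypasses the lockout above.
        if not self.captcha_ok(captcha_answer):
            return "captcha_failed"
        record = self.users.get(username)
        if record is None:
            derive(password, b"\x00" * 16)   # equalise timing for unknown users
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(derive(password, salt), stored)
        if ok:
            self.failures.pop(username, None)
            return "authenticated"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return "bad_credentials"


def simulate_solving_farm() -> list:
    # Attacker whose CAPTCHA oracle always succeeds still hits the lockout.
    salt = b"constructed-salt"
    users = {"alice": (salt, derive("correct horse", salt))}
    guard = LoginGuard(users, captcha_ok=lambda _: True, clock=lambda: 1000.0)
    outcomes = [guard.login("alice", f"guess{i}", "solved") for i in range(6)]
    outcomes.append(guard.login("alice", "correct horse", "solved"))
    return outcomes
```

The last call in `simulate_solving_farm` is the correct password with a solved CAPTCHA and is still refused, because the lockout, not the CAPTCHA, is the control.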
