[Owasp-leaders] Good Code Advice Requested

Petr Závodský petr.zavodsky at owasp.org
Fri Dec 28 10:54:26 UTC 2012


Hi Justin,
thank you for your response. My answers:

Hi Petr, it sounds very interesting, but I'm not sure what the
sub-project is or what type of feedback you are requesting.  Is it
going to be an open-source tool project?

 P.Z.: Yes, a free and open tool project (open source; only the CAPTCHA
implementation).

It appears that it's being offered as a service right now.  Also, I'm not
sure how this is implemented.

 P.Z.: No. The "Dobry kod" service is currently available only in testing
mode (in development).

The three examples you have on your website show how
Good Code can be implemented with a CAPTCHA, but it's not clear how the
process works or if Good Code provides both the CAPTCHA and the Email
Service, or only the Email Service allowing people to use any CAPTCHA
they want. Could you provide a more detailed explanation of what Good
Code does?

 P.Z.: In future I will develop only one version (after consulting
my visually impaired friends):
 - the user registers and is validated at the "Dobry kod" service

 - the web page uses the Dobry kod service; a form with CAPTCHA for testing:
testform.dobrykod.cz
 -- implementation: I will publish it in January 2013, but for now (for example,
with PHP):

<?php
// captcha.php stored the CAPTCHA answer in the session; the session has to
// be started before $_SESSION can be read.
session_start();
$sensitiveData = $_SESSION['captcha'];

// Encrypt the answer with the "Dobry kod" public key; only the service
// holds the matching private key.
$pubKey = openssl_pkey_get_public('file://publickey.crt');
if ($pubKey === false) {
  die('Cannot load publickey.crt');
}
openssl_public_encrypt($sensitiveData, $encryptedData, $pubKey);

// URL-safe base64 (RFC 4648) without '=' padding, so the value fits in a query string.
function base64url_encode($data) {
  return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
?>

<img src="captcha.php" id="captcha" /><br/>
<?php
echo "<a href=\"http://dobrykod.cz/access-controlled.php?id=" . base64url_encode($encryptedData) . "\""
   . " target=\"_blank\" title=\"DobryKod - new window\""
   . " id=\"dobrykod\">DobryKod</a>";
?>

 Plus validation of the CAPTCHA (if, elseif, switch ...). publickey.crt (the
public key only) will be available for free download at dobrykod.cz. The private
key will stay only on the "Dobry kod" side.


Also, one other technical point.  Words and audio in CAPTCHAs are not
"encrypted".  It would be more correct to say they are "distorted".

 P.Z.: Thank you, I have corrected it.

---

In January 2013 I will:
- implement HTTPS
- test image CAPTCHA examples with "Dobry kod" for PHP and Python
- test public key


Petr
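The exchange Petr describes above, with both sides shown (the web page encrypts the session's CAPTCHA answer under the service public key and puts the base64url form into the link's id; the "Dobry kod" side decrypts it with the private key only it holds), as an added example in Go that is not part of the original message or of the Dobry kod project. It assumes a key pair generated on the fly in place of publickey.crt and uses a constructed CAPTCHA answer.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
)

// MakeLinkID is the web-page side: the CAPTCHA answer from the session is
// encrypted under the service's public key and encoded like the PHP
// base64url_encode (URL-safe alphabet, no '=' padding). PKCS#1 v1.5 is the
// default of PHP's openssl_public_encrypt; rsa.EncryptOAEP is preferable.
func MakeLinkID(pub *rsa.PublicKey, captchaAnswer string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(captchaAnswer))
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// RecoverAnswer is the "Dobry kod" side: decode the id parameter and decrypt
// it with the private key; a malformed or tampered id is rejected.
func RecoverAnswer(priv *rsa.PrivateKey, id string) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(id)
	if err != nil {
		return "", fmt.Errorf("id is not base64url: %w", err)
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", errors.New("id does not decrypt under the service key")
	}
	return string(pt), nil
}

func main() {
	// Assumed: a fresh key pair stands in for publickey.crt and the service's
	// private key; the CAPTCHA answer "7kq3d" is a constructed sample.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	id, _ := MakeLinkID(&priv.PublicKey, "7kq3d")
	fmt.Println("http://dobrykod.cz/access-controlled.php?id=" + id)
	fmt.Println(RecoverAnswer(priv, id))
}
```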

On Thu, Dec 6, 2012 at 9:15 PM, Justin Searle <justin.searle at owasp.org> wrote:

> Hi Petr, it sounds very interesting, but I'm not sure what the
> sub-project is or what type of feedback you are requesting.  Is it
> going to be an open-source tool project?  It appears that it's being
> offered as a service right now.  Also, I'm not sure how this is
> implemented.  The three examples you have on your website show how
> Good Code can be implemented with a CAPTCHA, but it's not clear how the
> process works or if Good Code provides both the CAPTCHA and the Email
> Service, or only the Email Service allowing people to use any CAPTCHA
> they want.  Could you provide a more detailed explanation of what Good
> Code does?
>
> Also, one other technical point.  Words and audio in CAPTCHAs are not
> "encrypted".  It would be more correct to say they are "distorted".
>
> Justin Searle
> Managing Partner - UtiliSec
> 801-784-2052
>
>
> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
> <samantha.groves at owasp.org> wrote:
> > Hello Leaders,
> >
> > This e-mail is from Petr Zavodsky from the OWASP Czech Republic. See
> > below:
> >
> >
> > -------------------
> > Hi Leaders,
> >
> > New subproject "Dobry kod" (in English: "Good Code" :)) (a follow-up part
> > of the OWASP Web Application Security Accessibility Project):
> >
> > http://www.dobrykod.cz/en/
> >
> > Users with sight impairment, dyslexia, and other similar conditions may
> > experience difficulties with reading the encrypted characters in the
> > picture of a CAPTCHA code.
> >
> > For this reason picture-based security tests can be supplemented with an
> > audio version, where the sound is distorted to prevent unwanted bots from
> > accessing the information. Unfortunately, safely encrypted audio
> > recordings are less discernible or almost indiscernible even for users
> > with perfect hearing. Further difficulties can arise due to different
> > phonetic systems of the user's language and the language of the recording.
> >
> > Please, send me your questions, objections etc.
> >
> > Thanks,
> >
> > Petr Zavodsky
> >
> > OWASP Czech Republic
> > -------------------
> >
> > --
> > Samantha Groves, MBA
> > OWASP Project Manager
> > The OWASP Foundation
> > London, United Kingdom
> > Email: samantha.groves at owasp.org
> > Skype: samanthahz
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders