[Owasp-leaders] Good Code Advice Requested

Petr Závodský petr.zavodsky at gmail.com
Fri Dec 28 11:24:02 UTC 2012


I agree but:
CAPTCHA = „completely automated public Turing test to tell computers and
humans apart“ or CAPTCHA = "CAPTure CHAracters"?
CAPTCHA reduces some risks (likelihood).

Petr

2012/12/9 Jim Manico <jim.manico at owasp.org>

> One other note, CAPTCHA is not a security control - it's just a cost
> barrier. Threat agents can easily leverage "mechanical Turk" services where
> underneath the hood of malware or other attacks is a large team of people
> resolving CAPTCHA's by hand all day. There is no way to defeat this.
>
> Also, some CAPTCHA systems, even audio, are vulnerable to automated
> resolution.
>
> Now a lot of folks use it, it IS a cost barrier for attackers.
>
> But please never use CAPTCHA for things like access control,
> authentication or other more robust security controls in code.
>
> Fair?
>
> Regards,
> Jim Manico
> OWASP Volunteer
> @Manicode
>
>
>> Hi Petr, it sounds very interesting, but I'm not sure what the
>> sub-project is or what type of feedback you are requesting.  It is
>> going to be an opensource tool project?  It appears that it's being
>> offered as a service right now.  Also, I'm not sure how this is
>> implemented.  The three examples you have on your website show how
>> Good Code can be implemented with a CAPTCHA, but it's not clear how the
>> process works or if Good Code provides both the CAPTCHA and the Email
>> Service, or only the Email Service allowing people to use any CAPTCHA
>> they want.  Could you provide a more detailed explanation of what Good
>> Code does?
>>
>> Also, one other technical point.  Words and audio in CAPTCHAs are not
>> "encrypted".  It would be more correct to say they are "distorted".
>> Justin Searle
>> Managing Partner - UtiliSec
>> 801-784-2052
>>
>>
>> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
>> <samantha.groves at owasp.org> wrote:
>>
>>> Hello Leaders,
>>>
>>> This e-mail is from Petr Zavodsky from the OWASP Czech Republic. See
>>> below:
>>>
>>>
>>> -------------------
>>> Hi Leaders,
>>>
>>> New subproject "Dobry kod" (in English: "Good Code" :)) (a follow-up part
>>> of the OWASP Web Application Security Accessibility Project):
>>>
>>> http://www.dobrykod.cz/en/
>>>
>>> Users with sight impairment, dyslexia, and other similar conditions may
>>> experience difficulties with reading the encrypted characters in the
>>> picture of a CAPTCHA code.
>>>
>>> For this reason picture-based security tests can be supplemented with an
>>> audio version, where the sound is distorted to prevent unwanted bots from
>>> accessing the information. Unfortunately, safely encrypted audio
>>> recordings are less discernible or almost indiscernible even for users
>>> with perfect hearing. Further difficulties can arise due to different
>>> phonetic systems of the user's language and the language of the recording.
>>>
>>> Please, send me your questions, objections etc.
>>>
>>> Thanks,
>>>
>>> Petr Zavodsky
>>>
>>> OWASP Czech Republic
>>> -------------------
>>>
>>> --
>>>
>>> Samantha Groves, MBA
>>>
>>> OWASP Project Manager
>>>
>>>
>>> The OWASP Foundation
>>>
>>> London, United Kingdom
>>>
>>> Email: samantha.groves at owasp.org
>>>
>>> Skype: samanthahz
>>>
>>>
>>> Book a Meeting with Me
>>>
>>> OWASP Contact US Form
>>>
>>> New Project Application Form
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>
>