[B2evo-captcha-developers] [Fwd: Re: plugins captcha : enforcing b2evo captcha]

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

message #5

-------- Original Message --------
Subject: 	Re: plugins captcha : enforcing b2evo captcha
Date: 	Sat, 16 Aug 2008 20:51:43 -0700
From: 	Paul Lesniewski <pa...@sq...>
To: 	Ben Franske <be...@fr...>, squ...@de...
References: 	<501...@we...>
<581...@ma...>
<486...@fr...>
<581...@ma...>
<581...@ma...>
<48A...@fr...>

Ben,

OK, then in the meantime, I think I will implement Guillaume's
solution in my downstream release in the near future.

Thanks and good luck with your PHD!

Cheers,

  Paul

On Sat, Aug 16, 2008 at 8:24 PM, Ben Franske <be...@fr...> wrote:
> Paul,
>   I'm sorry to say that I do not have this done yet. I had to put it on the
> back burner to work on some papers for my PhD work over the summer.
> Hopefully I'll have a bit of time to work on it once things settle down in
> September.
>
> -Ben
>
> Paul Lesniewski wrote:
>>
>> Ben,
>>
>>  Do you have a new release ready yet?  I have a new release of my
>> SquirrelMail plugin ready to go, and would love to include this fix
>> therein.
>>
>> Cheers,
>>
>>  Paul
>>
>>
>> On Thu, Jul 3, 2008 at 12:52 PM, Paul Lesniewski <pa...@sq...>
>> wrote:
>>
>>>
>>> (Don't forget to Cc: to Guillaume)
>>>
>>>
>>>>>
>>>>> Indeed it is.  I assume associating the key with the image name is
>>>>> nice for image caching, but it could have been foregone in the first
>>>>> place for a more secure solution.
>>>>>
>>>>
>>>> Paul, Do you have a specific suggestion? I'd be happy to look at an
>>>> alternative if you have an idea for a more secure solution. The goal
>>>> with
>>>> this class was to keep it as simple as possible and easily implementable
>>>> in
>>>> other projects so that is one factor to consider. I'll take another look
>>>> at
>>>> this if I have time but if not I'll probably just go with the proposed
>>>> solution where a secret was added into the hash.
>>>>
>>>
>>> The implied suggestion was that if security is the paramount concern,
>>> then caching images could be eliminated.  Most servers have enough CPU
>>> cycles that this isn't a problem, although it means browsers can't
>>> cache the images themselves.  You could see that in itself as a
>>> possible security issue too, so maybe not caching them is a good thing
>>> all around.
>>>
>>> However, adding a configurable secret key is probably going to be near
>>> impossible to break, which allows you to keep the caching
>>> functionality.  The only caveat is that this assumes the implementor
>>> pays attention and actually changes the secret key.  You could put
>>> something in the code so that it does not work until they have created
>>> their own secret key.
>>>
>>>
>>>>>
>>>>> I can implement your solution in my downstream copy of b2evo in the
>>>>> SquirrelMail CAPTCHA plugin, but I'd rather see it come from b2evo, if
>>>>> it's still being maintained.....?
>>>>>
>>>>
>>>>  I'm happy to do some maintenance on this when someone brings something
>>>> to
>>>> my attention (particularly if they include fixes) but don't do any
>>>> active
>>>> development of new features. I've got a few other things to do today but
>>>> I'm
>>>> going to try and take a look at this a bit at the end of the day and
>>>> make
>>>> some fixes based on this as well as some other feedback I've saved up.
>>>> If
>>>> all goes well I'll probably release a new version sometime in the next
>>>> week.
>>>> If you have any other suggestions for improvement I'd be happy to take a
>>>> look at them and include them (again, particularly if code is included).
>>>>
>>>
>>> Thanks.  Please let me know so I can include it in a new release of
>>> the SquirrelMail CAPTCHA plugin!
>>>
>>> Cheers,
>>>
>>>  Paul
>>>
>>>
>