[B2evo-captcha-developers] [Fwd: Re: plugins captcha : enforcing b2evo captcha]
From: Ben F. <ben...@fr...> - 2009-08-11 19:48:41
-------- Original Message --------
Subject: Re: plugins captcha : enforcing b2evo captcha
Date: Sat, 16 Aug 2008 20:51:43 -0700
From: Paul Lesniewski <pa...@sq...>
To: Ben Franske <be...@fr...>, squ...@de...
References: <501...@we...> <581...@ma...> <486...@fr...> <581...@ma...> <581...@ma...> <48A...@fr...>

Ben,

OK, then in the meantime, I think I will implement Guillaume's solution in my downstream release in the near future. Thanks and good luck with your PhD!

Cheers,

Paul

On Sat, Aug 16, 2008 at 8:24 PM, Ben Franske <be...@fr...> wrote:
> Paul,
>
> I'm sorry to say that I do not have this done yet. I had to put it on the back burner to work on some papers for my PhD work over the summer. Hopefully I'll have a bit of time to work on it once things settle down in September.
>
> -Ben
>
> Paul Lesniewski wrote:
>>
>> Ben,
>>
>> Do you have a new release ready yet? I have a new release of my SquirrelMail plugin ready to go, and would love to include this fix therein.
>>
>> Cheers,
>>
>> Paul
>>
>> On Thu, Jul 3, 2008 at 12:52 PM, Paul Lesniewski <pa...@sq...> wrote:
>>>
>>> (Don't forget to Cc: to Guillaume)
>>>
>>>>>
>>>>> Indeed it is. I assume associating the key with the image name is nice for image caching, but it could have been foregone in the first place for a more secure solution.
>>>>>
>>>>
>>>> Paul, do you have a specific suggestion? I'd be happy to look at an alternative if you have an idea for a more secure solution. The goal with this class was to keep it as simple as possible and easily implementable in other projects, so that is one factor to consider. I'll take another look at this if I have time, but if not I'll probably just go with the proposed solution where a secret was added into the hash.
>>>>
>>>
>>> The implied suggestion was that if security is the paramount concern, then caching images could be eliminated. Most servers have enough CPU cycles that this isn't a problem, although it means browsers can't cache the images themselves. You could see that in itself as a possible security issue too, so maybe not caching them is a good thing all around.
>>>
>>> However, adding a configurable secret key is probably going to be near impossible to break, which allows you to keep the caching functionality. The only caveat is that this assumes the implementor pays attention and actually changes the secret key. You could put something in the code so that it does not work until they have created their own secret key.
>>>
>>>>>
>>>>> I can implement your solution in my downstream copy of b2evo in the SquirrelMail CAPTCHA plugin, but I'd rather see it come from b2evo, if it's still being maintained.....?
>>>>>
>>>>
>>>> I'm happy to do some maintenance on this when someone brings something to my attention (particularly if they include fixes) but don't do any active development of new features. I've got a few other things to do today but I'm going to try and take a look at this a bit at the end of the day and make some fixes based on this as well as some other feedback I've saved up. If all goes well I'll probably release a new version sometime in the next week. If you have any other suggestions for improvement I'd be happy to take a look at them and include them (again, particularly if code is included).
>>>>
>>>
>>> Thanks. Please let me know so I can include it in a new release of the SquirrelMail CAPTCHA plugin!
>>>
>>> Cheers,
>>>
>>> Paul
>>>
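The keyed-hash scheme discussed in the thread above, as an added example that is neither the b2evo captcha class's code nor the SquirrelMail plugin's: the cached image name is an HMAC of the answer under a per-installation secret, and the functions refuse to run until the shipped placeholder secret has been replaced. The function names, the placeholder marker and the demonstration secret are assumptions of this example, not values from either project.

```php
<?php
// Added example, not the b2evo captcha class. Assumption: the implementor sets
// a secret in configuration; CAPTCHA_SECRET_DEFAULT is the shipped placeholder.
const CAPTCHA_SECRET_DEFAULT = 'CHANGE-ME';

// Refuse to operate until the shipped default has been replaced, as the thread
// suggests, so a forgotten secret cannot silently weaken the scheme.
function captcha_check_secret(string $secret): void
{
    if ($secret === CAPTCHA_SECRET_DEFAULT || strlen($secret) < 16) {
        throw new RuntimeException(
            'CAPTCHA secret not configured: set a unique secret of at least 16 characters'
        );
    }
}

// Random challenge text; the alphabet omits 0/O and 1/I so humans can read it.
function captcha_new_code(int $len = 6): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// The image name is an HMAC of the code under the secret. An unkeyed hash of
// the code could be precomputed for every possible code and turned into a
// lookup from image name back to the answer; an HMAC cannot be computed
// without the secret, so the cached name reveals nothing about the answer
// and image caching can stay enabled.
function captcha_image_name(string $code, string $secret): string
{
    captcha_check_secret($secret);
    return hash_hmac('sha256', strtoupper($code), $secret) . '.png';
}

// Verify the submitted answer against the image name the form carried back.
// hash_equals compares in constant time.
function captcha_verify(string $answer, string $imageName, string $secret): bool
{
    captcha_check_secret($secret);
    return hash_equals(captcha_image_name($answer, $secret), $imageName);
}

// Demonstration with a constructed secret; a real deployment reads its own.
$secret = 'example-secret-0123456789abcdef';
$code   = captcha_new_code();
$name   = captcha_image_name($code, $secret);
var_dump(captcha_verify($code, $name, $secret), captcha_verify('WRONG1', $name, $secret));
```

The example covers only the keyed-name scheme the thread discusses; making each image name single-use (for instance by recording answered names server-side) is a separate concern it does not address.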