Re: Alternative/Addition to using a CAPTCHA

hah.. I was going to let this discussion die a bit because a lot of it is fairly off-topic.  But here and there we've hit on some PHP specific topics.

I just had to say Kudos to tedd for providing a fairly interesting and possibly very functional CAPTCHA solution.  True, a simple blue dot could be extracted like text could be in the standard visual CAPTCHA systems, but if it was something a little more obscure and mixed in with other images, it might make it a bit harder.

The one example before was "show a picture of a pig and the user is asked what animal is shown".  But it's a step more complicated to say "WHERE is the pig on this image" or even "Find the pig THEN tell me where it is".

For those of you not following, what tedd's done with his blue dot is created a larger image that contains a blue dot somewhere.  You can click in a fairly wide area, but only clicking on the blue dot yields a success.

These coordinates are sent to the server because what he's done is created an image "Submit" button. When you click on an input type=image, it acts as a submit and sends the X, Y coords of the click relative to the image.

So there's nothing in the source code for a bot to read to determine what X, Y coords to send.  It's generated on the server and is wholly stored on the server.  Nothing is, or can be, checked on the client side.

The best someone could hope to do is get lucky and send coords that are inside whatever area of the image needed to be clicked on.  Think "Battleship" hah.  But a larger image and smaller (and more obscure-to-visual-parsing) target make this highly unlikely.  And if you lock out their IP for a short time after a handful of failed attempts, then it makes it hardly worth even trying to brute force.

Very interesting tedd.  Hadn't thought of this one.  Thanks for the example!

-TG

= = = Original message = = =

At 3:37 PM +0200 3/30/07, Tijnema ! wrote:
>On 3/30/07, John Comerford <johnc@xxxxxxxxxxxxxxxxxxxx> wrote:
>>I was reading the current thread on CAPTCHA and possible cracks and I
>>thought maybe I'd throw this out to the group to see what you think.
>>Recently I saw a forum where in order to post you first had to click on
>>a div that was placed at a random location on the page, it read
>>something like, "Click here if you are human".  I was thinking that
>>maybe you could put together a system that looks something like this:
>>
>>http://people.aapt.net.au/JComerford/ClickMe.htm
>>
>>I was thinking you could use it in a couple of ways:
>>
>>1) As a replacement to a CAPTCHA image
>>2) When you click the image a CAPTCHA image is loaded into the 'Click
>>Me' container
>>
>>The main problem is how to tell the server that the div has been
>>clicked, in a way that can't be simulated.  I am not an expert with
>>either JS or PHP, but maybe some of the bigger brains out there could
>>throw in their 2 cents......
>>
>>JC
>
>This looks maybe hard to crack, but actually it isn't very hard. All
>the clicking does is calling a javascript function. You still could
>submit the page without clicking the box.
>
>Tijnema

Tijnema & John:

The above link I've already done a long time ago. But check out my 
dot CAPTCHA here:

http://sperling.com/examples/p-captcha

This does not use javascript, but does use sessions.

As you can see, the blue dot can be placed anywhere on the entrance 
page. Granted this presents a problem for the visually impaired, so I'm 
not recommending it. But, it's just a proof of concept at this point. 
Plus, I have not checked this on all browsers. I suspect that some 
browsers may have problems with alpha channel images -- so your 
mileage may differ.

In any event, I think this may be a bit more difficult to crack than 
something that relies upon javascript -- what do you think?

Cheers,

tedd





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
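
An added example, not part of the original messages and not tedd's code: one way the server-side check described in this thread could look in PHP, with the dot position held only in session data, each challenge usable once, and a short per-IP lockout after repeated misses. The image size, dot radius, lockout policy and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed values: image size, dot radius and lockout policy are assumptions.
const IMG_W = 400;
const IMG_H = 300;
const DOT_RADIUS = 12;
const MAX_FAILS = 5;
const LOCK_SECONDS = 300;

// Pick a fresh dot centre and keep it only in server-side session data.
function issue_challenge(array &$session): void {
    $session['dot'] = [
        'x' => random_int(DOT_RADIUS, IMG_W - DOT_RADIUS),
        'y' => random_int(DOT_RADIUS, IMG_H - DOT_RADIUS),
    ];
}

// $fails maps IP => ['n' => misses, 'until' => unix time]. A real site would keep
// it in a shared store, because a bot can simply drop its session cookie.
function verify_click(array &$session, array &$fails, string $ip, array $post, int $now): string {
    if (($fails[$ip]['until'] ?? 0) > $now) {
        return 'locked';
    }
    $dot = $session['dot'] ?? null;
    unset($session['dot']);   // single use: every attempt burns the challenge
    // <input type="image" name="dot"> submits dot.x / dot.y; PHP exposes dot_x / dot_y.
    $x = filter_var($post['dot_x'] ?? null, FILTER_VALIDATE_INT);
    $y = filter_var($post['dot_y'] ?? null, FILTER_VALIDATE_INT);
    if ($dot !== null && $x !== false && $y !== false
        && ($x - $dot['x']) ** 2 + ($y - $dot['y']) ** 2 <= DOT_RADIUS ** 2) {
        unset($fails[$ip]);
        return 'pass';
    }
    $n = ($fails[$ip]['n'] ?? 0) + 1;
    $fails[$ip] = ['n' => $n, 'until' => $n >= MAX_FAILS ? $now + LOCK_SECONDS : 0];
    return 'fail';
}

// Demo: plain arrays stand in for $_SESSION and $_POST; the IP is a constructed sample.
$session = []; $fails = []; $ip = '203.0.113.7'; $now = 1000;
issue_challenge($session);
$click = ['dot_x' => (string) $session['dot']['x'], 'dot_y' => (string) $session['dot']['y']];
echo verify_click($session, $fails, $ip, $click, $now), "\n";  // click on the dot
echo verify_click($session, $fails, $ip, $click, $now), "\n";  // replay of the same coordinates
```

The page that serves the image has to call the hypothetical `issue_challenge()` again after every attempt and render the dot at the new position, so a recorded pair of coordinates is never valid twice.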

