use reCaptcha in place of existing captchas?

mattsches
Regular
Posts: 440
Joined: Sat Nov 05, 2005 9:35 pm
Location: Wiesbaden, Germany

Post by mattsches »

The idea's great and has come up on the s9y mailing list just the other day. Garvin argued that it's probably better to put recaptcha into a separate plugin:
I'd however go with a distinct unique plugin instead of blowing up the spamblock plugin with that. Much like the add-on plugins for SURBL/DNSBL. This has the upside that people could use the new plugin on their existing blogs without upgrading to a core s9y version.
- Mattsches
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: use reCaptcha in place of existing captchas?

Post by garvinhicking »

Hi!
Are the hooks in place to replace the existing captcha mechanism with this one?
Yes, very much so. The spamblock plugin itself uses those hooks to emit its own captcha.

A different captcha plugin could be written using the same hooks/means.

I would love to see that, it's an interesting project IMHO!

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Post by chrisbra »

Hi,
I have tried to extend the existing spamblock plugin by using the recaptcha plugin.
Here is the patch (of recaptcha 1.16 and serendipity 1.1.2)

lang_en.inc.php.diff:
--- lang_en.inc.php 2007-05-29 18:26:17.127768400 +0200
+++ lang_en.inc.php.orig 2007-05-29 12:28:17.279592400 +0200
@@ -5,6 +5,7 @@
* @author Translator Name <yourmail@example.com>
* EN-Revision: Revision of lang_en.inc.php
*/
+
@define('PLUGIN_EVENT_SPAMBLOCK_TITLE', 'Spam Protector');
@define('PLUGIN_EVENT_SPAMBLOCK_DESC', 'A variety of methods to prevent comment spam');
@define('PLUGIN_EVENT_SPAMBLOCK_ERROR_BODY', 'Spam Prevention: Invalid message.');
@@ -19,12 +20,6 @@
@define('PLUGIN_EVENT_SPAMBLOCK_IPFLOOD_DESC', 'Only allow an IP to submit a comment every n minutes. Useful to prevent comment floods.');
@define('PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS', 'Enable Captchas');
@define('PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_DESC', 'Will force the user to input a random string displayed in a specially crafted image. This will disallow automated submits to your blog. Please remember that people with decreased vision may find it hard to read those captchas.');
-@define('PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA', 'Use Recaptcha');
-@define('PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_DESC', 'If set, a recaptcha will be generated. This is a special kind of captcha, that will help digitize books. See http://www.recaptcha.net for more details. As with normal captchas, remember that people with decreased vision may find it hard to read.');
-@define('PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PUB', 'Public key for recaptcha');
-@define('PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PRIV', 'Private key for recaptcha');
-@define('PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PUB_DESC', 'Provide a public key pair for communicating with the recaptcha.net site. You can request a public/private key pair at http://www.recaptcha.net/api/getkey');
-@define('PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PRIV_DESC', 'Provide a private key pair for communicating with the recaptcha.net site. You can request a public/private key pair at http://www.recaptcha.net/api/getkey');
@define('PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC', 'To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.');
@define('PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC2', 'Enter the string you see here in the input box!');
@define('PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC3', 'Enter the string from the spam-prevention image above: ');
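Review bot: the two key descriptions are inaccurate: PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PUB_DESC asks for a "public key pair" and _PRIV_DESC for a "private key pair", but each field takes exactly one key. Suggest "Public key issued by recaptcha.net for this site" and "Private key for this site; keep it secret, it is only ever used server-side", keeping the getkey URL in both.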


------------------------------------------------------------------------------------
serendipity_event_spamblock.php:

--- serendipity_event_spamblock.php 2007-05-29 18:16:59.770099300 +0200
+++ serendipity_event_spamblock.php.orig 2007-05-29 12:23:20.252671700 +0200
@@ -12,11 +12,6 @@
}

include dirname(__FILE__) . '/lang_en.inc.php';
-require_once dirname(__FILE__) . '/recaptchalib.php';
-$GLOBALS['recaptcha_api_server'] = 'http://api.recaptcha.net';
-$GLOBALS['recaptcha_api_secure_server'] = 'https://api-secure.recaptcha.net';
-$GLOBALS['recaptcha_verify_server'] = 'api-verify.recaptcha.net';
-

/* BC - TODO: Remove for 0.8 final */
if (!function_exists('serendipity_serverOffsetHour')) {
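Review bot: `require_once dirname(__FILE__) . '/recaptchalib.php'` runs unconditionally at include time, so a blog that never enables recaptcha, or that has not yet copied the library in as the post instructs, gets a fatal error from the whole spamblock plugin, captcha and all. Load it only on the recaptcha code paths, or guard with `file_exists()` and report a config-time message. Also, only `recaptcha_api_secure_server` is https; `recaptcha_verify_server` is a bare hostname, and that is the endpoint the private key is sent to on every check (see the `recaptcha_check_answer` call later in this patch), so confirm whether the library contacts it over TLS and, if not, say so in the config description.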
@@ -61,9 +56,6 @@
'ipflood',
'csrf',
'captchas',
- 'recaptcha',
- 'recaptcha_pub',
- 'recaptcha_priv',
'captchas_ttl',
'captcha_color',
'forcemoderation',
@@ -172,31 +164,6 @@
'desc' => array(YES, NO, PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_SCRAMBLE)
));
break;
-
- case 'recaptcha':
- $propbag->add('type', 'radio');
- $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA);
- $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_DESC);
- $propbag->add('default', 'no');
- $propbag->add('radio', array(
- 'value' => array('yes', 'no'),
- 'desc' => array(YES, NO)
- ));
- break;
-
- case 'recaptcha_pub':
- $propbag->add('type', 'string');
- $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PUB);
- $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PUB_DESC);
- $propbag->add('default', '');
- break;
-
- case 'recaptcha_priv':
- $propbag->add('type', 'string');
- $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PRIV);
- $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_RECAPTCHA_PRIV_DESC);
- $propbag->add('default', '');
- break;

case 'hide_for_authors':
$_groups =& serendipity_getAllGroups();
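Review bot: `recaptcha` is introduced as an independent yes/no radio, but the logic later in this patch only honours it when `captchas` is not 'no', so switching recaptcha on alone silently does nothing. Make it a third value of the existing `captchas` radio ('yes', 'scramble', 'recaptcha', 'no') so one setting decides which captcha is emitted and the ambiguous combination disappears. The `recaptcha_priv` field is a plain 'string' shown in clear in the config form; at minimum its description should say it is a secret.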
@@ -598,13 +565,11 @@
if (isset($hooks[$event])) {
$captchas_ttl = $this->get_config('captchas_ttl', 7);
$_captchas = $this->get_config('captchas', 'yes');
- $_recaptcha = $this->get_config('recaptcha', 'no');
- $captchas = ($_captchas !== 'no' && ($_captchas === 'yes' || $_captchas === 'scramble' || serendipity_db_bool($_captchas)) && ($_recaptcha ==='no'));
- $recaptcha = ($_captchas !== 'no' && ($_captchas === 'yes' || $_captchas === 'scramble' || serendipity_db_bool($_captchas)) && ($_recaptcha ==='yes' || $_recaptcha !== 'no' || serendipity_db_bool($_recaptcha)));
+ $captchas = ($_captchas !== 'no' && ($_captchas === 'yes' || $_captchas === 'scramble' || serendipity_db_bool($_captchas)));

// Check if the entry is older than the allowed amount of time. Enforce kaptchas if that is true
// of if kaptchas are activated for every entry
- $show_captcha = (($captchas || $recaptcha) && isset($eventData['timestamp']) && ($captchas_ttl < 1 || ($eventData['timestamp'] < (time() - ($captchas_ttl*60*60*24)))) ? true : false);
+ $show_captcha = ($captchas && isset($eventData['timestamp']) && ($captchas_ttl < 1 || ($eventData['timestamp'] < (time() - ($captchas_ttl*60*60*24)))) ? true : false);

$forcemoderation = $this->get_config('forcemoderation', 60);
$forcemoderation_treat = $this->get_config('forcemoderation_treat', 'moderate');
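Review bot: in the `$recaptcha` expression, `$_recaptcha !== 'no'` already covers `$_recaptcha === 'yes'` and `serendipity_db_bool($_recaptcha)`, so any stored value other than exactly 'no' turns recaptcha on and, through the `$_recaptcha === 'no'` term in `$captchas`, turns the built-in captcha off. Collapse the two lines to one test of the existing captchas condition, e.g. `$captcha_enabled = ($_captchas !== 'no' && (...));`, then `$recaptcha = $captcha_enabled && $_recaptcha === 'yes';` and `$captchas = $captcha_enabled && !$recaptcha;`; the `$show_captcha` line can then stay as written with `($captchas || $recaptcha)`.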
@@ -620,7 +585,8 @@
$use_gd = true;
} else {
$max_char = $min_char = 5;
- $use_gd = false; }
+ $use_gd = false;
+ }

switch($event) {
case 'fetchcomments':
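Review bot: whitespace-only change; the new-code side joins the closing brace onto `$use_gd = false; }`, which reads worse than the original two lines. Drop this hunk from the patch so the diff stays focused on the recaptcha change.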
@@ -864,38 +830,16 @@

// Captcha checking
if ($show_captcha && $addData['type'] == 'NORMAL') {
- if ($captchas) {
- if (!isset($_SESSION['spamblock']['captcha']) || !isset($serendipity['POST']['captcha']) || strtolower($serendipity['POST']['captcha']) != strtolower($_SESSION['spamblock']['captcha'])) {
- $this->log($logfile, $eventData['id'], 'REJECTED', sprintf(PLUGIN_EVENT_SPAMBLOCK_REASON_CAPTCHAS, $serendipity['POST']['captcha'], $_SESSION['spamblock']['captcha']), $addData);
- $eventData = array('allow_comments' => false);
- $serendipity['messagestack']['comments'][] = PLUGIN_EVENT_SPAMBLOCK_ERROR_CAPTCHAS;
- return false;
- } else {
- // DEBUG
- // $this->log($logfile, $eventData['id'], 'REJECTED', 'Captcha passed: ' . $serendipity['POST']['captcha'] . ' / ' . $_SESSION['spamblock']['captcha'] . ' // Source: ' . $_SERVER['REQUEST_URI'], $addData);
- }
- }
- // check recaptcha
- else {
- $privatekey = $this->get_config('recaptcha_priv');
- if ($_POST["recaptcha_response_field"]) {
- $resp = recaptcha_check_answer ($privatekey,
- $_SERVER["REMOTE_ADDR"],
- $_POST["recaptcha_challenge_field"],
- $_POST["recaptcha_response_field"]);
-
- if (!$resp->is_valid) {
- # set the error code so that we can display it
- $error = $resp->error;
- $this->log($logfile, $eventData['id'], 'REJECTED', $error, $addData);
- $eventData = array('allow_comments' => false);
- $serendipity['messagestack']['comments'][] = PLUGIN_EVENT_SPAMBLOCK_ERROR_CAPTCHAS;
- return false;
- }
+ if (!isset($_SESSION['spamblock']['captcha']) || !isset($serendipity['POST']['captcha']) || strtolower($serendipity['POST']['captcha']) != strtolower($_SESSION['spamblock']['captcha'])) {
+ $this->log($logfile, $eventData['id'], 'REJECTED', sprintf(PLUGIN_EVENT_SPAMBLOCK_REASON_CAPTCHAS, $serendipity['POST']['captcha'], $_SESSION['spamblock']['captcha']), $addData);
+ $eventData = array('allow_comments' => false);
+ $serendipity['messagestack']['comments'][] = PLUGIN_EVENT_SPAMBLOCK_ERROR_CAPTCHAS;
+ return false;
+ } else {
+// DEBUG
+// $this->log($logfile, $eventData['id'], 'REJECTED', 'Captcha passed: ' . $serendipity['POST']['captcha'] . ' / ' . $_SESSION['spamblock']['captcha'] . ' // Source: ' . $_SERVER['REQUEST_URI'], $addData);
}
- }
- }
- else {
+ } else {
// DEBUG
// $this->log($logfile, $eventData['id'], 'REJECTED', 'Captcha not needed: ' . $serendipity['POST']['captcha'] . ' / ' . $_SESSION['spamblock']['captcha'] . ' // Source: ' . $_SERVER['REQUEST_URI'], $addData);
}
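Review bot: the recaptcha branch fails open: `if ($_POST["recaptcha_response_field"])` skips verification entirely when the field is absent or empty, so a bot that posts to comment.php without it is accepted without the service ever being asked (the bypass Garvin raises further down the thread). Reject the comment when either `recaptcha_challenge_field` or `recaptcha_response_field` is missing or empty, before contacting the service, and only then call `recaptcha_check_answer`. Read both fields with `isset()` to avoid notices, and prefer `$serendipity['POST']` over raw `$_POST` to match the surrounding captcha code.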
@@ -993,45 +937,33 @@
}

if ($show_captcha) {
- if ($captchas) {
- echo '<div class="serendipity_commentDirection serendipity_comment_captcha">';
- if (!isset($serendipity['POST']['preview']) || strtolower($serendipity['POST']['captcha'] != strtolower($_SESSION['spamblock']['captcha']))) {
- echo '<br />' . PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC . '<br />';
- if ($use_gd) {
- printf('<img src="%s" title="%s" alt="CAPTCHA" class="captcha" />',
- $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'plugin/captcha_' . md5(time()),
+ echo '<div class="serendipity_commentDirection serendipity_comment_captcha">';
+ if (!isset($serendipity['POST']['preview']) || strtolower($serendipity['POST']['captcha'] != strtolower($_SESSION['spamblock']['captcha']))) {
+ echo '<br />' . PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC . '<br />';
+ if ($use_gd) {
+ printf('<img src="%s" title="%s" alt="CAPTCHA" class="captcha" />',
+ $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'plugin/captcha_' . md5(time()),
+ htmlspecialchars(PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC2)
+ );
+ } else {
+ $bgcolors = explode(',', $this->get_config('captcha_color', '255,0,255'));
+ $hexval = '#' . dechex(trim($bgcolors[0])) . dechex(trim($bgcolors[1])) . dechex(trim($bgcolors[2]));
+ $this->random_string($max_char, $min_char);
+ echo '<div style="background-color: ' . $hexval . '">';
+ for ($i = 1; $i <= $max_char; $i++) {
+ printf('<img src="%s" title="%s" alt="CAPTCHA ' . $i . '" class="captcha" />',
+ $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'plugin/captcha_' . $i . '_' . md5(time()),
htmlspecialchars(PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC2)
);
- } else {
- $bgcolors = explode(',', $this->get_config('captcha_color', '255,0,255'));
- $hexval = '#' . dechex(trim($bgcolors[0])) . dechex(trim($bgcolors[1])) . dechex(trim($bgcolors[2]));
- $this->random_string($max_char, $min_char);
- echo '<div style="background-color: ' . $hexval . '">';
- for ($i = 1; $i <= $max_char; $i++) {
- printf('<img src="%s" title="%s" alt="CAPTCHA ' . $i . '" class="captcha" />',
- $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'plugin/captcha_' . $i . '_' . md5(time()),
- htmlspecialchars(PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC2)
- );
- }
- echo '</div>';
}
- echo '<br />';
- echo '<label for="captcha">'. PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC3 . '</label><br /><input type="text" size="5" name="serendipity[captcha]" value="" id="captcha" />';
- }
- elseif (isset($serendipity['POST']['captcha'])) {
- echo '<input type="hidden" name="serendipity[captcha]" value="' . htmlspecialchars($serendipity['POST']['captcha']) . '" />';
+ echo '</div>';
}
- echo '</div>';
- }
- elseif ($recaptcha){
- $pubkey = $this->get_config('recaptcha_pub');
- $privkey = $this->get_config('recaptcha_priv');
- // The response from recaptcha.net
- $resp = null;
- // The error code from recaptcha.net, if any
- $error = null;
- echo recaptcha_get_html($pubkey);
+ echo '<br />';
+ echo '<label for="captcha">'. PLUGIN_EVENT_SPAMBLOCK_CAPTCHAS_USERDESC3 . '</label><br /><input type="text" size="5" name="serendipity[captcha]" value="" id="captcha" />';
+ } elseif (isset($serendipity['POST']['captcha'])) {
+ echo '<input type="hidden" name="serendipity[captcha]" value="' . htmlspecialchars($serendipity['POST']['captcha']) . '" />';
}
+ echo '</div>';
}

return true;
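Review bot: in the `elseif ($recaptcha)` display branch, `$privkey`, `$resp` and `$error` are assigned but never used; remove them, and in particular keep the private key out of the rendering path altogether, since only `recaptcha_get_html($pubkey)` is needed there. Unrelated but worth fixing while this block is being reindented: the pre-existing preview comparison `strtolower($serendipity['POST']['captcha'] != strtolower($_SESSION['spamblock']['captcha']))` has its parenthesis misplaced and lowercases a boolean instead of the posted value.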

-----------------------------------------------------------------------------------

This is my first contribution to serendipity and I had a hard time figuring out the plugin_api :). But it works for me.

All you need to do is get a copy of recaptchalib.php from recaptcha.net (http://recaptcha.net/plugins/php/) and place it in the serendipity_event_spamblock folder. Next you need to apply for your public/private key combination at recaptcha.net (http://recaptcha.net/api/getkey).
Now apply the patch and enter the keys into the fields in the configuration dialog for the spamblock plugin.
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Re: use reCaptcha in place of existing captchas?

Post by chrisbra »

Hi,
garvinhicking wrote: The spamblock plugin itself uses those hooks to emit its own captcha.

A different captcha plugin could be written using the same hooks/means.

I would love to see that, it's an interesting project IMHO!
I have been working a little more on integrating the recaptcha into s9y. I have created a captcha_plugin which integrates the old captcha functionality and the new recaptcha one. Therefore I have been taking the captcha functionality out of the spamblock plugin.

Both plugins are available as tar.gz Archives at http://www.256bit.org/~chrisbra/s9y/

Instructions:
Get the recaptcha library from www.recaptcha.net.
Place the unzipped recaptcha library at bundled_libs in a new folder called Recaptcha.
Put serendipity_event_captcha into the plugins_folder.
Replace the serendipity_event_spamblock folder by the new one.
Go to the login screen and add the captcha plugin as new event plugin. Reconfigure the captcha plugin and the spamblock plugin.

As this is pretty much the first time I have dug into the s9y code, I would appreciate feedback from the developers. (Some code is only commented out, as I was not sure whether it might have to be included later on.)

Please note, this is no stable software, it may burn your computer. I'll take no responsibility.
Update:
I have installed the recaptcha plugin in my blog see http://blog.256bit.org for some examples, what it would look like.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: use reCaptcha in place of existing captchas?

Post by garvinhicking »

Hi Chris!

Thanks a lot for your work! Might I be so bold to request a slightly different implementation? :-)

What I would ultimately like to have is a simple "recaptcha" plugin that a person can install on top of a s9y installation without changing his spamblock plugin.

So we leave the spamblock plugin exactly as it is now.

The recaptcha plugin will then take care of issuing its very own captcha, and when people use it, they simply configure the spamblock plugin to not use captchas (because recaptcha does that job).

This has the following advantages:

1. People don't need to upgrade to a new s9y version because of the spamblock changes

2. The recaptcha plugin stands on its own and can be advertised on the recaptcha pages easily.

3. The recaptcha plugin can easily be installed via Spartacus without interfering with the spamblock plugin

4. We can upgrade the recaptcha plugin independently from the s9y installation, because it is completely unrelated to the spamblock plugin.

BTW, the recaptcha library should be included within the plugin directory. It is licensed as BSD, so no need to externally download the library for the user.

Do you think this would be possible? I would love it to be. :-) :-)

Thanks a lot for your work,
Garvin
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Re: use reCaptcha in place of existing captchas?

Post by chrisbra »

garvinhicking wrote: What I would ultimately like to have is a simple "recaptcha" plugin that a person can install on top of a s9y installation without changing his spamblock plugin.

So we leave the spamblock plugin exactly as it is now.

The recaptcha plugin will then take care of issuing its very own captcha, and when people use it, they simply configure the spamblock plugin to not use captchas (because recaptcha does that job).
Well, I got your point. From a user's point of view I find that suboptimal, because you end up with two places to configure captchas. And if the user isn't careful, he might end up with two different captchas.

If you just take my provided recaptcha plugin and use the existing spamblock plugin, you'll see how that works. (In the end the captcha provided by the spamblock plugin would always win.)
What needs to be ensured is that the recaptcha plugin would disable the captcha from the spamblock plugin. Don't know if this is possible.

Also from a programmer's view I find it not optimal, because you end up with the same (or nearly the same) code in 2 plugins. This just does not sound reasonable.
garvinhicking wrote: This has the following advantages:

1. People don't need to upgrade to a new s9y version because of the spamblock changes

2. The recaptcha plugin stands as its own and can be advertised on the recaptca pages easily.

3. The recaptcha plugin can easily be installed via Spartacus without interfering with the spamblock plugin

4. We can upgrade the recaptcha plugin independently from the s9y installation, because it is completely unrelated to the spamblock plugin.
Well, I am not sure how to proceed. I can rework the plugin, but in my personal opinion, this does not sound right.
May I ask for comments? I need to rethink this a little bit more, before I'll implement that change.
garvinhicking wrote: BTW, the recaptcha library should be included within the plugin directory. It can be licenses as BSD, so no need to externally download the library for the user.
Ok, I was not sure where to put it anyway.
garvinhicking wrote: Do you think this would be possible? I would love it to be. :-) :-)
Of course this is possible. I am not yet really convinced, but if you or a majority still want it that way, I guess I will implement it.
garvinhicking wrote: Thanks a lot for your work,
I got finally the chance to give something back.

regards,
Christian
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: use reCaptcha in place of existing captchas?

Post by garvinhicking »

Hi!
chrisbra wrote: Well, I got your point. From a user's point of view I find that suboptimal, because you end up with two places to configure captchas. And if the user isn't careful, he might end up with two different captchas.
We could add a check to the spamblock plugin that checks for a variable which is set by the recaptcha plugin (using the frontend_configure hook). If that variable is set, the spamblock captcha will not be emitted?

People would only benefit from that option when they upgrade to the new serendipity version with that new plugin, but for the future it would be there.
chrisbra wrote: Also from a programmer's view I find it not optimal, because you end up with the same (or nearly the same) code in 2 plugins. This just does not sound reasonable.
IMHO the amount of duplicate code would not be that high. The only thing I see identical would be the <img src> output and the blocking of spam when the captcha is found?

There are drawbacks, I agree. But IMHO the advantages are much more important.
chrisbra wrote: Well, I am not sure how to proceed. I can rework the plugin, but in my personal opinion, this does not sound right.
May I ask for comments? I need to rethink this a little bit more, before I'll implement that change.
Of course, please have a go at it. But at the current implementation point, I cannot put your plugin into the official spartacus/serendipity repository - which is sad, because I'd really like reCaptcha implementation. :-)

So, all the people reading it here, please comment. :-)

Regards,
Garvin
bowzer
Posts: 2
Joined: Sun Mar 04, 2007 1:18 am

Post by bowzer »

I'm in agreement with Garvin. I feel that, although reCaptcha is a cool new idea to an old-time problem, I don't think that it should be jumped on and fully adopted so quickly. IMHO, it would be better to implement as a plugin so that people have the option of using it, but not forcing it down people's throats NOR forcing an update to Serendipity for those who want to utilize it.

I'm still iffy when I say this, but I would propose that should adoption of the reCaptcha be taken extremely well (ie: a sizable percentage of the userbase for Serendipity using the plugin), the original captcha idea be replaced with reCaptcha. The only issue that I have is the requirement for a API key:
Sign up for an API key. This sign-up process makes it much more difficult for an attacker to break your CAPTCHA.
That is not something old Captcha lovers will want to have to do, and I'm sure Serendipity won't want to have a universal API key for security reasons. Additionally, new adoptions to the blogging software might be extremely slow especially if the added step of having to register for an API key is required...
Chris Weldon, ZCE
bowzer@gmail.com
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Post by chrisbra »

bowzer wrote:I'm in agreement with Garvin. I feel that, although reCaptcha is a cool new idea to an old-time problem, I don't think that it should be jumped on and fully adopted so quickly. IMHO, it would be better to implement as a plugin so that people have the option of using it, but not forcing it down people's throats NOR forcing an update to Serendipity for those who want to utilize it.
That was exactly what I did. The user could stay with the old traditional captcha or take the new one. Therefore I thought a captcha plugin would be better.

But anyway, I'll rework it.

regards,
Christian
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Re: use reCaptcha in place of existing captchas?

Post by chrisbra »

Well I reworked the plugin. See http://www.256bit.org/~chrisbra/s9y/ser ... 0.4.tar.gz
for the new recaptcha plugin.
garvinhicking wrote: We could add a check to the spamblock plugin that checks for a variable which is set by the recaptcha plugin (using the frontend_configure hook). If that variable is set, the spamblock captcha will not be emitted?
Ok, made a patch.
I hope it is ok to simply put a variable in $serendipity. I tried to make it in such a way that other plugins could also use that.
Anyway, the problem with this approach is, that now, the recaptcha plugin needs to be loaded before the spamblock plugin, otherwise, the spamblock plugin will not see the variable.

Also from a programmer's view I find it not optimal, cause you end up with the same (or nearly the same code) in 2 plugins. This just does not sound reasonable.
garvinhicking wrote: IMHO the amount of duplicate code would not be that high. The only thing I see identical would be the <img src> output and the blocking of spam when the captcha is found?
Well actually it is the spamblock plugin, removed by all non-necessary parts. (You'll probably see similarities, if you diff spamblock and recaptcha) Even some of the configuration options are shared.
garvinhicking wrote: There are drawbacks, I agree. But IMHO the advantages are much more important.
Oh well, you wanted it that way, so you'll find a better version at my site (see link above)

regards,
Christian
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: use reCaptcha in place of existing captchas?

Post by garvinhicking »

Hi!

Thanks a lot for the work! I just committed your files with minor modifications:

1. I modified the serendipity spamblock plugin to check your variable in the place where the actual captcha is emitted, not on 'frontend_configure'. So now the order doesn't matter any more. With my note I just wanted to say that the variable needed to be SET in frontend_configure, not read. That can be done later in the queue, where the variables of all plugins have been set.

2. I stripped some more code out of the recaptcha plugin that was not used (forcemoderation for example). I bumped the version to 0.5.

3. I removed the example*.php files from recaptcha to prevent people calling them and possibly endangering the serendipity installation with malicious code.

Now, what remains is IMHO a conceptual flaw:

The recaptcha plugin checks if $_POST['recaptcha_response_field'] is set. Now, if a spambot submits his own POST data to comment.php and simply leaves out that field, that will completely bypass the captcha protection, because the plugin does not have that field and simply says "hooray, this ain't spam".

It should be changed so that in case the POST-Field is missing, the comment is classified as spam, right?

Then another problem: If I solve a captcha once, I can get the POST-Data for the challenge field, and because I know the required result for the response field, I will be able to submit comments with the same POST-Data for challenge/response time and again, right?

Or is a challenge only valid until it has been solved for the first time? If so, how does it prevent that a challenge is not issued to two users who both validly solve it and submit it to the API?

Best regards,
Garvin
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Re: use reCaptcha in place of existing captchas?

Post by chrisbra »

garvinhicking wrote: 1. I modified the serendipity spamblock plugin to check your variable in the place where the actual captcha is emitted, not on 'frontend_configure'. So now the order doesn't matter any more. With my note I just wanted to say that the variable needed to be SET in frontend_configure, not read. That can be done later in the queue, where the variables of all plugins have been set.
ok thanks.
garvinhicking wrote: 2. I stripped some more code out of the recaptcha plugin that was not used (forcemoderation for example). I bumped the version to 0.5.
Yeah forgot about the forcemoderation code.
garvinhicking wrote: The recaptcha plugin checks if $_POST['recaptcha_response_field'] is set. Now, if a spambot submits his own POST data to comment.php and simply leaves out that field, that will completely bypass the captcha protection, because the plugin does not have that field and simply says "hooray, this ain't spam".

It should be changed so that in case the POST-Field is missing, the comment is classified as spam, right?
I think, an empty POST field will produce an error, since the plugin sends that to the recaptcha server. It is probably a good idea to check for an empty field, to reduce network traffic.
garvinhicking wrote: Then another problem: If I solve a captcha once, I can get the POST-Data for the challenge field, and because I know the required result for the response field, I will be able to submit comments with the same POST-Data for challenge/response time and again, right?

Or is a challenge only valid until it has been solved for the first time? If so, how does it prevent that a challenge is not issued to two users who both validly solve it and submit it to the API?
My understanding from the existing documentation (which is not much on the security matter) is, that by providing your private key and the token generated by the recaptcha server, one single captcha can always be linked to one user and one session.

See the Api-Documentation for more infos.

regards,
Christian
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: use reCaptcha in place of existing captchas?

Post by garvinhicking »

Hi!
chrisbra wrote: I think, an empty POST field will produce an error, since the plugin sends that to the recaptcha server. It is probably a good idea to check for an empty field, to reduce network traffic.
No, it does not generate an error because if the response-POST-Field is missing, the webservice is not even queried in current code.
chrisbra wrote: My understanding from the existing documentation (which is not much on the security matter) is, that by providing your private key and the token generated by the recaptcha server, one single captcha can always be linked to one user and one session.
Okay, thanks for clearing that up!

Best regards,
Garvin
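The two issues Garvin raises above, a missing `recaptcha_response_field` letting a comment through without the service ever being asked, and a once-solved challenge/response pair being posted again, handled in an added example. This is illustrative PHP written for this page, not code from the s9y project or from the recaptcha plugin discussed in the thread. The function name, the verdict array, the `$seen` cache and the fake verifier are assumptions made for the example; the verifier is injected so the script runs offline, and in a real plugin you would pass `'recaptcha_check_answer'` from recaptchalib.php, whose arguments and `->is_valid` / `->error` result match what the posted patch calls. The local single-use cache is belt and braces on top of whatever the reCAPTCHA service does server-side, which the thread does not establish.

```php
<?php
declare(strict_types=1);

/**
 * Verify a reCAPTCHA challenge/response answer, failing closed.
 *
 * $post      submitted form fields (e.g. $_POST)
 * $remoteIp  client address passed through to the verifier
 * $privKey   site private key; used server-side only, never echoed
 * $verify    callable(privKey, remoteIp, challenge, response) returning an
 *            object with ->is_valid and ->error (shape of recaptcha_check_answer)
 * $seen      challenge hashes already accepted once, by reference; a real
 *            plugin would keep this in $_SESSION or a small DB table
 *
 * Returns ['ok' => bool, 'reason' => string, 'queried' => bool].
 */
function recaptcha_check_fail_closed(array $post, string $remoteIp, string $privKey, callable $verify, array &$seen): array
{
    $challenge = $post['recaptcha_challenge_field'] ?? '';
    $response  = $post['recaptcha_response_field']  ?? '';

    // 1. Missing, non-string or empty fields: reject locally. A bot that simply
    //    omits the fields must not skip the check, and no round trip is spent.
    if (!is_string($challenge) || !is_string($response) || $challenge === '' || trim($response) === '') {
        return ['ok' => false, 'reason' => 'captcha-fields-missing', 'queried' => false];
    }

    // 2. Local single-use guard: a challenge that already passed once is never
    //    accepted again, whatever the remote service would answer.
    $key = hash('sha256', $challenge);
    if (isset($seen[$key])) {
        return ['ok' => false, 'reason' => 'captcha-replayed', 'queried' => false];
    }

    // 3. Only now ask the service. Anything that is not a clear "valid" is a reject.
    $resp = $verify($privKey, $remoteIp, $challenge, $response);
    if (!is_object($resp) || empty($resp->is_valid)) {
        $err = (is_object($resp) && isset($resp->error)) ? (string) $resp->error : 'no-response';
        return ['ok' => false, 'reason' => 'captcha-rejected: ' . $err, 'queried' => true];
    }

    $seen[$key] = time();
    return ['ok' => true, 'reason' => 'captcha-ok', 'queried' => true];
}

// ---- Offline demonstration with a constructed stand-in for the service ----

// Constructed fake verifier: knows one challenge/answer pair and counts calls,
// so the demo shows which submissions reach the service at all.
$calls = 0;
$fakeVerify = function (string $priv, string $ip, string $challenge, string $response) use (&$calls): object {
    $calls++;
    $valid = ($challenge === 'chal-123' && strtolower(trim($response)) === 'flummox worth');
    return (object) ['is_valid' => $valid, 'error' => $valid ? null : 'incorrect-captcha-sol'];
};

$seen = [];
$priv = 'example-private-key';   // placeholder, not a real key
$ip   = '198.51.100.7';          // documentation address

// a) bot POST that leaves the captcha fields out: rejected, service not contacted
$a = recaptcha_check_fail_closed(['serendipity' => ['comment' => 'buy stuff']], $ip, $priv, $fakeVerify, $seen);
// b) genuine answer to a fresh challenge: accepted
$b = recaptcha_check_fail_closed(['recaptcha_challenge_field' => 'chal-123', 'recaptcha_response_field' => 'Flummox worth'], $ip, $priv, $fakeVerify, $seen);
// c) the same challenge/response posted again: rejected locally as a replay
$c = recaptcha_check_fail_closed(['recaptcha_challenge_field' => 'chal-123', 'recaptcha_response_field' => 'Flummox worth'], $ip, $priv, $fakeVerify, $seen);
// d) wrong answer to another challenge: service is asked and says no
$d = recaptcha_check_fail_closed(['recaptcha_challenge_field' => 'chal-456', 'recaptcha_response_field' => 'nope'], $ip, $priv, $fakeVerify, $seen);

assert($a['ok'] === false && $a['queried'] === false);
assert($b['ok'] === true);
assert($c['ok'] === false && $c['reason'] === 'captcha-replayed');
assert($d['ok'] === false && $d['queried'] === true);
assert($calls === 2);

echo "a: {$a['reason']}\nb: {$b['reason']}\nc: {$c['reason']}\nd: {$d['reason']}\nservice calls: {$calls}\n";
```

Run it with `php example.php`; the assertions document the intended behaviour (enable `zend.assertions=1` to have them enforced). In the plugin the `return false` / `allow_comments` handling stays exactly as the spamblock code does it; only the decision is moved into a function that defaults to rejecting.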
Neut
Regular
Posts: 91
Joined: Sat Jun 17, 2006 7:51 pm
Location: NL, Earth

Post by Neut »

The recaptcha plugin works great (http://3gz.com/test/ - runs on nightly build s9y_200706012342).
But... maybe I'm missing the point here; although recaptcha looks slick, and the decipher project is a great initiative, the captchas in the S9Y Spam Protector plugin seem faster and friendlier for visitors to read. Also my readers (hi mum!) are Dutch, not English. The mix of letters and numbers in the S9Y Spam Protector plugin seems more universal to me.

So, my verdict:
+ Appealing Looks
+ helps the deciphering of books
+ because we can :D

- not reader-friendly
- a tad slower
Who is General Failure, and why is he reading my disk?
chrisbra
Regular
Posts: 63
Joined: Wed Jun 08, 2005 4:12 pm

Post by chrisbra »

Neut wrote: The recaptcha plugin works great (http://3gz.com/test/ - runs on nightly build s9y_200706012342).
But... maybe I'm missing the point here; although recaptcha looks slick, and the decipher project is a great initiative, the captchas in the S9Y Spam Protector plugin seem faster and friendlier for visitors to read. Also my readers (hi mum!) are Dutch, not English. The mix of letters and numbers in the S9Y Spam Protector plugin seems more universal to me.

So, my verdict:
+ Appealing Looks
+ helps the deciphering of books
+ because we can :D

- not reader-friendly
- a tad slower
I also have 2 blogs, one of which is basically exclusively read by Germans. Most of my readers probably neither understand what a captcha is, nor what this recaptcha thing is actually doing. Therefore I do not use it on this blog.
In fact, I only wrote the plugin, because I wanted to contribute back to the team and wanted to learn about the Plugin-Interface of serendipity.

regards,
Christian