The idea of your captcha is great; however, it has a few flaws:
The hardest-to-fix flaw is that if the spammer can get the images, he can always do image matching to find the right rotation. People REALLY need to use their own image sets.
The following flaws are more severe, but easier to fix:
Your implementation allows sending multiple comments using one captcha (just re-use the captcha_checkword). You will need some sort of persistence to avoid that. If you want to avoid a database, PHP sessions could work. It would still require that a spammer solves a captcha once per website, but then he could spam away freely as often as he wants.
Also, your encryption function only uses the first character of your key (try for yourself: encrypt a message multiple times with different keys that all have the same first character). XOR for encryption is insecure anyway and can quickly be broken. Use sessions or some custom but server-side way to store the expected solution and don't pass anything but a completely random session ID to the user. If you absolutely want to avoid any server-side data storage, give a completely random ID to the user, take some parts of MD5($theID.$someSecredKey) and derive the angles from that (i.e. use the first byte modulo 8 to find the first image rotation, the second byte modulo 8 for the second image rotation, etc., and use some other byte to derive what kind of images you serve (icons, animals, …), as otherwise the attacker may reload until he hits an image he can easily solve).
Your key starts with “s”, and using that, 4a430f4240460f424b430f4141460f4144430f4043430f430f4543 decrypts to 90|135|180|225|270|300|0|60, which gives me the numbers to submit without needing to look at the images.
Some of your images are hard to solve for humans (like the bug and the puppy), as their orientation is not really clear (the bug could be crawling and the puppy could be sitting).
Otherwise, as I said, your captcha idea is great! Currently it only works because spammers are not trying to abuse it specifically, but you can fix that quite easily. The captcha could also have been attacked without the source (it would just be more work; XOR encryption is quite obvious if you see multiple values, most starting with the same number), but the source allowed me to point out what to improve.
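The two fixable flaws in the comment above (a one-character XOR key and a captcha answer that can be replayed) as an added Python example; this is not the plugin's code and not the commenter's. It first recovers the XOR key byte from the ciphertext quoted above using only the fact that the plaintext is digits and pipes, then shows the stateless derivation the comment proposes: the client receives nothing but a random token, the server recomputes the angles and the image set from a keyed hash over that token, and a set of consumed tokens makes each captcha single use. ANGLES, IMAGE_SETS, SERVER_SECRET, ChallengeStore and the hex token format are assumptions; HMAC-SHA256 stands in for the MD5($theID.$someSecredKey) the comment mentions.

```python
import hashlib
import hmac
import secrets
import string

# Ciphertext quoted in the comment above, as hex. The reviewer states that it
# decrypts with the key character "s" to "90|135|180|225|270|300|0|60".
CIPHERTEXT_HEX = "4a430f4240460f424b430f4141460f4144430f4043430f430f4543"

# The plaintext is a '|'-separated list of angles, so every plaintext byte is a
# digit or a pipe. That alphabet is small enough to identify the key byte
# without knowing it: try all 256 values and keep the ones that stay inside it.
PLAINTEXT_ALPHABET = set(string.digits + "|")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (what a one-character key degenerates to)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(ciphertext: bytes) -> list:
    """Return every (key_byte, plaintext) pair whose plaintext is digits and pipes only."""
    hits = []
    for key in range(256):
        text = xor_single_byte(ciphertext, key).decode("latin-1")  # never fails
        if set(text) <= PLAINTEXT_ALPHABET:
            hits.append((key, text))
    return hits


# --- Hardened, stateless challenge derivation (added example, not the plugin's code) ---

# Constructed values: the angle table and image-set names are assumptions; the
# secret must be generated randomly on the server and must never leave it.
ANGLES = [0, 45, 90, 135, 180, 225, 270, 315]
IMAGE_SETS = ["icons", "animals", "tools"]
SERVER_SECRET = b"constructed-demo-secret-replace-with-os.urandom-output"


def derive_challenge(secret: bytes, token: str, image_count: int = 8) -> dict:
    """Derive each image's rotation and the image set from the token alone.

    HMAC-SHA256 replaces the MD5(id . secret) construction from the comment.
    Digest byte i picks the rotation of image i; the next byte picks the image
    set, so reloading cannot fish for an easy set: the set is bound to the token.
    """
    digest = hmac.new(secret, token.encode("ascii"), hashlib.sha256).digest()
    angles = [ANGLES[b % len(ANGLES)] for b in digest[:image_count]]
    image_set = IMAGE_SETS[digest[image_count] % len(IMAGE_SETS)]
    return {"angles": angles, "image_set": image_set}


def issue_challenge(secret: bytes) -> tuple:
    """Give the client only a random token; the server re-derives the rest on verify."""
    token = secrets.token_hex(16)
    return token, derive_challenge(secret, token)


class ChallengeStore:
    """Tracks consumed tokens so one solved captcha cannot be submitted twice.

    Some server-side state is unavoidable for single use; this in-memory set
    stands in for a session or a table of used tokens with an expiry.
    """

    def __init__(self):
        self.used = set()

    def verify(self, secret: bytes, token: str, submitted_angles: list) -> bool:
        """submitted_angles is the client's solution for each image, in order."""
        if token in self.used:
            return False  # replay of a captcha that was already accepted
        expected = "|".join(map(str, derive_challenge(secret, token)["angles"]))
        submitted = "|".join(map(str, submitted_angles))
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        self.used.add(token)
        return True
```

Only the key byte 0x73 ("s") keeps every byte of the quoted ciphertext inside the digit-and-pipe alphabet, which is why the comment says the encryption is obvious once a few values are seen. The keyed derivation removes the need to send the solution to the client at all, but it does not by itself stop replay: the consumed-token set (or a session) is still required, and in practice the token should also carry or be stored with an issue time so old tokens expire.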
uiuiui
Oh, by the way, Internet Explorer is working (kind of), but Firefox is not.
test
testagain
TheCaptchaAllowsToSolveItOnceAndUseItsPostValuesToSubmitMultipleTimes___________________
What if none of the pictures is vertical? Hmmmpf -_-
Congratulations, very good
sdf
test
test
Test xD
hh
When you say “vertical”, do you mean “in their upright position”? I wonder if it's not working because I use Safari???
Hello! =)
I use Safari 4.0.4
It’s OK!
asdfsdf
sdsdfsdfsd sdf sdf
cool!
adadas
kjbjbbkbkbkj
TESTINMG
it seems funny
test
555
like it!
Just testing
nice
<zczxc
How nice this plugin is