Or maybe just make filling it out optional, and if they don't give a question, there won't be anti-spam enabled.
stevemaury wrote: A default set of questions is no good, as no matter how many you have, they can be broken by anyone with access to the phpBB installation files, which is everyone.
Admittedly making an installation requirement of configuring Q&A would make the process longer and perhaps more difficult. Perhaps an override?
By default, phpBB must be configured to require a question at registration to combat spam. The method offered, if properly used, is very effective. However, if this is a local installation, or an intranet or one with closed registration, or for any other reason you wish to override that, you can do so by checking the box below that says "I love spam" (just kidding - "I do not want to enable spambot countermeasures at this time")
[RFC] Q&A plugin by default
- imkingdavid
- Registered User
- Posts: 1050
- Joined: Thu Jul 30, 2009 12:06 pm
Re: [RFC] Q&A plugin by default
I think a nag in acp index would be sufficient.
Re: [RFC] Q&A plugin by default
I think I've changed my mind on this and that Q&A CAPTCHA should be added as an installation step with a Skip button.
Formerly known as Unknown Bliss
No unsolicited PMs please except for quotes.
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
- callumacrae
- Former Team Member
- Posts: 1046
- Joined: Tue Apr 27, 2010 9:37 am
- Location: England
- Contact:
Re: [RFC] Q&A plugin by default
+1
Unknown Bliss wrote: I think I've changed my mind on this and that Q&A CAPTCHA should be added as an installation step with a Skip button.
Re: [RFC] Q&A plugin by default
Why not just place multiple input@type=checkbox or input@type=radio for the user to choose?
Just make a warning (in red and bold) if the user chooses not to use any captcha.
If the user chooses Q&A, ask for Q's and A's to add.
If the user chooses ReCaptcha, state that there's a need for an application key and also show the instructions about how that application key can be obtained.
If the user chooses one of the other 3 (default) captcha, show the lack of security it means.
If the user chooses none, warn that it's a ludicrous option unless it's a test forum.
- imkingdavid
- Registered User
- Posts: 1050
- Joined: Thu Jul 30, 2009 12:06 pm
Re: [RFC] Q&A plugin by default
EDIT: Ticket
I believe the best way to go about this is:
- New page following server settings with a "Skip" button at the top and a "Next" button at the bottom. Skip never takes any input on that page into account, it just moves to the next page.
- If no question/answer is entered, use current default captcha (or no captcha)
- If only question or only answer is entered, error to ask for the empty one
- Otherwise, continue.
And a Skip button should be similarly added to the Server Settings page, since that page generally needs no changes to it anyway.
Would it be possible to find/write code for a spam bot and have it test the question that is entered, both during install and later on? If it can crack the question, we could warn the admin that the question is too easy. Of course I have no idea how spam bots work, what language they are programmed in, etc, but I figured I'd toss this out there.
-
- Support Team
- Posts: 40
- Joined: Sat Aug 30, 2008 12:44 am
Re: [RFC] Q&A plugin by default
I think the way to handle question difficulty is to give a couple of examples, making it clear that the examples should not actually be used.
Like this:
BAD
What is 2 + 2
What color is the sky?
Who is President of the USA?
_________________________________-
GOOD
Q: Type the (first, last, middle) three (or 4 or 5) characters of the following string: )kT53@x
Q: Type the (first, last, middle) three (or 4 or 5) characters in the name of this Board
Q: What are the (first, last, middle) 3 characters in the fifth word of the message in smaller type just below this question?
Q: Click this link and type the name of the animal in the picture.
-
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [RFC] Q&A plugin by default
In the short term, I tend to agree with Oleg.
Oleg wrote: I think a nag in acp index would be sufficient.
The best solution would be a refactor of the installer to add optional pages (with a "Skip" option) to the end. This would also make it possible to change some of the currently required fields to optional. Without significantly refactoring the installer, however, the simple solution is to display a nag on the ACP index telling administrators that their forum is currently susceptible to spam. Something this simple could even be done in the 3.0 line, I think.
I also recently created an anchor to information on spam (which may eventually turn into a dedicated page): http://www.phpbb.com/support/spam/
-
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [RFC] Q&A plugin by default
It should be noted that:
stevemaury wrote: GOOD
Q: Type the (first, last, middle) three (or 4 or 5) characters of the following string: )kT53@x
Q: Type the (first, last, middle) three (or 4 or 5) characters in the name of this Board
Q: What are the (first, last, middle) 3 characters in the fifth word of the message in smaller type just below this question?
"Type the last three characters of the following segment: fy7g3yd"
is equivalently difficult for a bot to do as:
"Type '3yd' into the box"
Unless a large portion of phpBB administrators use the exact syntax, bots will be unable to figure out what is being asked. On the other hand, if we make this a default recommendation, someone will write a bot to target these kinds of questions, looking specifically for keywords like "one, two, three, four" and "first, last, middle", which, even with a 25% success rate, will result in a breach.
If these kinds of sample questions are offered, they should be generic enough that people don't use them as-is or with minor variations, else we'll end up with the problem above.
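An added illustration, not phpBB's own code: a validator for the installer page imkingdavid sketches (skip, empty-field errors, otherwise continue), combined with the "question is too easy" warning he asks about, using the keyword pattern ("first, last, middle" plus a count) that the post above says a bot would look for. The question/answer pairs are constructed from this thread's BAD and GOOD lists; the function names are my own.

```python
import re

# Heuristic patterns taken from the thread: arithmetic a script can evaluate, and the
# "type the first/last/middle N characters of ..." template whose source string sits
# in the question itself. Common-knowledge questions ("What color is the sky?") are
# not caught by these heuristics; that remains a judgement call for the admin.
POSITION_WORDS = r"\b(first|last|middle)\b"
COUNT_WORDS = r"\b(one|two|three|four|five|\d+)\b"
ARITHMETIC = r"\b\d+\s*[-+*/x]\s*\d+\b"


def weaknesses(question: str, answer: str) -> list[str]:
    """Return warnings about a Q&A pair; an empty list means nothing was flagged."""
    q = question.lower()
    found = []
    if re.search(ARITHMETIC, q):
        found.append("arithmetic a script can evaluate")
    if re.search(POSITION_WORDS, q) and re.search(COUNT_WORDS, q) and "character" in q:
        found.append("positional-substring template with the source string in the question")
    if answer and answer.lower() in q:
        found.append("answer appears verbatim in the question")
    if len(answer) < 3:
        found.append("answer shorter than three characters is easy to guess")
    return found


def validate_step(question: str, answer: str, skipped: bool = False) -> dict:
    """Outcome of the proposed installer page, following the rules in the thread:
    Skip (or nothing entered) falls back to the current default CAPTCHA, a half-filled
    pair is an error naming the empty field, and a complete pair continues with warnings."""
    question, answer = question.strip(), answer.strip()
    if skipped or (not question and not answer):
        return {"status": "default_captcha", "warnings": []}
    if not question:
        return {"status": "error", "warnings": ["question is empty"]}
    if not answer:
        return {"status": "error", "warnings": ["answer is empty"]}
    return {"status": "ok", "warnings": weaknesses(question, answer)}


if __name__ == "__main__":
    # Constructed sample pairs drawn from the BAD/GOOD lists in this thread.
    for q, a in [("What is 2 + 2", "4"),
                 ("Type the last three characters of the following segment: fy7g3yd", "3yd"),
                 ("What color is the sky?", "blue")]:
        print(q, "->", validate_step(q, a))
```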
Re: [RFC] Q&A plugin by default
Maybe this is a crazy idea, but Q&A should parse BBcode (only [ b], [ i], [ u] and [color]) to create more complex questions. Examples:
The sky is blue, but this text is ...?
------------------------
In the sentence: "Choose what is right, not what is easy." What words are bold?