Hhlc hhlc.eish! → 0.5.5 (Bug fix galore)

Comments and changes to this ticket

• 

  Matias Korhonen May 14th, 2009 @ 10:24 PM

  • State changed from “new” to “open”

  I've just spent an inordinate amount of time looking at different anti-bot solutions for Rails and I haven't managed to find anything we'd actually want to use.

  The best I idea I have at the moment is to implement out own solution.

• 

  Matias Korhonen May 14th, 2009 @ 10:24 PM

  • Assigned user set to “Matias Korhonen”
• 

  Matias Korhonen May 14th, 2009 @ 11:48 PM

  How about something like this for a simple math problem? It isn't really complicated, but I think our site is small enough for it to be sufficient.

  def math_puzzle
      number1 = rand(10)
      number2 = rand(10)
      operator = rand(3)
      salt = MATH_SALT
      
      case operator
          when 0
            question = "What is " + number1.to_s + " multiplied by " + number2.to_s + "?"
            answer = number1 * number2
          when 1
            question = "What is " + number1.to_s + " plus " + number2.to_s + "?"
            answer = number1 + number2
          when 2
            question = "What is " + number1.to_s + " minus " + number2.to_s + "?"
            answer = number1 - number2
      end
  
      answer_hash = Digest::SHA1.hexdigest("#{salt}:#{answer.to_s}")
  
      {:question => question, :answer_hash => answer_hash}
  end
    
  def verify_answer?(user_answer, answer_hash)
    salt = MATH_SALT
    user_hash = Digest::SHA1.hexdigest("#{salt}:#{user_answer.to_s}")
    
    if user_hash == answer_hash
      return true
    else
      return false
    end
  end
  

  I believe there's a plugin or gem which allows you to convert integers into words, so we could use that to make it harder to parse...

• 

  Matias Korhonen May 15th, 2009 @ 12:31 AM

  We're being too clever about this. Our site isn't some high volume site that's going to get lots of attempts to create new users. What we will get are random bots that try their luck...

  I think we should use negative captchas instead of bothering the user.

  See the Ruby on Rails Security Guide - 7.3 CAPTCHAs

  And Ned Batchelder’s blog post

  I propose that we use a combination of a couple of honey pots and a time stamp.

  If you can figure out an easy way of doing it, we could randomize the field names (there's a plugin called 'Negative Captcha', but you have to change a lot of things to use it).

• 

  Matias Korhonen May 16th, 2009 @ 02:46 PM

  Or we could solve this and #101 by sending a validation email... (at least for the registration page)

• 

  Joao Carlos August 20th, 2009 @ 08:14 PM

  • Assigned user changed from “Matias Korhonen” to “Joao Carlos”
• 

  Matias Korhonen September 3rd, 2009 @ 01:01 PM

  • Assigned user changed from “Joao Carlos” to “Matias Korhonen”
• 

  Matias Korhonen September 4th, 2009 @ 09:57 AM

  This will be resolved once we get rid of reCAPTCHA... (see #101 and #154)

• 

  Joao Carlos September 7th, 2009 @ 12:43 AM

  (from [e82a9d02f4246eef99918892e35a55e24f697fd7]) Removed ReCAPTCHA from the user registration [#101] [#116] http://github.com/jcxplorer/hhlc/commit/e82a9d02f4246eef99918892e35...

• 

  Matias Korhonen September 7th, 2009 @ 04:09 PM

  • State changed from “open” to “testing”
• 

  Matias Korhonen September 7th, 2009 @ 11:52 PM

  (from [20f122d979ae922cf7ff6a8e0510071eb651a8ab]) Removed ReCaptcha [#116][#154] http://github.com/k33l0r/hhlc/commit/20f122d979ae922cf7ff6a8e051007...

• 

  Matias Korhonen September 8th, 2009 @ 07:37 PM

  • State changed from “testing” to “resolved”