Comments on: CAPTCHA in Flex – Running Example

By: Andrei Ionescu

Andrei Ionescu — Sat, 28 Aug 2010 15:54:38 +0000

Hello Nick!
First of all…

These articles are only to show how you could implement this graphically.

Second… please read James Watkins comment a bit above and my answer to it if you didn’t already read it. Third… I understand that you are an exceptional programmer and I agree that it is not totally secure and/or spam free but I would be grateful to you if you could come with ideas to make it better considering your expertise. Thanks for comment.

By: Nick

Nick — Sat, 28 Aug 2010 00:34:10 +0000

Andrei, I can setup an HTTP + HTTPS proxy that sits between the Flash app running in my browser and your server, which receives the request from the app. I can watch exactly what is transmitted over the wire from Flash to your server. I can then write a bot in Perl, completely bypassing Flash to submit information to your server as much as I want.

Your notion of Flash being more secure is true for the trivial script kiddies… but is of absolutely no protection for someone who really wants to take advantage of your service.

By: Andrei Ionescu

Andrei Ionescu — Mon, 18 Jan 2010 09:05:31 +0000

Hello James. I agree with what you said. And more… Making automate submit “engines” on flash animation is quite hard and expensive to create. From this point of view flash it is by itself a bit more “secure” related to spam. It is harder to auto-submit a form made with using Flash than made using HTML. And if we add HTTPS things get even better. The article is not about securing your application but about how to make the form in a way that the spammers get reluctant to try spam through that form. Thanks for pointing this out.

By: James Watkins

James Watkins — Mon, 18 Jan 2010 06:48:57 +0000

You keep using the word “security” in the replies you’ve made. But I’m not sure if you’re using it in the right context. Let’s make something perfectly clear here: A captcha provides no security for the end user. HTTPS is a protocol that protects against eavesdropping and man-in-the-middle attacks. Captchas are for companies that want to reduce spam. These are two completely different things.

People who create or use bots that literally fill out forms and submit them are amateurs. Real power lies in hijacking the actual http requests, which is not a difficult thing to do. This is what PHP Guy meant about “hiding behind obscurity.” HTTP Requests are not hidden from tech savvy users. Not in the same way that a Bank vault’s software is hidden. On the contrary, HTTP Requests are easily accessed by simple plugins available for major web browsers. Any HTML developer is going to have a copy of that software for debugging purposes.

I know that you’re just illustrating how a captcha could be generated in flex. But the fact is simple: There is no protection against spam with a locally-generated turing test. Sure, it’s a deterrent: a hacker might see the captcha and THINK that it’s server-generated, but if they ever found out that it wasn’t, then you’d be in trouble.

Don’t you remember what happened to Twitter?
http://www.mediaite.com/online/twitter-password-breach-next-time-use-the-name-of-your-first-pet/
The moment you think nobody will find out, someone does and it’s all downhill from there.

By: handoyo

handoyo — Mon, 06 Jul 2009 08:24:41 +0000

Thanks a lot for the code you’ve provide..Keep up the nice work…

By: Andrei Ionescu

Andrei Ionescu — Sun, 07 Jun 2009 23:44:13 +0000

Hello PHP Guy, and thanks for comment. There is nothing about obscurity. It is about not knowing the insides of the application which should not be let known. In security field the first premise for a good security is not to let important internal things obvious to bad intended persons. Banks do that, companies keep secrets and there are other examples.

As you can read in a comment above…

These articles are only to show how you could implement this graphically.

So if you are concerned about securing your flex application with a CAPTCHA you could use this graphical approach and build your own server side. But for a good security you should use https protocol, and I’m sure you already know that, and I’m sure you know other ways to secure your application.

By: PHP Guy

PHP Guy — Sun, 07 Jun 2009 18:04:10 +0000

“In case of Flex/Flash to be able to submit to a web service (web service that is not easily visible) you need either to use a script that graphically recognizes inputs in flash player either to know, from inside, the web service and how to use it (which can be secured easily).”

This is just relying on security through obscurity which is a horrible idea.

By: Bharani Mani

Bharani Mani — Fri, 15 May 2009 08:56:51 +0000

Hello,
you can actually generate server side captcha. Just take the code in the function that generates captcha text and put it in php file. Save the generated captcha from php file in a database. The flex can get the captcha text through httpservice. By this way you can do captcha validation server side.

Thanks,
Bharani

By: Andrei Ionescu

Andrei Ionescu — Sun, 03 May 2009 14:59:35 +0000

Jason, I agree with what you said. This class is only for the client-side, only visual part. But a true CAPTCHA is integrated with the server-side which is not the point of these articles.

You can take this generator and use it to secure what you need by linking it with your submission process.

Regarding the Fiddler issue… you can use Fiddler or any other spying tool on any kind of connection to catch data. You need to encrypt the Captcha code with a sort of algorithm so even somebody uses Fiddler and gets data it will not be able to decrypt it.

I would extend the Captcha class to call a service and get the captcha code from the server and the display it not generating it on the client.

Other approach is to use https connection on you project so you won’t need CAPTCHA. But some people even so the connection is secured need to see that CAPTCHA to feel safe even though they are already safe without it. And by the way flash is better that html because there are not many robots to make automatic submissions.

These articles are only to show how you could implement this graphically.

Hope this clears out the mist.

By: Jason Benson

Jason Benson — Sun, 03 May 2009 05:53:14 +0000

Couldn’t the spammer easily use fiddler to find the service that Flex is submitting to. Without *some* level of server side validation you could be pretty open.

(I like it script but I’m not sure if it solves the issue. If you’re submitting to a webservice then won’t that service be discoverable by a determined spammer [and these days aren't they all determined]?)