
How to increase confidence that a button was pressed by a live user on the site, and get rid of the captcha?

Everyone knows the captcha. Everyone also knows that it is a big problem for programmers and users alike. Nobody likes it! It should be used only when really necessary!

In this article I want to analyse the problem and its possible solutions, and to describe one programmer's method that I have been using successfully in my projects for many years. I have also tried to make the article interesting to a wide range of specialists.

The last method proposed is controversial, but judge for yourself!

Variable field method


We have a simple form with a button of type "submit".
This is the simplest, canonical option. We fill in the form, press the submit button, and the form fields are sent by some method to a script for processing.

The spammer does not bother filling in the fields at all; it calls the processing script directly with the required parameters. In this case it is hard to tell whether a person pressed the button or the script was called directly.

Possible countermeasures

The field names in the form must carry no semantic meaning: no "name", "last-name", "tel", "mail" and so on. Robotic spam scripts are guided by exactly these names. In my experience of watching spam robots, they fill in the fields they know how to fill in, and the fields they cannot understand they either leave empty or stuff with their trump phrase "Antispam SUXXX". Over many years of testing, not a single robot has filled in the "ntspm" field of my test form. In other words, if you make a form with only one important field whose name is meaningless to a robot, for example "l__in_001" instead of "login", the robot will not be able to fill in that field. At least the probability of that is quite high.

You can go further and program your forms so that the field names change every day. For example, take an ordinary field name such as "telephone", append a "fingerprint" to it in the form of today's date, take the md5 hash of the result (md5 being the fastest hash), and use that string as the field name for that date.

All of this is programmed once, works all the time, and is a genuinely working method of getting rid of robots.

Honestly, putting myself in the spammer's place, I cannot find a simple and fast way to defeat this method. The only way is to work out by hand, every day, which field names are currently valid and change the robot's code accordingly.
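The daily name rotation described above, as an added example that is not the article's own code. It derives a per-day name from md5(name + date) for form fields and, with the same function, for the backend script name mentioned in the "Ajax button" method below (e.g. `daily_name("submit", day) + ".php"`). Two things here are my additions, not from the article: a server-side secret mixed into the hash (without it anyone who knows the scheme can recompute the names), and a one-day grace period so a form rendered just before midnight still validates.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical server-side secret (not in the article): without it anyone who knows the
# scheme can recompute the daily names, so the rotation would only stop naive robots.
SECRET = "replace-with-a-long-random-value"


def daily_name(base: str, day: str, secret: str = SECRET) -> str:
    """Name of a field (or backend script) valid on one day: md5 over base, date and secret."""
    digest = hashlib.md5(f"{base}|{day}|{secret}".encode()).hexdigest()
    return "f_" + digest[:16]  # prefix keeps it a valid HTML name / file name


def field_map(fields, day: str, secret: str = SECRET) -> dict:
    """Logical name -> today's obfuscated name, used when rendering the form."""
    return {logical: daily_name(logical, day, secret) for logical in fields}


def decode_submission(post: dict, fields, day: str, secret: str = SECRET, grace_days: int = 1):
    """Map posted names back to logical ones.

    Names for `day` and up to `grace_days` earlier days are accepted (form rendered before
    midnight, submitted after). Returns (values, unexpected_keys).
    """
    today = date.fromisoformat(day)
    lookup = {}
    for back in range(grace_days + 1):
        d = (today - timedelta(days=back)).isoformat()
        for logical in fields:
            lookup[daily_name(logical, d, secret)] = logical
    values, unexpected = {}, []
    for key, value in post.items():
        if key in lookup:
            values.setdefault(lookup[key], value)
        else:
            unexpected.append(key)  # semantic or stale name: typical of a robot
    return values, unexpected


def looks_like_robot(post: dict, fields, day: str, secret: str = SECRET) -> bool:
    """Reject a submission that misses a current name or posts a stale/semantic one."""
    values, unexpected = decode_submission(post, fields, day, secret)
    missing = [f for f in fields if f not in values]
    return bool(missing or unexpected)
```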

Ajax Button Method


A simple form. Everything is as in the "variable fields" method, but the form is processed via Ajax. The button that used to be of type "submit" is now of type "button". Clicking it triggers a JavaScript script that sends the whole form, or individual fields of it, to the server.

What is the essence of the protection? Robots do not know how to download and execute JavaScript. Robots are server-side animals, and JavaScript scripts are client-side animals. Here the technologies diverge: our beasts live in different cages. On my article site this method has not had a single failure. It worked perfectly and still works. But there is a nuance.

If the site is hugely popular, or built on a popular engine, spamming it becomes a very simple and well-understood job for a spammer. He only has to post one comment on the site of interest by hand and see in the debugger which backend is called and which parameters are passed to it. Then he changes the scripts of his robots, and that's it! The backend is called with exactly the parameters the Ajax call would have used. As a result, we again have no confidence that the button was clicked on the site by a live user.

But the "Ajax button" method can be combined with the "variable fields" method, which definitely raises the protection to quite adequate levels.

The "Ajax button" method can be strengthened further. We can call our backend under a new name every time: change the name of the backend every day, just as changing the field names was suggested above. Changing the backend name is probably even easier. Imagine that in order to spam you, someone would have to change their script by hand every day. No, I don't think anyone will do that.

We can also forbid calling the backend directly. This is a weak defence, but sometimes it works. I personally did it using the session mechanism.

A method that I would call "allow me to enter"


This is the method that seems controversial to me. I use it for a certain refinement and aesthetic strangeness and singularity (my personal opinion). What is its essence?

Before going into it, I want to digress a little.

Digression 1

Suppose we have a hidden input on the form. Before sending the form to the server, we fill this input with something, and by the presence of this "something" we judge whether we had a robot or a human. The proposed move is a modification of the "Ajax button" method: the point is to use a client-side script that is not available to the robot. But we are immediately forced to notice that the method works well only if the contents of this field are always different. Isn't that exactly how an ordinary captcha works?

Digression 2

My previous article, about methods of protecting a site on shared hosting, received a lot of comments. The leitmotif of some of them was that fighting break-ins is pointless, because you will always be hacked if someone really needs it. I agree with this conclusion, but I do not agree that it is therefore unnecessary to fight! Exactly the same keynote is present on car alarm forums, where the situation is very similar. The essence of the vulnerability is this: you press the button on the key fob, your code is intercepted by a receiver in a nearby car with tinted windows, swallowed, the security code is replaced, and your car is armed with someone else's code! That's it! Your alarm is worthless! Then our colleagues in the car alarm field came up with the following solution. What if the key fob sends the car not the command "Arm with code such-and-such", but the question "Can you arm with code such-and-such?", and if the answer is positive the alarm replies "I am arming with this code and sending it back for verification"? The key fob compares the code it sent with the code sent back, and if they match, the car is armed with your code and not someone else's. Problem solved. If they do not match, the request simply has to be repeated. The car owner does not even notice.

Can a similar method solve the captcha question?

I tried!

Integrated algorithm of the form


Are there weak points? Yes, there are. A spammer can write a program that first requests a code and then substitutes that code into its package. But this would be an individual robot for your particular website, and something tells me that for a simple website, for an online store, and even for a decent online store, nobody will write such a program specifically. Tough luck! And if we combine this method with the amplifiers from the previous methods, we can bring the degree of robot recognition to a very high percentage. I am afraid of plucking a number out of thin air, but I would say 98.5 percent. Simply because the spammer faces so many problems that, honestly, it is easier to go to a living person and have them send everything by hand. Of course, in the case of a living person a captcha will not help either.
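The "allow me to enter" exchange from Digression 1 and 2, as an added example that is not the article's own code (the article does not show its algorithm). The page's script first asks the server for a one-time code, puts it into the hidden input, and submits; the server accepts the form only if the code was issued to that session, has not expired and matches, and it consumes the code so a captured one cannot be replayed. The session is modelled as a dict, and the 300-second lifetime and the field name `entry_code` are my assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300            # seconds a code stays valid (assumed; the article gives no number)
SESSION_KEY = "entry_code"  # where the issued code is kept in the server-side session


def issue_code(session: dict, now: float = None) -> str:
    """Step 1: the page's script asks "may I enter?" and the server answers with a fresh
    one-time code, remembered in this session together with its issue time."""
    code = secrets.token_urlsafe(24)
    session[SESSION_KEY] = (code, time.time() if now is None else now)
    return code


def verify_submission(session: dict, post: dict, now: float = None,
                      field: str = "entry_code") -> bool:
    """Step 2: the form arrives with the code in its hidden input.

    Accept only if a code was issued to this session, it has not expired and it matches.
    The stored code is removed before comparing, so it is single-use whether the
    attempt succeeds or fails (a wrong guess burns the code too)."""
    now = time.time() if now is None else now
    issued = session.pop(SESSION_KEY, None)
    if issued is None:              # form posted without asking for a code first
        return False
    code, issued_at = issued
    if now - issued_at > CODE_TTL:  # stale code, e.g. a form left open for too long
        return False
    # constant-time comparison, so timing does not leak how much of the code matched
    return hmac.compare_digest(code, str(post.get(field, "")))
```

A robot that calls the backend directly, as in the "Ajax button" weakness above, fails at the first check because its session holds no issued code.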

Summary


It seems to me that you can get rid of the captcha! By doing so you make your users' lives a little easier and at the same time increase your site's conversion.

For work I often use the Word Search service from Yandex. It now shows a captcha for every request. If this is a way of slowing the user down, along the lines of "Think again! Maybe you really don't need this info?", then it is understandable. But if it is really protection from robots, why not put up an ordinary "Continue" button and use one of the methods above with amplifiers?

Let's make the Internet a little more convenient!

Links


My spam collector. This site is not for people, and its design is meant to show that. In it (via the link "add announcement") the "allow me to enter" method is implemented without amplifiers. For many years there has been no spam. In fairness I must add that there was no spam on the "Ajax button" method without amplifiers either. And the robots that visit me are always the same, all of them without frills, which is a great pity.

Source: https://habr.com/ru/post/264131/
