How Does the Visual Code work?
victor | 23 January, 2006 11:39
Another interesting question I received was about how the Visual Code protection works. I will try to explain it here briefly for the curious researcher.
Generate a Unique ID
The first step is to generate a unique ID that serves as the basis for everything generated afterwards. This ID must be tied to a timestamp and is valid only for a relatively short period. In my blog's case, the ID is valid for one hour. In other words, yes, you can spam my blog using the same ID for one hour before it becomes invalid, but I can live with that to avoid needing a database to make sure that each ID is used only once.
Generate a Secure Code from the ID
Once the ID is ready, two things happen:
1- The ID is written into a hidden field (inside the form) and will get submitted with the form data.
2- The ID is passed to the Visual Code generation formula, which generates a code from it (explained below) and displays an image based on that code.
How To Generate the Code
In my case, I am using a hash to generate the code.
The hash is generated as follows:
md5(PASSWORD_PART1 + ID + PASSWORD_PART2)
The password is very long and weird (e.g. 238s8df823847___ASdflaskdfj__ASDFjalskdjfASDF93498sarf), so feel free to try to guess it ;)
The password is split somewhere NOT in the middle, the two parts are concatenated around the generated ID, and the result is hashed to produce a 32-character hexadecimal MD5 hash.
A 6-character substring is taken from the hash and given to the visual code generation routine, which produces a PNG image from it. This code was taken from the phpBB forum library. What I liked about it is that it randomly shifts the text left and right, making it harder for visual-code-guessing scripts to read the value.
Form is Ready
The form is now ready and includes the hidden ID as well as the generated image. The visual code itself is not stored anywhere in the form, so to guess it a script must either read the image or reverse the hash. Reversing the hash requires either guessing the password (a very long string in this case) or trillions of years of random guessing (barring luck). If luck is involved and a tool guesses the code, I wouldn't mind posting a comment for the lucky intruder ;) Nothing serious is being damaged here anyway!
Form is Submitted: Revalidate the Code
Once the form is submitted, the form data is sent along with the hidden ID and the Visual Code entered by the user.
The ID is taken and validated against the timestamp generation formula to make sure it was generated recently. Then the Visual Code is recalculated (same steps as above) and compared to the code the user entered.
If the two codes match, welcome to heaven, and your comment will appear. If they don't match, see you later, and sorry for wasting your and my time.
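The whole round trip, as an added example (not the blog's own PHP code): the ID is the issue timestamp, the secret and its split point are placeholders, and the substring is assumed to be cut from the start of the hash, since the post does not say where.

```python
import hashlib
import hmac
import time

# Placeholder secret: the blog's real password is not on the page.
PASSWORD = "EXAMPLE-ONLY-SECRET-replace-with-a-long-random-string"
SPLIT_AT = 7                       # split "NOT in the middle", as the post says
PART1, PART2 = PASSWORD[:SPLIT_AT], PASSWORD[SPLIT_AT:]
VALID_FOR = 3600                   # the ID stays valid for one hour
CODE_LEN = 6                       # 6 characters of the hash go into the image
CODE_OFFSET = 0                    # assumed: the post does not say where the cut is


def generate_id(now: int) -> str:
    """The ID placed in the hidden form field (assumed to be the issue timestamp)."""
    return str(int(now))


def code_from_id(form_id: str) -> str:
    """md5(PART1 + ID + PART2), then the hex substring rendered into the image."""
    digest = hashlib.md5((PART1 + form_id + PART2).encode("ascii")).hexdigest()
    return digest[CODE_OFFSET:CODE_OFFSET + CODE_LEN]


def id_is_recent(form_id: str, now: int) -> bool:
    """Revalidate the hidden ID: it must parse and be at most VALID_FOR seconds old."""
    if not form_id.isdigit():
        return False
    age = int(now) - int(form_id)
    return 0 <= age <= VALID_FOR


def validate_submission(form_id: str, user_code: str, now: int) -> bool:
    """Server side: recompute the code from the submitted ID and compare.

    No per-ID state is kept, so (as the post admits) a valid ID/code pair can be
    replayed until the ID expires. compare_digest is a constant-time comparison,
    added here rather than taken from the post.
    """
    if not id_is_recent(form_id, now):
        return False
    expected = code_from_id(form_id)
    return hmac.compare_digest(expected, user_code.strip().lower())


if __name__ == "__main__":
    issued = int(time.time())
    fid = generate_id(issued)
    print("hidden id:", fid, "code shown in image:", code_from_id(fid))
    print("accepted:", validate_submission(fid, code_from_id(fid), issued + 60))
```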
Is This Really Secure and Bullet Proof?
For a personal blog, where spammers just want to post a few comments for SEO, I think this is more than enough security.
If my blog were a more security-critical system, this simple visual code would be only one of many countermeasures.
A rule of thumb in security is: why would you protect a 100 USD item with a 10,000 USD countermeasure? If the countermeasure were broken, you would have lost more than if the 100 USD item had been stolen ;)