
Flex A Little To Get Rid Of CAPTCHAs

The extra entries visitors have to make to prove they are human, the CAPTCHAs, are annoying enough, but they also don’t solve the problem they were intended to solve. Here’s a Flex way to get rid of them and make your visitor experience even better.

Andy Brice recently posted some good examples of bad CAPTCHAs, and the first comments were more technical (e.g., how to interpret the images) than insightful (e.g., are these really needed?). A relatively recent web impediment, these signal distrust to a visitor, in effect inviting them to go elsewhere.

CAPTCHA is a made-up acronym based on the word capture, and is short for Completely Automated Public Turing test to tell Computers and Humans Apart. Sometimes called a reverse Turing test, CAPTCHA’s original purpose was to block automatic web form submissions. These can occur after a programmatic examination of a web page finds a submit button, along with the form field names, in an HTML page. Unfortunately, requiring a visitor to enter something that, presumably, only a human can perceive does not stop a false submission, or even a denial of service attack, if the submit button or an equivalent POST action can be found.

Flex objects do not expose any such hot button or other invitation to attack. They can be used not only to eliminate the need for another entry by a visitor to prove themselves to the web site, but also to make the resulting action seamless within the larger content or message container, even if it is an HTML page.

Any scraper program can easily find tags in an HTML page, but it takes much more time and many more resources to deconstruct an SWF file. Even then, finding the actionable control is no small task, and requires far more analysis and pattern matching than looking for string matches. While Google is reputed to be able to read SWF files to look for keywords, the likelihood that even sophisticated hackers will do the same is somewhat remote. It will always be easier, quicker, and more profitable to scan text as HTML for vulnerabilities than to swim through nested byte codes in an attempt to extract meaning.

There are some simple and direct ways to make this even more secure. The first is to do the web service exchange in a secure context, such as SSL. The second is to validate the (famously misspelled) Referer header. And, not least, add a User-Agent value that carries an encrypted time stamp valid for, say, ten minutes.
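As an added example (not code from the post), a server-side gate for the last two measures: a Referer allow-list and a User-Agent value carrying a time stamp that expires after ten minutes. It swaps the post’s encrypted stamp for an HMAC-signed one so the server can detect a forged or altered stamp as well as a stale one; the secret, the allowed host and the timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse

# Constructed demo values: the real secret lives only on the server and in the
# deployed Flex client; the allowed host is whatever serves the SWF.
SECRET = b"constructed-demo-secret"
ALLOWED_HOSTS = ("example.com",)
WINDOW_SECONDS = 600          # the ten-minute lifetime suggested in the post
TOKEN_LEN = 8 + 32            # 64-bit timestamp + HMAC-SHA256 tag


def make_token(now: int, secret: bytes = SECRET) -> str:
    """Client side: User-Agent value = base64(timestamp || HMAC(secret, timestamp))."""
    ts = struct.pack(">Q", now)
    tag = hmac.new(secret, ts, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts + tag).decode()


def check_token(token: str, now: int, secret: bytes = SECRET,
                window: int = WINDOW_SECONDS) -> bool:
    """Server side: accept only an authentic stamp no older than `window` seconds."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return False                      # not base64 at all (e.g. a browser's real UA)
    if len(raw) != TOKEN_LEN:
        return False
    ts_bytes, tag = raw[:8], raw[8:]
    expected = hmac.new(secret, ts_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged, altered, or signed with another secret
    (ts,) = struct.unpack(">Q", ts_bytes)
    return 0 <= now - ts <= window        # reject stale and future-dated stamps


def check_referer(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only requests whose (misspelled) Referer names one of our own hosts."""
    host = urlparse(headers.get("Referer", "")).hostname
    return host is not None and host.lower() in allowed_hosts


def accept_submission(headers: dict, now: int) -> bool:
    """Combined gate for the web-service endpoint behind the Flex form."""
    return check_referer(headers) and check_token(headers.get("User-Agent", ""), now)
```

The time stamp only bounds replay to the window; it does not identify a visitor, so the SSL exchange the post mentions first is still what keeps the token from being read off the wire.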

Using Flex to cloak input that a visitor considers sensitive, like an email address, provides excellent online security at little cost. It also eliminates additional keystrokes that a visitor would have to enter. And, not least, it removes the implication that the visitor has to prove their humanity, and the bad connotations and results that go with that.
