@mcm: apart from explaining to a user how to set his browser to provide client auth with ssl, I don't think that pythonanywhere lets you use client-side ssl auth.

@joe: talking about "annoy", a 24 hour stop would surely make me angry. The problem here is to stop bots; with this you have to manually unregister them anyway.

@villas: js execution lets you execute some server-side code that needs to be executed by the client too. Let the bots figure out that they need to reverse a string and send only the half of it deciphering your js function.... just loading a js environment they lose roughly 70% of processing power.

I think that honeypot + timestamp + js execution are transparent to the end user and keep the vast majority of bots out. Every captcha solution needs to trim out a large percentage of unwanted behaviours. A 100% proof solution only comes with high-grade security, but let's face it, web2pyslices.com doesn't need to be a banking site.

On Sunday, June 16, 2013 12:07:41 PM UTC+2, Michele Comitini wrote:
>
> As an alternative method there is a very robust solution: client auth
> using an x509 client certificate. As a user, installing the certificate is
> simpler than answering questions or reading weird captchas and he can
> forget about it, the browser does all the auth by itself using the SSL/TLS
> protocol, but it all depends on usage scenarios. You need a PKI that
> generates a pkcs12 certificate+private key archive and let the user install
> it on his browser. For my needs I have written a simple PKI here for
> web2py:
>
> https://code.google.com/p/simpatica/
>
> The code is really simple. The advantage is that certificate generation
> can be automated during the registration process of any web2py app. There are
> other and better PKI implementations around, much more complex to manage,
> but it depends on how much security and features you need. To avoid
> browser complaints about insecure certificates, just use your server
> private key that you use in your PKI to request a cheap or free server
> certificate (startssl.com is a good one), install it on your web server
> along with the private key and you are done. Web2py supports x509 auth out
> of the box with rocket, but you can use most ssl enabled servers: apache,
> nginx, cherokee and many others.
>
> mic
>
> 2013/6/16 Joe Barnhart <[email protected]>
>
>> At least one site I use regularly implemented a 24-hour posting delay.
>> Sign up today and your posting ability starts tomorrow. It was a little
>> annoying to newbies but it really zeroed the spam!
>>
>> -- Joe
>>
>> On Saturday, June 15, 2013 12:40:50 PM UTC+8, rochacbruno wrote:
>>>
>>> Hi,
>>>
>>> recently we are having too many spams posted on web2pyslices.com
>>>
>>> I am deleting one by one, but started to be difficult to track this.
>>>
>>> We need to implement a captcha system or any other kind of spam blocking.
>>>
>>> Is there any volunteer to do this for user registration form and also
>>> for article post form?
>>>
>>> I am in a rush between work and medical treatments, I tried but I really
>>> have no time now to develop this.
>>>
>>> If anybody can take this, please email me and I give you access to the
>>> development version of the code on pythonanywhere.
>>>
>>> Thanks.
>>>
>>> []'s
>>>
>>> ---
>>>
>>> Bruno Rocha
>>> http://github.com/rochacbruno
>>> http://rochacbruno.com.br
>>> http://terraqueos.org
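
The honeypot + timestamp + js execution combination named in the reply at the top of this message, sketched as server-side checks. This is an added example, not code from the thread or from web2pyslices; the field names (website, ts, nonce, sig, js_answer) and the time thresholds are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-process key (assumption); persist it in a real app
MIN_FILL_SECONDS = 3              # assumed: a human needs at least this long to fill the form
MAX_AGE_SECONDS = 3600            # assumed form lifetime

def _eq(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(a.encode(), b.encode())

def _sign(issued_at, nonce):
    msg = f"{issued_at}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_form(now=None):
    """Hidden-field values to embed when rendering the form."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"ts": str(issued_at), "nonce": nonce, "sig": _sign(issued_at, nonce)}

def expected_answer(nonce):
    """What the page's JS must compute: reverse the string, send only half of it."""
    return nonce[::-1][: len(nonce) // 2]

def check_submission(form, now=None):
    """Return (accepted, reason) for a posted form, given as a dict of strings."""
    now = time.time() if now is None else now
    if form.get("website", ""):  # honeypot: hidden with CSS, so humans leave it empty
        return False, "honeypot filled"
    try:
        issued_at = int(form.get("ts", ""))
    except ValueError:
        return False, "bad timestamp"
    nonce = form.get("nonce", "")
    if not _eq(_sign(issued_at, nonce), form.get("sig", "")):
        return False, "tampered token"  # ts or nonce was altered after issue
    age = now - issued_at
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_AGE_SECONDS:
        return False, "form expired"
    if not _eq(expected_answer(nonce), form.get("js_answer", "")):
        return False, "js challenge failed"  # client did not run the script
    return True, "ok"
```

The signed token is stateless, so a valid one can be replayed until it expires; record used nonces server-side if that matters for the form.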

