[nfbcs] More About CFFormProtect

Steve Jacobson steve.jacobson at visi.com
Fri Mar 2 22:26:15 UTC 2012


Peter,

This information is pretty much what I read on their site several months ago.  I do not wish to engage 
in an argument about this product because frankly I think it is a good approach for many situations and 
it is the kind of out of the box thinking that might hold some promise for us.  What I am uneasy with is 
the claim that this product would solve all of our CAPTCHA problems if it were generalized.  There could 
be more beneath the surface of this product that is not being disclosed, though, and I am open to that.

To explain myself, this product really needs a form with a number of fields to be useful.  If one has a 
contact form where one can leave comments, for example, this product is going to work very well.  I 
believe that it might work in many cases where someone is filling out a form to apply for something like 
an e-mail address, for example.  It would be interesting to get someone like Google who gets lots of 
hits to experiment with logic like this to see how well it works.  Where I don't see it working well is 
where a captcha is the primary control on a page or when it is used in conjunction with a user-id and a 
password.  In cases like that, there isn't much in terms of keywords to be analyzed, and sighted persons 
are more likely to tab between user-id and password and press ENTER.  I believe that their web site also 
points out somewhere else in more detail that some effort must be made to not lock blind people out by 
rejecting a form that only uses keyboard interaction.  Fortunately, screen readers can move mouse 
pointers which means we could move the mouse if we had to.  This would be less convenient than using the 
TAB key but would be a whole lot better than dealing with a CAPTCHA.  Unfortunately, though, if screen 
readers can move the mouse pointer, so can spammers.  It isn't worth their time now, but it is almost a 
given that if this kind of protection were to become common, mouse movement would be part of their 
toolkit.  What has to be grudgingly accepted is that spammers and hackers are often smarter than most of 
us who have programmed computers and written software.  This is why this CAPTCHA business is so 
difficult to resolve.

Again, though, my point is not to tear down this product.  I think it is an example of an interesting 
approach and it also likely works well in many situations.  I also am not ignoring the possibility that 
if this product is attacked that it might be able to evolve in ways that are beyond my imagination and 
avoid some of the pitfalls I've listed above.  At this point, though, I just don't think it is realistic 
to suggest that this product will solve all situations where CAPTCHAs are used, and I also think that 
even when it does, it isn't going to work to tell someone that rather than putting up a CAPTCHA, just 
switch to ColdFusion.  However, it doesn't seem to me that there is any concept here that is uniquely 
tied to ColdFusion.  Suggesting that other platforms make something similar available seems realistic, 
and if you have any contacts with people who have developed this product, ask them how they feel they 
could do if they are trying to block automated entry of user-id and passwords.  Maybe they are ahead of 
me on that.  I don't claim to have all the answers.

Best regards,

Steve Jacobson
  
On Fri, 2 Mar 2012 15:22:40 -0600, Mary Donahue wrote:


>Good afternoon again everyone,
>
>       Below is more about CFFormProtect and how it works.
>
>From the Web Site:
>http://www.goziggy.com/2011/05/17/protecting-form-from-spam-with-cfformprotect/


>
>Protecting Forms with CFFormProtect
><http://www.goziggy.com/2011/05/17/protecting-form-from-spam-with-cfformprotect/>
>
>By Justin Scott <http://www.goziggy.com/author/admin/> on May 17, 2011
>
>One of the things that web developers have to deal with on a regular basis
>is abuse of the applications we write. Anything that is made available on
>the public Internet (and even private Intranets in some cases) will be
>subject to probing and attack. One "attack" vector that spammers like to use
>is automated form submissions.

>The idea is that if you have a contact form on a website, the information
>entered into that form will be forwarded to a human being for review and
>action. It may also end up getting pushed into a database and displayed
>somewhere else on the site. Since the spammers work on sheer numbers, they
>will do whatever they can to get their message in front of as many people as
>possible using any means necessary. With web forms, if their content ends up
>getting displayed on the website then it has the added benefit of providing
>them with additional "link juice
><http://thekeywordacademy.com/link-juice-explained> " pointing back to their
>website. More links mean a higher ranking, and higher rankings mean more
>visitors, and therefore more sales. It's a nasty game they play.

>Anyone who has been building websites with public forms for any amount of
>time knows that spam bots will come by and regularly submit garbage and spam
>into forms. The traditional response has been to put a CAPTCHA into the form
>and make people figure out the words or numbers that have been distorted in
>ways that make them visible to human eyes, but that OCR software may have
>trouble figuring out. These are annoying, unfriendly, and if poorly
>implemented can be a roadblock to people with visual impairments. Services
>such as reCAPTCHA <http://www.google.com/recaptcha>  have done a good job at
>making CAPTCHA more friendly and accessible, but still get in the way of the
>user. For most websites, using a CAPTCHA does not make the customer
>experience any better and is there for the sole purpose of protecting the
>website.

>A Better Way

>A while back, someone in the ColdFusion community (Jake Munson
><http://www.techfeed.net/blog/> ) got sick of dealing with CAPTCHA
>implementations and wrote CFFormProtect <http://cfformprotect.riaforge.org/>
>. This little gem consists of a ColdFusion component which can be called
>when a form is displayed, and then again when the form processing code is
>called. It essentially includes some JavaScript code on the form page, as
>well as a hidden form field. The JavaScript code tracks basic user behaviors
>such as use of the keyboard and mouse. When the form is submitted, it packs
>up this information, along with some other metrics, and sends it along with
>the submitted information.

>On the processing side, it inspects the metrics and assigns scores to each
>one. If it did not detect mouse movement, some points are added. If it
>didn't detect keyboard use, some points are added. If certain keywords are
>found, points are added. And so on. It can also talk to external spam
>services such as Akismet <http://akismet.com/>  and make a more detailed
>inspection if you want to go that route. In the end, if the points "earned"
>by the submission go over a certain amount, it's considered spam and you can
>take a different action on the input rather than the normal submission
>process.

>Collecting and analyzing data points and metrics like this is very effective
>and much more convenient for end users than a CAPTCHA could ever be. The
>best part is that CFFormProtect takes all of about five minutes to put in
>place on a ColdFusion website running on ColdFusion MX 6 or higher (we're at
>version 9 as of this writing, so pretty much everyone should be able to use
>it).

>Tools like this continue to make ColdFusion developers some of the most
>productive developers around, and help me "wow" my clients by solving an
>annoying problem for them without having to resort to putting a burden on
>the potential customers. Everybody wins, except the spammers, of course.

>Peter Donahue

>_______________________________________________
>nfbcs mailing list
>nfbcs at nfbnet.org
>http://nfbnet.org/mailman/listinfo/nfbcs_nfbnet.org
>To unsubscribe, change your list options or get your account info for nfbcs:
>http://nfbnet.org/mailman/options/nfbcs_nfbnet.org/steve.jacobson%40visi.com
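The point-scoring scheme the quoted article describes (JavaScript on the form page records mouse and keyboard use, the server adds points per suspicious signal, and a total over a threshold means spam) is sketched below as an added example. It is not CFFormProtect's code and is not part of this thread; the field names, weights, threshold, keyword list and sample submissions are all constructed for illustration. The weights are chosen so that the keyboard-only submission Steve describes (screen reader plus TAB, no mouse movement) scores below the threshold on its own, while a bot that fills the hidden field, submits instantly and stuffs the comment with links is caught.

```javascript
// Added illustration of metric-based form-spam scoring. Weights, field names,
// threshold and keyword list are assumptions, not CFFormProtect's real values.

const SPAM_THRESHOLD = 3;
const WEIGHTS = {
  noMouse: 1,    // kept low: keyboard-only humans must not be flagged by this alone
  noKeyboard: 1,
  tooFast: 2,    // submitted less than MIN_FILL_MS after the form was shown
  honeypot: 3,   // a hidden field that a human never sees was filled in
  keyword: 1,    // per matching keyword
  link: 1,       // per link beyond MAX_FREE_LINKS
};
const MIN_FILL_MS = 2000;
const MAX_FREE_LINKS = 1;
const KEYWORDS = ["casino", "viagra", "cheap pills"]; // constructed sample list

// Client side: fold the browser events the tracking script would observe into
// the compact metrics object that travels with the form in a hidden field.
function buildMetrics(events, shownAt, submittedAt) {
  return {
    mouseMoved: events.some((e) => e.type === "mousemove"),
    keyUsed: events.some((e) => e.type === "keydown"),
    elapsedMs: submittedAt - shownAt,
  };
}

// Server side: inspect the metrics and the visible fields, adding points per
// signal, and report the reasons so the decision can be audited.
function scoreSubmission(payload) {
  const reasons = [];
  let score = 0;
  const add = (points, why) => { score += points; reasons.push(why); };

  if (payload.honeypot) add(WEIGHTS.honeypot, "hidden field filled");
  if (!payload.metrics.mouseMoved) add(WEIGHTS.noMouse, "no mouse movement");
  if (!payload.metrics.keyUsed) add(WEIGHTS.noKeyboard, "no keyboard use");
  if (payload.metrics.elapsedMs < MIN_FILL_MS) add(WEIGHTS.tooFast, "submitted too quickly");

  const text = `${payload.name} ${payload.comment}`.toLowerCase();
  for (const kw of KEYWORDS) {
    if (text.includes(kw)) add(WEIGHTS.keyword, `keyword: ${kw}`);
  }
  const links = (text.match(/https?:\/\//g) || []).length;
  if (links > MAX_FREE_LINKS) add(WEIGHTS.link * (links - MAX_FREE_LINKS), `${links} links`);

  return { score, isSpam: score >= SPAM_THRESHOLD, reasons };
}

// Constructed sample submissions: a mouse user, a keyboard-only screen reader
// user, and an automated submission.
const SHOWN_AT = 1000000;
const SAMPLES = {
  human: {
    name: "Ann", comment: "Could you quote me for three widgets?", honeypot: "",
    metrics: buildMetrics(
      [{ type: "mousemove" }, { type: "keydown" }, { type: "mousemove" }],
      SHOWN_AT, SHOWN_AT + 18000),
  },
  keyboardOnly: {
    name: "Bob", comment: "I use a screen reader; please send the brochure.", honeypot: "",
    metrics: buildMetrics([{ type: "keydown" }, { type: "keydown" }], SHOWN_AT, SHOWN_AT + 25000),
  },
  bot: {
    name: "casino",
    comment: "cheap pills http://a.example http://b.example http://c.example",
    honeypot: "x",
    metrics: buildMetrics([], SHOWN_AT, SHOWN_AT + 300),
  },
};

for (const [label, payload] of Object.entries(SAMPLES)) {
  const verdict = scoreSubmission(payload);
  console.log(label, verdict.score, verdict.isSpam ? "spam" : "ok", verdict.reasons.join("; "));
}
```

The keyboard-only submission earns a single point for the missing mouse movement and passes; the bot accumulates points from the honeypot, the absent input events, the timing, the keywords and the link count. Steve's caveat still stands: an attacker who synthesises mouse and keyboard events removes two signals, so in practice the honeypot, timing and content checks have to carry the decision.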