[ZendTo] Re: Question on Captcha use
Jules
Jules at Zend.To
Tue Feb 21 13:34:20 GMT 2012
Tim,
On 17/02/2012 18:15, Clements, Timothy wrote:
>
> Hi, Jules,
>
> I'm really impressed with this product and the ease of use. I do have
> one question, however, which may be related to the level of security
> required.
>
> I have Captcha set up and I understand why you would use it for
> someone outside the organization who wants to initiate the sending of
> a file. However, when it is a matter of someone within the
> organization initializing a drop off or pick up, I would think the
> email with the coded link would ensure against bot attacks, and it
> would not be necessary to have someone complete the Captcha challenge
> in those cases. Can you address that briefly, or alternatively, would
> you consider making use of Captcha in those cases optional?
>
In the "download" process, you can disable the captcha by setting
    'humanDownloads' => false,
in preferences.php.
The reason for it being there is that if the email containing the link
gets into the wild, anyone anywhere (and include malware robots in there
too!) can download the file as many times as they like. My own ZendTo
deployment here has already had at least 1 Distributed Denial-of-Service
(DDoS) attack that was done by exploiting this loophole. Hence the
"humanDownloads" setting to stop it. Feel free to disable it, but don't
complain if you get DDoS-ed! :-)
>
> Thanks again for a well-designed product.
>
I'm glad you like it. Sorry I have taken so long to respond to your
email, things have been very busy and tiring here and I haven't had the
time to quite keep up with all my email.
Cheers,
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Housman