Google recaptcha remoteip explanation
Question
In the documentation of recaptcha it says that the remoteip argument is optional, but I don't understand its purpose, because even if I send a different IP than REMOTE_ADDR, the response from Google is still a valid captcha.
Recommended answer
It is already asked in Information Security and I will provide the accepted answer here, too. Because it is not clear that it is mainly a security issue:
Because there could be a DNS/hosts reroute in place to allow the captcha to be parsed differently by a malicious user
One possible scenario is farming cheap labour to manually solve captchas and then submit them back with the form. Since the recaptcha will only serve the image once, this is the lazy way to farm this out (redirect the requested image to elsewhere).
If the IP address which requests the image is different to the IP address that requests the page then this would indicate this style of attack.
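The comparison described in the answer only works if the server reports the address it actually saw for the page request. The following is an added example, not part of the original question or answer: it builds the reCAPTCHA `siteverify` POST with `remoteip` taken from `REMOTE_ADDR`. The `trusted_proxies` parameter and the `X-Forwarded-For` handling are assumptions for a site that sits behind its own reverse proxy.

```python
import ipaddress
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def client_ip(environ, trusted_proxies=()):
    """Return the address to report as remoteip.

    REMOTE_ADDR is the TCP peer and cannot be chosen by the client.
    X-Forwarded-For is consulted only when the peer is one of our own
    proxies (assumption: each proxy appends the address it saw).
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if forwarded and any(peer in n for n in nets):
        # Walk right to left, skipping hops that are our own proxies.
        for hop in reversed([h.strip() for h in forwarded.split(",")]):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed header: fall back to the TCP peer
            if not any(addr in n for n in nets):
                return str(addr)
    return str(peer)


def build_siteverify_request(secret, token, environ, trusted_proxies=()):
    """Build (but do not send) the verification POST, including remoteip."""
    body = urllib.parse.urlencode({
        "secret": secret,
        "response": token,
        "remoteip": client_ip(environ, trusted_proxies),
    }).encode()
    return urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")


def captcha_passed(response_body):
    """Fail closed: only an explicit JSON success=true counts as a pass."""
    try:
        return json.loads(response_body).get("success") is True
    except (ValueError, TypeError, AttributeError):
        return False
```

Pass the returned request to `urllib.request.urlopen` and feed the response body to `captcha_passed`.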