Is email verification with a link a bad idea?


Question

In my registration process, the user registers, they get emailed a verification link, and if they click it, only then would their account be verified. But isn't this verification method too easy for the bots?

I think an email could be created by a bot, but for sure if the verification is just clicking a link, it could also be automated by a bot. I'm not sure since I haven't done this and don't care to test it just to know, but my question is isn't this verification method flawed?

I'm thinking about sending the verification code to the user as text which they would have to copy/paste manually into a form AND the form is captcha protected. Is this a better idea? Any flaws with it?

Answer

Most of the suggestions are about verifying emails and using CAPTCHAs which of course you should do, but keep in mind that none of these methods is completely bulletproof.

Email verification

A bot can easily "click" on links in any email. Copying and pasting something would be slightly more annoying for the bot author but not much. Generally email verification is just that - email verification.

You verify if the email is likely to be controlled by whoever tries to register, but of course since email is usually sent in cleartext over untrusted TCP and relies on insecure DNS, then until we're all using DNSSEC and encrypt all traffic it will be easy to sniff emails and spoof servers and clients. The important thing to realize is that using email verification you get only a certain degree of confidence that whoever or whatever you are talking to is really a user of that email address.

Answering a question that only a human should know the answer to would be still more annoying, but considering that you probably wouldn't have an infinite number of questions, the bot author might redirect unknown questions to a real human and use cached answers if any question repeats more than once. Answering a question like "what is 12+8", like I've seen in some websites lately as a Turing test, is completely counterproductive since this question is actually easier for bots than for humans. Probably the most popular Turing test for that are CAPTCHAs, but here you also have to realize that they can be fooled.

First of all, people are showing methods of circumventing CAPTCHAs, for example see the Decoding reCAPTCHA talk from DEFCON 18. Many CAPTCHAs are much easier for robots to decipher since they are generated by algorithms that are trivial to reverse. The reCAPTCHA distortions are also pretty simple, but the words that they use are real scanned words that were hard for OCRs, so in principle it should be much harder for bots, but it is not always the case.

And there is also the possibility of displaying the captchas that you want to guess on other websites and having people answer them for you. Also there is a black market of people actually solving captchas, so if your bot author doesn't mind paying something like two cents for a dozen, then no matter how hard it is for humans, actual humans will solve it anyway.

The bottom line is that using any of the bot-stopping techniques will always be a compromise between how much time, effort and money a bot owner (a spammer or anyone else who wants to register a lot of users in your system) would be willing to spend to do it, and how much inconvenience you are going to tolerate for your users, because ultimately you will never be able to do any automated test to tell humans and bots apart without actually annoying humans and alienating people with disabilities (has anyone ever tried to guess the audio version of reCAPTCHA?), and still your bots may actually be human-powered, so not really bots but cyborgs, so to speak.

It's an arms race for which your honest users are paying a price. Please keep all of that in mind.
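As an added illustration (not code from the question or the answer) of what a verification link can and cannot establish: a Python handler that makes the emailed token random, single-use and time-limited, and stores only its hash, while still proving nothing beyond control of the mailbox at the moment of the click, as the answer says. The class name, the in-memory store and the 24-hour lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingVerification:
    """Constructed in-memory record standing in for a database row."""
    email: str
    token_hash: str      # only the hash is stored; a leaked table does not leak usable links
    expires_at: float
    used: bool = False


class EmailVerifier:
    """Hypothetical verification-link handler (not from the page)."""
    TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of a link

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending: dict[str, PendingVerification] = {}

    def issue(self, email: str) -> tuple[str, str]:
        """Create a single-use token for `email`.
        Returns (verification_id, token); both go into the emailed link,
        e.g. /verify?id=<vid>&token=<token>, and the token is never stored in clear."""
        vid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self._pending[vid] = PendingVerification(
            email=email,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self._clock() + self.TOKEN_TTL_SECONDS,
        )
        return vid, token

    def verify(self, vid: str, token: str) -> bool:
        """Consume the token: succeeds once, before expiry, only for a matching token.
        Success means whoever clicked could read that mailbox just now, nothing more."""
        rec = self._pending.get(vid)
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, rec.token_hash):  # constant-time compare
            return False
        rec.used = True   # a replayed or forwarded link cannot verify twice
        return True
```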
