rails - Choosing captcha plugin


Question

There are a lot of captcha plugins for Rails, and also many types of solutions for preventing spamming and flooding. So it isn't only a Rails question.

Let's see what types of plugins we have:

1. Classic image captcha (zendesk's Captcha, Simple_captcha, Validates_captcha, winton's Captcha, Raptcha).

Positives:

  • Can effectively prevent automatic decryption (not sure about Simple_captcha, but zendesk's and winton's captchas don't seem to achieve this, because they use pre-generated images (not generated on demand), so a spam bot could probably learn on those images).

Negatives:

  • Requires a DB table (at least Simple Captcha does. Not bad, but does it clean up after use?).
  • Requires RMagick or something similar (not really a problem for me, as I already have it on the site).
  • Fails against manual decryption (as far as I know, $2 per 1000 images).
  • Annoys users and may hurt conversion.

2. ReCaptcha (Recaptcha, Rack-recaptcha).

Positives:

  • Effectively prevents automatic decryption.
  • Doesn't require RMagick or DB tables.

Negatives:

  • Makes API calls to a third-party site.
  • Fails against manual decryption.
  • Even more annoying than the previous one.

3. Honey pots (Negative-captcha, Trap_door, Reverse_captcha, Honeypot-captcha, Bouncy_bots, invisible_captcha).

Positives:

  • Users don't notice the captcha at all.
  • Doesn't require RMagick or DB tables.

Negatives:

  • Possibly fails against automatic decryption (are there any bots that recognize these plugins?).
  • Fails against manual decryption.

4. Text-based (Humanizer, Brain_buster, Gotcha).

Positives:

  • Doesn't require RMagick or DB tables (except Brain_buster).

Negatives:

  • Possibly fails against automatic decryption.
  • Fails against manual decryption.
  • A bit annoying (can be localized).

5. Other (Acts_as_snook)

Positives:

  • Users don't notice the captcha at all.
  • Doesn't require RMagick or DB tables.

Negatives:

Don't know if there are any, because it's very unusual. But I think it may cause problems in case of flooding, as it can require post moderation at times.

6. Akismet-like solutions (don't know their efficiency).

Positives:

  • Users don't notice the captcha at all.
  • Doesn't require RMagick or DB tables.

Negatives:

  • Makes API calls to a third-party site.
  • Sends the user's details to a third-party site (very bad).

I also should say a few words about my site. Users can see the protected form only after an ajax request (after putting something in the cart, for example). Do modern bots have the ability to do ajax requests and store cookies?
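The honeypot-plus-timing check that the question's third category (Negative-captcha, invisible_captcha and friends) relies on, as an added example in plain Ruby. This is not part of the original post and not the code of any of the gems listed; it only shows the mechanism. The hidden field name url_confirm, the secret, the 4-second minimum fill time and the sample submissions are all constructed for illustration.

```ruby
require "openssl"

# Constructed values for the example; in a real app the secret comes from the
# application's credentials and the field name is whatever the form renders.
HONEYPOT_SECRET  = "example-secret-not-for-production"
HONEYPOT_FIELD   = "url_confirm"   # hypothetical hidden field; hidden via CSS, humans never fill it
MIN_FILL_SECONDS = 4               # a submission faster than this is treated as automated

# Hidden fields the form renders: the empty honeypot plus a server-signed
# render timestamp, so a bot cannot backdate the form to look slow.
def honeypot_fields(now = Time.now.to_i)
  ts  = now.to_s
  sig = OpenSSL::HMAC.hexdigest("SHA256", HONEYPOT_SECRET, ts)
  { HONEYPOT_FIELD => "", "form_ts" => ts, "form_sig" => sig }
end

# Constant-time comparison so the signature check does not leak how many
# leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_timestamp?(ts, sig)
  return false if ts.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", HONEYPOT_SECRET, ts.to_s)
  secure_equal?(sig.to_s, expected)
end

# Returns nil when the submission passes, or a symbol naming the first check it failed.
def honeypot_verdict(params, now = Time.now.to_i)
  return :honeypot_filled unless params[HONEYPOT_FIELD].to_s.empty?
  return :bad_signature   unless valid_timestamp?(params["form_ts"], params["form_sig"])
  return :too_fast        if now - params["form_ts"].to_i < MIN_FILL_SECONDS
  nil
end

if __FILE__ == $PROGRAM_NAME
  rendered = honeypot_fields(1_700_000_000)   # constructed render time
  # Constructed submissions: a human, a form-filler that fills every input,
  # a bot that skips the honeypot but posts instantly, and a bot forging the timestamp.
  {
    human:     [rendered.merge("comment" => "nice shoes"), 1_700_000_030],
    fills_all: [rendered.merge("comment" => "buy now", HONEYPOT_FIELD => "http://spam.example"), 1_700_000_030],
    instant:   [rendered.merge("comment" => "buy now"), 1_700_000_001],
    forged_ts: [rendered.merge("comment" => "buy now", "form_ts" => "1000"), 1_700_000_030],
  }.each { |name, (params, at)| puts "#{name}: #{honeypot_verdict(params, at).inspect}" }
end
```

The honeypot field alone only catches bots that fill every input; the signed timestamp is what stops the ones that parse the form, drop the decoy and post immediately. A bot driving a real browser (as the answer below points out) defeats both, which is why these checks are a cheap first filter rather than a replacement for rate limiting.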

Answer

Flooding is a different problem from spam. You should definitely build the logic around rate limiting into your application; you can do this using validation to check that the user hasn't, for example, placed more than 2 orders in the last 15 minutes.

In regards to captchas, any of the plugins you select is most likely going to be great. I wouldn't think of having to install RMagick as a positive or a negative, it really isn't that hard to get working. If it was me choosing, my first instinct would be to go with recaptcha, it's the least annoying of them all.

Spam is another issue, it's often entered by human users who can bypass your captcha. Akismet is great for catching spam, definitely take a look at it; you can use it in conjunction with something like recaptcha.

Finally, modern bots are very sophisticated. Far more sophisticated than any of us probably expect. They can fully automate browsers, use OCR to read captcha text and generate spammy content that will bypass even the most sophisticated filters. That said, it's not about "stopping all spam/bots", it's about making the barrier to entry just high enough that it isn't worth it for the casual user.
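The rate-limiting validation the answer suggests (no more than 2 orders per user in the last 15 minutes), as an added example in plain Ruby that is not part of the original answer. It keeps the timestamps in a process-local hash so it runs stand-alone; the class and method names, and the burst of order timestamps, are assumptions made for the example.

```ruby
# Sliding-window rate limiter: at most +limit+ events per key within the last
# +window+ seconds. State is a process-local hash (an assumption for the example;
# a multi-process Rails app would count rows in the orders table or use Redis).
class SlidingWindowLimiter
  def initialize(limit:, window:)
    @limit  = limit
    @window = window
    @events = Hash.new { |h, k| h[k] = [] }   # key => timestamps (epoch seconds)
  end

  # Can +key+ perform another event at +now+? Does not record anything.
  def allowed?(key, now = Time.now.to_i)
    prune(key, now)
    @events[key].size < @limit
  end

  # Record the event if allowed. Returns true when recorded, false when refused.
  def record(key, now = Time.now.to_i)
    return false unless allowed?(key, now)
    @events[key] << now
    true
  end

  private

  # Drop timestamps that have fallen out of the window.
  def prune(key, now)
    @events[key].reject! { |t| t <= now - @window }
  end
end

# The answer's rule: a user may not place more than 2 orders in 15 minutes.
ORDER_LIMIT  = 2
ORDER_WINDOW = 15 * 60

# Stand-in for a model validation: returns the error messages for a new order.
def order_errors(limiter, user_id, now = Time.now.to_i)
  return [] if limiter.allowed?(user_id, now)
  ["you have already placed #{ORDER_LIMIT} orders in the last 15 minutes, try again later"]
end

# Replay a constructed burst of orders from one user; true = accepted, false = refused.
def simulate(timestamps, user_id: 42)
  limiter = SlidingWindowLimiter.new(limit: ORDER_LIMIT, window: ORDER_WINDOW)
  timestamps.map do |t|
    errors = order_errors(limiter, user_id, t)
    errors.empty? ? limiter.record(user_id, t) : false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed: three orders within two minutes, then one 16 minutes after the first.
  p simulate([0, 60, 120, 960])   # => [true, true, false, true]
end
```

In a Rails model the same check is a validate method that counts recent rows, for example Order.where(user_id: user_id).where("created_at > ?", 15.minutes.ago).count >= 2, which works across processes without any shared in-memory state. For anonymous flooders key the window on the client IP instead of the user id, and remember that a refused submission should be logged, since a steady stream of refusals is itself a useful signal.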
