Some general Articles on keypic itself

peregrine

http://keypic.com/?tid=homepage_how_does_it_work

http://www.networkworld.com/article/2225794/securityeypic--replacing-captcha-without-annoying-/security/keypic--replacing-captcha-without-annoying-users--updated-.html

http://www.networkworld.com/article/2225829/data-centercrewing-up-your-brand--why-keypic-doesn/data-center/screwing-up-your-brand--why-keypic-doesn-t-get-it.html

https://wordpress.org/plugins/keypic/

hgtonight

Seems... sketchy?

Linc

@hgtonight said:
Seems... sketchy?

I wandered thru the code briefly. All I noticed was:

1. This is adding a synchronous remote call for every comment & discussion.
2. It is broadcasting the user's email address with the call.

Neither of these things is any different than Akismet, but then again I know who's running Akismet (WordPress) and that their service is stable & trustworthy. I don't understand the benefit of using this over Akismet.

keypic

@Linc said:
Neither of these things is any different than Akismet, but then again I know who's running Akismet (WordPress) and that their service is stable & trustworthy. I don't understand the benefit of using this over Akismet.

Akismet uses much less checks than Keypic, for example we use CSRF https://en.wikipedia.org/wiki/Cross-site_request_forgery

By the way, we don't check email addresses and usernames anymore (You see it in code for backward compatibility reasons)

keypic

@hgtonight said:
Seems... sketchy?

Maybe it is, remember this is the version 1.0 ( which software was complete at version 1.0? )

I hope this is the first of many versions.

Linc

@keypic said:
Akismet uses much less checks than Keypic, for example we use CSRF

We have CSRF built into Vanilla's core actions via the TransientKey, so adding a second token check is redundant.

I noticed the "How Does It Work" page talks about that token checking, but doesn't actually say much of anything about how spam is detected. Can you elaborate on the service or where more details exist?

keypic

@Linc

I know Vanilla have just CSRF builtin, but this is part of our anti-spam process, so it is necessary put the second one.

Spam detecting is a different job day by day, so it is not useful document it, it will change very frequently.

By the way, try it, and tell me what do you think, I will be very happy to speak with someone who try Keypic Vanilla plugin, this is the only way we have to improve our service and our Vanilla plugin.

x00

This is not a Turing check so therefore, nowadays it is trivial to run a javascript/dom engine as part of a spam bot or even a comprehensive client, also alternatively you can scrape, request, scrape request for the same effect.

I think it is an interesting plugin but not a replacement for CAPTCHA, but then many CAPTCHA aren't good Turing checks.

By virtue of not checking the human part, it is already relying on technology available to bots, even if some are slow to catch up.