HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Comments

  • hgtonighthgtonight ∞ · New Moderator

    Seems... sketchy?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • LincLinc Detroit Admin
    edited September 2014

    @hgtonight said:
    Seems... sketchy?

    I wandered thru the code briefly. All I noticed was:

    1. This is adding a synchronous remote call for every comment & discussion.
    2. It is broadcasting the user's email address with the call.

    Neither of these things is any different than Akismet, but then again I know who's running Akismet (WordPress) and that their service is stable & trustworthy. I don't understand the benefit of using this over Akismet.

  • @Linc said:
    Neither of these things is any different than Akismet, but then again I know who's running Akismet (WordPress) and that their service is stable & trustworthy. I don't understand the benefit of using this over Akismet.

    Akismet uses much less checks than Keypic, for example we use CSRF https://en.wikipedia.org/wiki/Cross-site_request_forgery

    By the way, we don't check email addresses and usernames anymore (You see it in code for backward compatibility reasons)

  • @hgtonight said:
    Seems... sketchy?

    Maybe it is, remember this is the version 1.0 ( which software was complete at version 1.0? )

    I hope this is the first of many versions.

  • LincLinc Detroit Admin
    edited September 2014

    @keypic said:
    Akismet uses much less checks than Keypic, for example we use CSRF

    We have CSRF built into Vanilla's core actions via the TransientKey, so adding a second token check is redundant.

    I noticed the "How Does It Work" page talks about that token checking, but doesn't actually say much of anything about how spam is detected. Can you elaborate on the service or where more details exist?

  • @Linc

    I know Vanilla have just CSRF builtin, but this is part of our anti-spam process, so it is necessary put the second one.

    Spam detecting is a different job day by day, so it is not useful document it, it will change very frequently.

    By the way, try it, and tell me what do you think, I will be very happy to speak with someone who try Keypic Vanilla plugin, this is the only way we have to improve our service and our Vanilla plugin.

  • x00x00 MVP
    edited September 2014

    This is not a Turing check so therefore, nowadays it is trivial to run a javascript/dom engine as part of a spam bot or even a comprehensive client, also alternatively you can scrape, request, scrape request for the same effect.

    I think it is an interesting plugin but not a replacement for CAPTCHA, but then many CAPTCHA aren't good Turing checks.

    By virtue of not checking the human part, it is already relying on technology available to bots, even if some are slow to catch up.

    grep is your friend.

    Bleistivt
Sign In or Register to comment.