Hello,
as of yesterday, creation of new accounts for Kamailio's wiki site requires answering a project-related question. Captcha was useless, as spam bots were lately getting through it easily, creating accounts at a rate of approx. 50 new registrations per day.
The extra question is asked just after CAPTCHA, see it at: https://www.kamailio.org/wiki/start?do=register
Hopefully the questions are simple enough to allow good people to register and difficult enough for spambots to give up. It is not a very sophisticated system; let's see if there will be any efforts in reverse engineering to break in with bots. So far no new spammer account. If they succeed, at least they will learn something useful.
If anyone has difficulties creating wiki accounts, write an email to the sr-dev mailing list and it will be investigated.
Cheers, Daniel
PS. This registration system will last; it is not for April 1.
Just as a side note, I've seen anti-spambot 'captcha systems' (just seen, not implemented, nor do I know of a library that implements it) that use a dual-factor approach: one that you see and one that you know.
Indeed very simple: show an image and ask something about it. Questions can be: type just the letters, type just the numbers, type numbers and letters in a pre-defined order (left-to-right, up-down, etc.), number of colors, of groups, color on the bottom right, etc... The combinations are limited only by imagination. And the best: it increases exponentially the work bots have to do.
Does anybody know a library/system that implements such an approach, not all of it, but at least part of it?
Edson.
On 01/04/2013 06:27, Daniel-Constantin Mierla wrote:
[...]
Some ideas about improving the security of the site:
1. Drop http connections for authentication pages
2. Fix the kamailio.org certificate. At the moment the identity of the domain can't be established as there is no issuer chain provided with it.
From Firefox information page:
"kamailio.org uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)"
Marius
On Mon, Apr 1, 2013 at 6:55 PM, Edson - Lists <4lists@gmail.com> wrote:
[...]
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
On 4/1/13 9:13 PM, Marius Zbihlei wrote:
Some ideas about improving the security of the site:
- Drop http connections for authentication pages
Not sure how much it will help, as the bots were able to create accounts by solving the captcha. HTTPS is no longer something hard to get in any application. So far so good with the new system, no spammer got that familiar with Kamailio modules :-), but there were a few new valid accounts.
- Fix the kamailio.org certificate. At the moment the identity of the domain can't be established as there is no issuer chain provided with it.
From Firefox information page:
You actually need to fix Firefox -- I struggled yesterday a bit with the same situation. The certificate is actually new, generated yesterday and signed by CACert.org. The previous one was self-signed, from openser times, expired for a few years.
I had to try other browsers to check if it works, because Firefox was displaying some error. Then I went back to the stable channel from the beta channel without any success, even removing the old certificate from the Firefox preferences. To solve it, I cleared the cache.
Let me know if it works for you in the same way.
Cheers, Daniel
Hello,
Comments inline
On Mon, Apr 1, 2013 at 8:27 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
On 4/1/13 9:13 PM, Marius Zbihlei wrote:
Some ideas about improving the security of the site:
- Drop http connections for authentication pages
Not sure how much it will help, as the bots were able to create accounts by solving the captcha. HTTPS is no longer something hard to get in any application. So far so good with the new system, no spammer got that familiar with Kamailio modules :-), but there were a few new valid accounts.
Well,
It would be very nice for https://www.kamailio.org to work (at the moment it returns a 200 OK with an empty HTML page). Also, I consider it bad security practice to allow unencrypted traffic for login forms, but I agree it has small benefits.
- Fix the kamailio.org certificate. At the moment the identity of the domain can't be established as there is no issuer chain provided with it.
From Firefox information page:
You actually need to fix Firefox -- I struggled yesterday a bit with the same situation. The certificate is actually new, generated yesterday and signed by CACert.org. The previous one was self-signed, from openser times, expired for a few years.
I had to try other browsers to check if it works, because Firefox was displaying some error. Then I went back to the stable channel from the beta channel without any success, even removing the old certificate from the Firefox preferences. To solve it, I cleared the cache.
I have tried with both Chrome and Firefox, both normal and Incognito mode. Same error. I believe the problem is with the server.
The server provides the correct certificate (I've downloaded it), but it must also provide an intermediate certificate signed by the CACert root CA. The client only has the root CA, so for authentication of the cert the intermediate one is needed.
I guess https://www.globalsign.com/support/install/install_apache.php provides a solution (note that the root CA might not make sense):
Your virtual host section will need to contain the following directives:
- SSLCACertificateFile – This will need to point to the appropriate GlobalSign root CA certificate.
- SSLCertificateChainFile – This will need to point to the appropriate intermediate root CA certificates you previously created in Step 1 above.
- SSLCertificateFile – This will need to point to the end entity certificate (the one you have called "mydomain.crt")
- SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
[...]
--
Daniel-Constantin Mierla - http://www.asipto.com - http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, April 16-17, 2013, Berlin
Hello,
On 4/1/13 9:57 PM, Marius Zbihlei wrote:
Hello,
Comments inline
On Mon, Apr 1, 2013 at 8:27 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
On 4/1/13 9:13 PM, Marius Zbihlei wrote:
Some ideas about improving the security of the site:
1. Drop http connections for authentication pages
Not sure how much it will help, as the bots were able to create accounts by solving the captcha. HTTPS is no longer something hard to get in any application. So far so good with the new system, no spammer got that familiar with Kamailio modules :-), but there were a few new valid accounts.
Well,
It would be very nice for https://www.kamailio.org to work (at the moment it returns a 200 OK with an empty HTML page). Also, I consider it bad security practice to allow unencrypted traffic for login forms, but I agree it has small benefits.
You can access the login forms via https and it is recommended to use https for logging in, as mentioned on the front page of dokuwiki -- I just said that https vs http does not bring benefits against spammers.
2. Fix the kamailio.org certificate. At the moment the identity of the domain can't be established as there is no issuer chain provided with it. From Firefox information page:
You actually need to fix Firefox -- I struggled yesterday a bit with the same situation. The certificate is actually new, generated yesterday and signed by CACert.org. The previous one was self-signed, from openser times, expired for a few years. I had to try other browsers to check if it works, because Firefox was displaying some error. Then I went back to the stable channel from the beta channel without any success, even removing the old certificate from the Firefox preferences. To solve it, I cleared the cache.
I have tried with both Chrome and Firefox, both normal and Incognito mode. Same error. I believe the problem is with the server.
It is working fine for me over https, tried both Firefox and Chrome. I replaced the certificate because the previous one was expired and mentioning openser. CACert is not a default trusted authority anyhow; I chose that instead of another self-signed certificate because CACert has some popularity out there in the open source space.
So, you don't really get to the content via https? Or is it just that the browser does not trust it?
Cheers, Daniel
On 4/1/13 10:06 PM, Daniel-Constantin Mierla wrote:
[...]
It would be very nice for https://www.kamailio.org to work (at the moment it returns a 200 OK with an empty HTML page). Also, I consider it bad security practice to allow unencrypted traffic for login forms, but I agree it has small benefits.
You can access the login forms via https and it is recommended to use https for logging in, as mentioned on the front page of dokuwiki -- I just said that https vs http does not bring benefits against spammers.
Forgot to tell that https://www.kamailio.org remained linked to the previous website portal system (based on mongodb, which was shut down a few months after the current one, using wordpress, was put live). So https://www.kamailio.org/w/ is working, pointing to the current website portal. I will redirect / to /w/ as well for https.
Daniel
Hello Daniel,
You were right in the end. After installing the intermediate certificate and the root CA certificate for CACert (this was the missing one) it works, but only for kamailio.org URLs, not www.kamailio.org.
Great about pointing https://kamailio.org to the right page.
Cheers, Marius
On Mon, Apr 1, 2013 at 9:06 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
[...]
Hello,
On 4/1/13 10:25 PM, Marius Zbihlei wrote:
Hello Daniel,
You were right in the end. After installing the intermediate certificate and the root CA certificate for CACert (this was the missing one) it works, but only for kamailio.org URLs, not www.kamailio.org.
To understand: you are looking to get it as a trusted connection, right? The CN in the certificate is kamailio.org; perhaps it needs alternative names in it for www, etc... I was just looking to get the encryption; as said, before it was an expired self-signed certificate.
Redirection of https / should be now in place.
Cheers, Daniel
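Added example, not code from the thread or from the Kamailio project: a POSIX shell script that reproduces the two certificate problems discussed in this thread (the intermediate missing from the served chain, and a CN-only certificate that does not match www.kamailio.org) using a throwaway PKI built with the openssl CLI. Every key and certificate is constructed in a temporary directory; the host names are only subjects of those toy certificates, and the script assumes an openssl binary (1.0.2 or newer, for -verify_hostname) on PATH.

```shell
#!/bin/sh
# Added example, not part of the thread. Builds a throwaway PKI
# (root CA -> intermediate CA -> server certificate) in a temporary
# directory and checks the two things a browser checks that came up above:
# can the served certificate be chained back to a trusted root, and does
# its name match the host name being visited?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr NAME SUBJECT: key pair plus certificate request in $WORK/NAME.{key,csr}.
csr() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Root CA: the only certificate the emulated client trusts.
    csr root "/CN=Toy Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 2 -sha256 -out "$WORK/root.pem" >/dev/null 2>&1
    # Intermediate CA signed by the root. The server has to send this one in
    # the handshake (Apache: SSLCertificateChainFile); a client holding only
    # the root cannot otherwise link the leaf to it.
    csr int "/CN=Toy Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -sha256 \
        -out "$WORK/int.pem" >/dev/null 2>&1
    # Server certificate from the intermediate: once with only CN=kamailio.org
    # (the shape of the certificate discussed above), once with a
    # subjectAltName that also covers www.kamailio.org. Constructed values.
    csr srv "/CN=kamailio.org"
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -sha256 -out "$WORK/srv_cn_only.pem" >/dev/null 2>&1
    printf 'subjectAltName=DNS:kamailio.org,DNS:www.kamailio.org\n' > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/san.ext" -days 2 -sha256 \
        -out "$WORK/srv_san.pem" >/dev/null 2>&1
}

# verify_leaf LEAF [SENT...]: emulate a client whose trust store holds only the
# root; SENT are the extra certificates the server included in its chain.
# Prints "ok" or "fail".
verify_leaf() {
    leaf=$1; shift
    sent=""
    for c in "$@"; do sent="$sent -untrusted $c"; done
    if openssl verify -CAfile "$WORK/root.pem" $sent "$leaf" 2>&1 | grep -q ': OK'; then
        echo ok
    else
        echo fail
    fi
}

# check_host LEAF HOSTNAME: with the full chain available, does the name match?
# Without a subjectAltName, openssl falls back to the CN, as browsers once did.
check_host() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        -verify_hostname "$2" "$1" 2>&1 | grep -q ': OK'; then
        echo ok
    else
        echo fail
    fi
}

make_pki
echo "leaf only, client trusts root:     $(verify_leaf "$WORK/srv_cn_only.pem")"
echo "leaf + intermediate sent:          $(verify_leaf "$WORK/srv_cn_only.pem" "$WORK/int.pem")"
echo "CN-only cert, kamailio.org:        $(check_host "$WORK/srv_cn_only.pem" kamailio.org)"
echo "CN-only cert, www.kamailio.org:    $(check_host "$WORK/srv_cn_only.pem" www.kamailio.org)"
echo "SAN cert, www.kamailio.org:        $(check_host "$WORK/srv_san.pem" www.kamailio.org)"
```

The first line is exactly Firefox's "no issuer chain was provided" case; the second is what adding the intermediate to the server's chain file fixes, and the last three show why a CN-only certificate works for kamailio.org but not for www.kamailio.org until a subjectAltName is added.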
On 4/1/13 7:55 PM, Edson - Lists wrote:
Just as a side note, I've seen anti-spambot 'captcha systems' (just seen, not implemented, nor do I know of a library that implements it) that use a dual-factor approach: one that you see and one that you know.
Indeed very simple: show an image and ask something about it. Questions can be: type just the letters, type just the numbers, type numbers and letters in a pre-defined order (left-to-right, up-down, etc.), number of colors, of groups, color on the bottom right, etc... The combinations are limited only by imagination. And the best: it increases exponentially the work bots have to do.
Does anybody know a library/system that implements such an approach, not all of it, but at least part of it?
I haven't seen one so far myself, but indeed it should be much more secure than classic captcha, at least against spambots. I coded the requiz plugin (as I named the one asking questions) for dokuwiki by looking at the captcha module. I had the idea and the rest was just stripping captcha and adding a few bits to it. I am not a real php developer to go more into image processing or whatsoever. Anyhow, being open source is the main benefit here: one can take it to the next level independently of the initial developer.
On the other hand, I am aware of services offered by people/companies in countries with low wages. So practically there are humans creating the accounts and they then pass the usernames/passwords forward to spamming companies. For your idea, just knowing basic English should be sufficient to break it; for requiz on the project's wiki they have to learn a bit about kamailio. I do have already several ideas to improve its protection, I just want to see how long it takes for spammers to break it in the current version... If anyone is interested, we can discuss it, I give the ideas, you code! :-)
Btw, the plugin is available on the dokuwiki site (well, April 1 seems to be applied there, too): https://www.dokuwiki.org/plugin:requiz
Cheers, Daniel
Edson.
On 01/04/2013 06:27, Daniel-Constantin Mierla wrote:
[...]