[horde] Login to Horde webmail with captcha -
Michael M Slusarz
slusarz at horde.org
Thu Jan 8 20:15:40 UTC 2015
Quoting ernesto dasa <edasa19 at gmail.com>:
> Thanks for your answer.
>
> You ask me this question
>
> Do you really want to ask your users for a captcha each time they want to
> login?
> Or do you want to authenticate via captchas?
> And do you intend to deal with logins not via the web interface
> (ActiveSync, CalDAV etc)?
>
>
> and my answers are.
>
> Yes, I need to ask my users for a captcha each time they want to login,
> because with this I eliminate any robot attack on my webmail. I want to use
> captcha only for that.

This is not the right usage of CAPTCHAs, at least for IMP.

First, IMAP servers should provide the necessary authentication delay
decay necessary to prevent username/password probing. CAPTCHAs aren't
providing any additional security. (i.e. an attacker can attack IMP
slightly slower than directly attacking your IMAP server, so there's
no need to provide an additional slowdown mechanism at the web level
since you aren't even targeting the most likely break-in vector)

Why do you need to prevent a bot from logging in? The only reasonable
explanation is to limit/prevent sending of e-mail messages from the
account. And we already provide the rate limiting necessary for this
with mail logging in IMP. (If it's intended to be a defense against
reading your email, again the rate limiting is better done at the mail
server level).

So you are making it very annoying for a user to login without any
tangible benefit. There's a reason why CAPTCHAs have never been
implemented for IMP. (Look at the major webmail providers - none of
them require CAPTCHAs by default and all of them are surely attacked
on a constant basis.)

michael
___________________________________
Michael Slusarz [slusarz at horde.org]
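
The server-side authentication delay with decay that the reply refers to, modelled as an added example that is not part of the original message and is not Horde, IMP or any IMAP server's code. The class name, the function name and the default parameters (1 s base, 60 s cap, 300 s half-life) are assumptions chosen for illustration.

```python
class AuthThrottle:
    """Per-source login delay that grows with failures and decays over time.

    Illustrative model only; names and defaults are assumptions.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, half_life=300.0):
        self.base_delay = base_delay  # seconds of delay after one failure
        self.max_delay = max_delay    # upper bound on any single delay
        self.half_life = half_life    # seconds for the failure score to halve
        self._state = {}              # source -> (score, time of last update)

    def _score(self, source, now):
        # Exponentially decay the stored failure score up to `now`.
        score, last = self._state.get(source, (0.0, now))
        return score * 0.5 ** ((now - last) / self.half_life)

    def record_failure(self, source, now):
        # A successful login deliberately does not reset the score, so one
        # valid account cannot be used to clear the penalty for guessing.
        self._state[source] = (self._score(source, now) + 1.0, now)

    def delay(self, source, now):
        # 0 with no history, base_delay after one failure, doubling per
        # further failure, capped at max_delay.
        score = self._score(source, now)
        return min(self.max_delay, self.base_delay * (2.0 ** score - 1.0))


def guesses_allowed(throttle, source, window):
    """Failed attempts one source can make in `window` seconds when it
    retries the moment each delay expires."""
    t, count = 0.0, 0
    while True:
        t += throttle.delay(source, t)
        if t >= window:
            return count
        throttle.record_failure(source, t)
        count += 1


if __name__ == "__main__":
    # Constructed source address from the documentation range.
    n = guesses_allowed(AuthThrottle(), "198.51.100.7", 3600.0)
    print(f"password guesses permitted from one source in an hour: {n}")
```

Because the delay is enforced where credentials are checked, the same bound applies whether the guesses arrive through the webmail front end or directly over IMAP.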