Simple Comments Release Notes: v.930 (1/2)
Simple Comments Release Notes: v.930
[This is a release bulletin for the Simple Comments script. For general information pertaining to the script, including the latest release download, system requirements, etc., visit the Simple Comments main page.]
Simple Comments v.930 adds several new features, including optional CAPTCHA authentication on comment submissions, RSS format comment feeds, the ability for administrators to reply to a comment from directly within the comment approval screen, and the ability to take care of your cat while you're away on vacation.
Ok, we may have exaggerated a bit with the cat. But I hope you'll find the remaining enhancements in the new version--as well as the usual round of bug fixes and updates--useful in your own Simple Comments deployments.
Comment Validation with CAPTCHA
If you've worked with any type of Web form before, then you're probably familiar with the CAPTCHA acronym, which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart." CAPTCHAs take many shapes and forms; but perhaps one of the most known and recognizable asks a would-be form submitter to enter a series of characters that are presented within a graphic image, such as this one:
The idea is that graphically displayed characters, while easy enough for us humans to decipher, can be very difficult (but unfortunately for our purposes, not impossible) for computer programs to analyze. The graphic distortion and angling of the characters as seen in the above example are common in these types of tests; making them even more difficult for bot-based submission tools to crack. Unfortunately, these distortions are sometimes so effective that human beings have a hard time reading the graphic, too.
Due to the distortion, image-based CAPTCHAs can sometimes be difficult to pass for even the most able human being; and for those with visual disabilities (i.e., the blind) they can be next to impossible to use. As a result, image-based CAPTCHAs are not without their share of some controversy on the Web; with those strongly in favor and those strongly against. And in the middle of it all, CAPTCHA-based projects continue to flourish: Both their creation and their subsequent "cracking" lead to advances in the creation of artifical intelligence applications. For more information on the science behind the CAPTCHAs, we refer you to The CAPTCHA Project at Carnegie Mellon University.
With the new release, Simple Comments includes an optional CAPTCHA mechanism that will provide a validation image similar to the image above with each comment submission. If you enable this feature in your Simple Comments deployment, would-be submitters need to successfully submit the numbers presented in the CAPTCHA image before the system will accept the comment for processing. The system we're using is actually provided as a free service by captchas.net. In brief, here's how their system works:
First, you must sign up for a free account on the captchas.net site. The site owners ask you to notify them if your usage is likely to be high (say, 50K captcha images a day or more) before you go live.
When you sign up for the service, you'll be given a user account name and a "secret key." For reasons that will be obvious momentarily, you must protect this secret key just as you would a confidential password!
To request an image display, you first generate a random string of characters. Then you send this random string, along with your account name, as a URL to the captchas.net servers. For example:
(No, my user account is not doodah. Just an example.) The captchas.net server combines the random string you provided and your secret key (which they've stored on their side), applies a mathematical formula, and presents the resulting image with the appropriate characters. The formula itself is published on the captchas.net Web page; since it requires the same secret key on both sides of the operation, there's no need to have to hide the formula used.
As an aid to those with visual disabilities, you can also request an audio version of the captcha (which is also slightly distorted, to try and foil the bot-writers).
When the user submits the form along with their guess at what the graphic displays, you apply the same mathemetical formula to the combination of your copy of the secret key plus the random string you generated. Compare the results of your operation to the user's guess; if they're the same the user is assumed to be a human being. (You should also make sure that the random string was actually generated by your script and is not too old; so bot submitters can't flood your script with sequential attempts to guess the word that would be displayed with a particular random string).
Though straightforward, the captchas.net service actually has many features. You can select the size of the resulting graphic, the number of characters displayed in the graphic (though we felt that the default size of 240x80 was indeed the best choice for the default of 6 characters), and you can also select which characters are used in the actual graphic display (though you're limited to letters and numbers). On this last point, we recommend (and Simple Comment defaults to) the use of numbers only in your captchas. We found many characters were difficult to distinguish in the image displays as well as difficult to hear in the audio versions of the captchas.
Multiple new parameters are now supported in the
config.xml file to enable
the display of CAPTCHA images on your Simple Comments submission forms; I refer you to the
README included with the Simple Comments distribution for full details. By
default, the CAPTCHA system in Simple Comments is not enabled; so you'll need to alter these
parameters to suit your taste if you want to use it (and you'll need to provide your own user
account name and secret key that you got from captchas.net, anyway). To see how the system
works out-of-the-box (but with CAPTCHAs enabled) have a look at our test page.
If you'd like to use the captchas.net service in your own Perl creations, you can
download and use the
CaptchasDotNet module as described on the
captchas.net site; or use our own
CommentCaptchas module now included
within the Simple Comments distribution. Note, however, that the two systems aren't
identical; as I opted to do some things internally differently in the Simple Comments
version of the module. This means you can't use one as a drop-in replacement for the other.
The captchas.net site also has drop-in modules/classes for use with other languages, as
well; including PHP, ASP, and JSP.
Another suggestion from one of our users was the Akismet service, which actually ranks each comment posting as to the likelihood that it's spam. This sounds like a very interesting concept; but since the Akismet service is free only for personal blogs, I decided to go with the captchas.net service, instead. If there's enough interest in adapting Simple Comments to work with Akismet, I'll revisit that possibility for a future release.
What else is new in Simple Comments v.930? How about a nice helping of RSS feeds...
Created: April 27, 2007
Revised: April 27, 2007