The WebForm Defender

Frequently Asked Questions


Do I need WebForm Defender?
Does your website have any forms for visitors to fill out? Can visitors send you email? Do you take email addresses for mailing lists? Do you have a blog? Do you accept membership sign-ups on your website? Can visitors send email from your website, even so much as a "contact us" link? If you can answer yes to any of these, then you should consider some form of CAPTCHA to prevent abuse of your website's resources. WebForm Defender is proven and easy to use.
Is WebForm Defender easy to use?
Definitely! That is one of the main advantages of WebDefender. It is a professionally crafted package, already tested, and very easy to add to your own websites.
Do you offer technical support?
Once you have purchased WebForm Defender you will be granted access to the support pages and community blog. WebForm Defender is very easy to use, but problems can always come up. In the support pages and the community blog you will find the answers to your questions.
What are the system requirements to use WebForm Defender?
Your web site needs to be able to run PHP, version 4 or later, with the "GD libraries" (graphics libraries) installed. That should be available through just about any web host, so chances are excellent you already have everything you need to run WebForm Defender. If you are not sure, however, contact your web host.
How do I install WebForm Defender?
Installation consists of copying the files to your website, and following a few simple instructions. The entire process should take less than 10 minutes.
Does CAPTCHA really work to protect my website?
It helps by making it very hard for bots, viruses, worms, spiders and other malicious automatons to attack your website while posing as real users. But CAPTCHA is not a total security solution for your entire website. It offers a certain kind of protection only. There are other ways a web site might be "hacked" or abused, where CAPTCHA would not be an appropriate deterrent. Here, we are offering you protection of your web forms and, consequently, the data your visitors may enter on those forms, or the resources your website may have access to.
Is CAPTCHA a perfect solution to web form security?
Unfortunately, no. It is not. As yet, there is no perfect solution, certainly not a simple one. The hackers and cyber-terrorists keep learning better techniques, forcing security measures to have to also continue improving. But think of it like a padlock on your garage: it won't really keep a determined thief out, but why make it easier for him than you have to? If 99% of possible thieves are deterred, then that's an effective bargain.
Your example CAPTCHAs show a background image; can I get rid of that?
Yes. Almost everything about Defender is configurable. There are in fact many ways CAPTCHAs might be displayed that we may not have shown you so far in this web site. For example:

[Images: two sample CAPTCHAs]

You can also change the color of the text:
[Images: two sample CAPTCHAs]

You can also change the color of the background:
[Images: two sample CAPTCHAs]
Can I use my own fonts?
In the Pro version you will be able to specify your own fonts. Any TTF (TrueType font) file will work with WebDefender. We recommend using unusual fonts, but they should also be easily legible to the visitor. If you do use your own font files, be sure to test the resulting CAPTCHA images thoroughly for ease of use. Show them to your friends for reactions. If a CAPTCHA image cannot be read by a real person then it is worthless as a security measure.

You can get a quick estimate of how fonts will look by using the Font Chart tool, included with your package in WebForm Defender Pro. It will show you each font in the /fonts directory with a sample CAPTCHA image beside it. To access the font chart tool, go to [your domain]/[defender]/fontchart.php.

Example:
www.mydomain.com/defender/fontchart.php
When will the Pro version be available?
We are aiming for the end of October, 2009.
If I purchase the standard version, can I upgrade to the Pro version?
If you purchase the standard version now, before the official release of the Pro version, you will receive an automatic upgrade to the Pro version. This is a special, limited promotion. After the release date, there will be a small fee for the upgrade.
What are the new kinds of CAPTCHA coming out with WebDefender Pro?
There are three additional types of CAPTCHA challenge coming with the Pro Version. But... for product marketing reasons, you'll have to wait to find out what they are.

Short answer: all three are different from the two types offered in WebDefender Standard. One might even be brand new. (At least, we haven't seen it anywhere before, and we're very excited to be offering it.)

All types of CAPTCHA have their advantages and their drawbacks. A major advantage with Defender is the ability to randomly mix up the type of challenge being shown, making it impossible for malware to predict what sort of challenge it will be facing.
Can I use WebForm Defender on multiple web sites?
Yes. As long as they are actually your own web sites, you may use the one license for all of them, provided you do not modify the code or remove the links to the WebForm Defender website. If you wish to do those things, you may acquire a higher level license that allows you to "brand" the system as your own. Your license is non-transferable, though. If you are helping someone to set up his web site(s), he will need to acquire his own license for WebForm Defender.
What if the visitor to my website has cookies disabled?
WebForm Defender does not use cookies. They are not secure enough for this type of application.
What if the visitor has javascript disabled?
If the visitor has javascript turned off, then the pre-validate function will not work. Post-validate will work just fine, however. You could even set up Defender to run both ways, though there is no really good reason to do so. The principal advantage of pre-validate is that you need modify only one file to add Defender to your web form.

At this time, it is estimated that between 5% and 10% of all internet users run with javascript disabled, even though javascript itself is not, and has never been, a security problem. (It is ActiveX controls, which can be separately disabled, that open the door for security problems.) It is considered good form to allow for those folks who do not use javascript. At the very least, a "you must have javascript enabled to continue" message would be more professional. WebForm Defender, if you choose to require javascript (it's a setting in WebForm Defender), will post such a message for you.

[Image: the no-javascript error message]

This issue can be avoided altogether by using Post-Validation instead of Pre-Validation. (See Example 2 for a description of what Post-Validation is.)
Is Pre-Validation (of the CAPTCHA test) less secure than Post-Validation?
Opinions vary, but we have gone to some lengths to make pre-validation as secure as possible. The typical problem with validating the CAPTCHA prior to submitting the form would be that the security phrase is actually somewhere in the code for the web page. This is not the case with WebForm Defender. The expected security phrase is not in the web page. The CAPTCHA entry is handed off to WebForm Defender in a secure fashion and the web page is simply told "Yes" or "No". The web page never knows exactly what the expected security phrase is.

Can this mechanism be attacked directly? No: it is self-protecting against the expected forms of attack.

So, short version: is Pre-Validation less secure than Post-Validation? We do not think so. In neither case is the security phrase available outside of WebDefender itself, and that never leaves your web server.
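
One way to keep the expected phrase on the server while the page is only told yes or no, shown as an added example; it is not WebForm Defender's code. The function names, the temp-directory store, the three-attempt limit and the five-minute lifetime are assumptions, the challenge id is meant to travel in a hidden form field rather than a cookie, and PHP 7 or later is required.

```php
<?php
// Added example, not WebForm Defender's code; every name and limit here is hypothetical.
const MAX_ATTEMPTS = 3;    // assumed: wrong answers allowed before the challenge is burned
const TTL_SECONDS  = 300;  // assumed: challenge lifetime in seconds

function challenge_path(string $dir, string $id): ?string {
    // Accept only the 32-hex-character ids issued below (blocks path traversal).
    return preg_match('/^[0-9a-f]{32}$/', $id) ? "$dir/captcha_$id.json" : null;
}

// The phrase is stored server-side; only the id is placed in the web page.
function issue_challenge(string $dir): array {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // look-alike characters left out
    $phrase = '';
    for ($i = 0; $i < 6; $i++) {
        $phrase .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $id = bin2hex(random_bytes(16));
    $record = ['phrase' => $phrase, 'tries' => 0, 'expires' => time() + TTL_SECONDS];
    file_put_contents(challenge_path($dir, $id), json_encode($record), LOCK_EX);
    return ['id' => $id, 'phrase' => $phrase]; // phrase is used only to draw the image
}

// Answers yes or no and nothing else. The challenge is destroyed on success, on expiry,
// or after MAX_ATTEMPTS wrong answers, so the reply cannot be used to guess repeatedly.
function check_answer(string $dir, string $id, string $answer): bool {
    $path = challenge_path($dir, $id);
    if ($path === null || !is_file($path)) {
        return false;
    }
    $record = json_decode(file_get_contents($path), true);
    if (!is_array($record) || time() > $record['expires']) {
        @unlink($path);
        return false;
    }
    $ok = hash_equals($record['phrase'], strtoupper(trim($answer)));
    if ($ok || ++$record['tries'] >= MAX_ATTEMPTS) {
        unlink($path); // one-time use
    } else {
        file_put_contents($path, json_encode($record), LOCK_EX);
    }
    return $ok;
}

// Constructed demo: a wrong guess, the right answer, then a replay of the used challenge.
$dir = sys_get_temp_dir();
$c = issue_challenge($dir);
var_dump(check_answer($dir, $c['id'], 'wrong1'));
var_dump(check_answer($dir, $c['id'], $c['phrase']));
var_dump(check_answer($dir, $c['id'], $c['phrase']));
```

The read-update-write on the attempt counter is not atomic here; a store with an atomic increment closes that gap when many requests arrive at once.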
You don't have audio CAPTCHA. Why not?
We will be offering audio CAPTCHA in the future. It is more complicated to set up and to make secure, but it is the only option (currently) for the visually impaired to still be able to pass a CAPTCHA challenge. After the WebDefender Pro version is released, we will turn our attention to the audio problem.
What is "Kitten Captcha"?
Kitten CAPTCHA is a very clever alternative to CAPTCHA that was meant to solve the legibility problems of distorted text, while still making it very, very difficult for bots to get through the security challenge.

[Image: sample Kitten CAPTCHA]

Unfortunately, it is relatively easy for malware to learn the entire library of images, unless 1) the library is extremely large (1,000's of pictures) and, 2) the library is constantly changing. In other words, it requires constant maintenance. (There are perhaps ways in which some automation could be combined with a basic image library to produce an essentially endless sequence of semi-random images, but (that we know of) this hasn't been done -- yet.)

The hackers of the world are fierce, determined, and too clever. Unfortunately, "cute" lost this round.