How do I protect my contact form with a CAPTCHA?
There are two main types of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Either can be used to deter the Tinfoil Security scanner and help prevent unwanted email or comment spam.
1) Active CAPTCHAs:
Active CAPTCHAs are common challenge-response puzzles that are relatively easy for a human to solve but difficult for a program or bot. We recommend using a common widget like the one provided by http://www.google.com/recaptcha. As with any other security solution, the best practice is to use a well-known library where possible rather than creating a possibly vulnerable solution in-house.
Currently the Tinfoil Security scanner won't attempt to solve the CAPTCHA, but instead will flag and ignore the forms protected by one.
2) Negative CAPTCHAs:
A negative CAPTCHA takes the opposite approach: it presents a puzzle that a human is unlikely to solve but that is easy and tempting for a program. It is typically used when one wants the CAPTCHA to be invisible to humans, and it is typically implemented by providing a hidden honeypot input. This input is marked as hidden and is thus invisible to most humans, but it is easily seen by programs that parse the HTML of your website. Programs like the Tinfoil Security scanner will fill out the input, but a human is unlikely to do so. On the backend, the form submission can be rejected if the input is filled out, which catches many programs red-handed.
A good reference on this technique and its variations can be found at http://nedbatchelder.com/text/stopbots.html, and a common library for Ruby-based applications is at https://github.com/subwindow/negative-captcha.
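The honeypot check described above, sketched in plain Ruby as an added example; it is not code from this page or from the negative-captcha library and does not use that library's API. The field name, form action, function names and sample submissions are constructed for illustration, and params is assumed to be the string-keyed hash a Ruby web framework hands to the form handler.

```ruby
# Hypothetical names throughout; the decoy field name is chosen to look tempting to a bot.
HONEYPOT_FIELD = "website"
FORM_ACTION = "/contact" # constructed path

# Render the form. The decoy input is hidden from people (CSS, removed from the
# tab order, autocomplete off) but is still present in the HTML a program parses.
def render_contact_form
  <<~HTML
    <form method="post" action="#{FORM_ACTION}">
      <label>Email <input type="email" name="email"></label>
      <label>Message <textarea name="message"></textarea></label>
      <div style="display:none" aria-hidden="true">
        <label>Leave this field empty
          <input type="text" name="#{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
        </label>
      </div>
      <button type="submit">Send</button>
    </form>
  HTML
end

# Classify parsed form parameters. Returns :accept, or a reject reason to log.
def classify_submission(params)
  # A browser submits the hidden text input as an empty string, so a missing key
  # means the POST was not built from the rendered form (a design choice here).
  return :reject_missing_honeypot unless params.key?(HONEYPOT_FIELD)

  value = params[HONEYPOT_FIELD]
  # Repeated or nested parameters (website[]=x) arrive as Array or Hash.
  return :reject_malformed_honeypot unless value.is_a?(String)
  # Any non-whitespace content means something filled in the decoy.
  return :reject_filled_honeypot unless value.strip.empty?

  :accept
end

# Constructed sample submissions.
SAMPLES = {
  human:    { "email" => "a@example.com", "message" => "Hi", "website" => "" },
  bot:      { "email" => "x@example.com", "message" => "Buy", "website" => "http://spam.example" },
  scripted: { "email" => "x@example.com", "message" => "Buy" },
  nested:   { "email" => "x@example.com", "message" => "Buy", "website" => ["a"] }
}.freeze

SAMPLES.each { |name, params| puts "#{name}: #{classify_submission(params)}" } if __FILE__ == $PROGRAM_NAME
```

Returning the reject reason rather than a bare boolean lets the handler log which rule fired while still showing the sender the same generic response in every case.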