Making CAPTCHA accessible to people with disabilities. What approaches have you used? - forms

I'm nearing the completion of migrating our existing website to a CMS and I've just finished creating all the various contact forms. The CMS I'm using has CAPTCHA built into its form builder, which is great, but the only method available is the "decipher-the-noisy-image" method.
This approach works well, but it limits access for people who might have reading or sight disabilities. I've worked around this by having a "help" page which allows those with disabilities to contact us by telephone and I'm considering having a single-field form which says "Send us your email address and we'll contact you". Accessibility is of particular importance to me as a web developer, but, from an organisational perspective, so is reducing the amount of form spam we receive.
So what I'd like to know is, has anyone in the community had any experience with other CAPTCHA methods and how have you managed to make them accessible to people with disabilities?

As a blind person I find that reCAPTCHA is one of the better CAPTCHA services out there as far as an audio option. The issue with using SMS as the only alternative is the fact that many visually impaired users don't have cell phones that allow them to read text messages.

A good CAPTCHA, like reCAPTCHA, usually includes an audio CAPTCHA. Also I have seen a site that will send an SMS message and you enter the code in the SMS (Google-gmail will do this).
I am very interested in this because I am implementing a CAPTCHA in jQuery right now.

Many sites, including this one I believe, have an option to play noisy audio with embedded spoken numbers, as an audio equivalent to the traditional CAPTCHA image.
I find the result pretty spooky, actually. Reminds me of numbers stations.

As Michael said, audio with each character of the CAPTCHA text spoken for better or worse is a common option provided. If your CMS is PHP-based or if PHP is available on the hosting infrastructure you are using anyway, here's an open source CAPTCHA application with an audio download option:
http://www.phpcaptcha.org/
I've implemented a production site with phpcaptcha, and it works as advertised.

Related

Why do some pop-up ads redirect through multiple domains?

I noticed a lot of shady websites use ads with multiple redirects before showing the content of the ad.
I do not want to link to any of these (probably) illegal content distribution sites, but this effect is easily found when browsing through streaming sites for TV series and stuff like that.
Basically, it works like this:
User interaction (mostly click) opens popup
popup shows firstdomain.com without content
redirects to seconddomain.com
redirects to thirddomain.com
...
finally shows the ad, often a legit one, but this varies from sports betting to adult social media
Is there any upside to these multiple redirects? And why are they set up this way?
You're likely to be thrown from one TDS to another
A TDS is a web based gate that is able to redirect users to various
content depending on who they are. A TDS is able to make a decision on
where to send a user based on criteria such as their geo-location,
browser, operating system, and whether or not they have been sent the
malicious content already. There are many legitimate uses of TDSes,
but there are also specific TDSes (Sutra, BlackOS, NinjaTDS etc.)
written for malware actors
Also from here:
As discussed above, TDS are not malicious elements per se within the
Internet ecosystem, as they are very useful for the operation of
e-commerce and online marketing, but also constitute a good malware
distribution platform.
...
To avoid detection and make it difficult to track these downloads, it
is possible to link several TDSs between them

Is there a guideline for accessibility (such as 508 compliance) in email correspondence?

I am building an application that will have a number of notifications going out via email. Is there a guideline on making the content of the email accessible to screen readers and other similar tools?
You raise a good point. There have been web accessibility guidelines for a long time now (since back in the late 90s, I think); however, email accessibility guidelines have been largely ignored.
While accessibility can be determined by mail clients in terms of how they render HTML emails (which people are trying to rectify similar to a browser standard), it is important to design your emails so that they are accessible for all display technologies.
A few have attempted to set some guidelines:
The TEN Standard
Dave Chaffey
Hope that helps.
Maybe a bit late for you, but your question is still relevant today. You can start with the WCAG guidelines, but keep in mind not everything is applicable in email.
The email accessibility checker I developed is optimized for email HTML, and may be easier to use: http://www.accessible-email.org
It tests your email for different accessibility features which are possible in email and it will tell you what accessibility features are missing (if any).

Clickable email-links encryption? How to do them?

I would like to know if and how it is possible to create clickable email links for websites that are "encrypted" in a way that email spiders can't collect them, while it is still possible for living users to click them to open in email clients or even copy them.
I saw some links that were done in JavaScript but I don't know how they did this and how "safe" they are.
Thank you in advance for any reply.
Most approaches to this are splitting the address across multiple elements and inserting extra formatting; then for JS-enabled browsers, they use JavaScript to turn it back into an e-mail address.
The poster example for this is SpamSpan, which even has several "levels" of obfuscation - at each level the source code resembles an e-mail address less and less, yet it still manages to piece it back together by JS. Although some spambots today are supposedly capable of executing JavaScript, the vast majority don't - and the e-mails are still human-readable with JS off. An advantage of JS-assisted de/obfuscation is that it doesn't rely on external servers; you just need to (simply) integrate the JS library.
Another approach is taken by reCAPTCHA Mailhide - the e-mail is revealed only after solving a CAPTCHA (same type as for normal reCAPTCHA). This is less convenient for the user, but practically safe against robots. A disadvantage of this is that it depends on reCAPTCHA's servers (in essence, on Google) - some people are dead-set against any external dependencies.
This would be a very simple and effective way:
Scramble email addresses
All it does is convert it into ASCII, and all you need to do is insert it where your email address would go!
Although there are more (crazily) secure ways you can choose, this would be the simple option. You can also try this solution; it uses JavaScript to protect your email.
Hope this helps!

Email obfuscation question

Yes, I realize this question was asked and answered, but I have specific questions about this that I feel were not clear on that thread and I'd prefer not to get lost in the shuffle on another thread as well.
Previous threads said that rendering the email address to an image the way Facebook does is overkill and unprofessional user experience for business/professional websites. And it seems that the general consensus is to use a JavaScript document.write solution using html entities or some other method that breaks up and/or makes the string unreadable by a simple bot. The application I'm building doesn't even need the "mailto:" functionality, I just need to display the email address. Also, this is a business web application, so it needs to look/act as professional as possible. Here are my questions:
If I go the document.write route and pass the html entity version of each character, are there no web crawlers sophisticated enough to execute the javascript and pull the rendered text anyway? Or is this considered best practice and completely (or almost completely) spammer proof?
What's so unprofessional about the image solution? If Facebook is one of the highest trafficked applications in the world and not at all run by amateurs, why is their method completely dismissed in the other thread about this subject?
If your answer (as in the other thread) is to not bother myself with this issue and let the users' spam filters do all the work, please explain why you feel this way. We are displaying our users' email addresses that they have given us, and I feel responsible to protect them as much as I can. If you feel this is unnecessary, please explain why.
Thanks.
It is not spammer proof. If someone looks at the code for your site and determines the pattern that you are using for your email addresses, then specific code can be written to try and decipher that.
I don't know that I would say it is unprofessional, but it prevents copy-and-paste functionality, which is quite a big deal. With images, you simply don't get that functionality. What if you want to copy a relatively complex email address to your address book in Outlook? You have to resort to typing it out which is prone to error.
Moving the responsibility to the users' spam filters is really a poor response. While I believe that users should be diligent in guarding against spam, that doesn't absolve the person publishing the address from responsibility.
To that end, trying to do this in an absolutely secure manner is nearly impossible. The only way to do that is to have a shared secret which the code uses to decipher the encoded email address. The problem with this is that because the javascript is interpreted on the client side, there isn't anything that you can keep a secret from scrapers.
Encoders for email addresses nowadays generally work because most email bot harvesters aren't going to concern themselves with coding specifically for every site. They are going to try and have a minimal algorithm which will get maximum results (the payoff isn't worth it otherwise). Because of this, simple encoders will defeat most bots. But if someone REALLY wants to get at the emails on your site, then they can and probably easily as well, since the code that writes the addresses is publicly available.
Taking all this into consideration, it makes sense that Facebook went the image route. Because they can alter the image to make OCR all but impossible, they can virtually guarantee that email addresses won't be harvested. Given that they are probably one of the largest email address repositories in the world, it could be argued that they carry a heavier burden than any of us, and while inconvenient, are forced down that route to ensure security and privacy for their vast user base.
Quite a few reasons Javascript is a good solution for now (that may change as the landscape evolves).
Javascript obfuscation is a better mouse trap for now
You just need to outrun the others. As long as there is low-hanging fruit, spammers will go for that. So unless everyone starts moving to JavaScript, you're okay for now at least.
Most spammers use HTTP-based scripts which GET and parse using regex. Using a JavaScript engine to parse is certainly possible but will slow things down.
Regarding the facebook solution, I don't consider it unprofessional but I can clearly see why purists may disagree.
It breaks accessibility standards (cannot be parsed by browsers or voice readers, or be clicked).
It breaks semantic construct (it's an image, not a mailto link anymore)
It breaks the presentational layer. If you increase browser default font size or use high contrast custom CSS, it won't apply to the email.
Here is a nice blog post comparing a few methods, with benchmarks.
http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/
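
The trade-off discussed in these answers can be checked against your own markup. The following is an added example, not code from any of the posts or from SpamSpan: it encodes a constructed sample address with the HTML-entity approach and with a split-element approach, then reports the least effort needed to read the address back out of the static HTML. All function names and the span markup are hypothetical.

```javascript
// Added example: audit how exposed an address is in static markup.
// Function names, markup and the sample address are constructed for illustration.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Encode every character as a decimal HTML entity ("convert it into ASCII").
function entityEncode(text) {
  return Array.from(text, (ch) => `&#${ch.codePointAt(0)};`).join("");
}

// Split the address across elements with [at]/[dot] placeholders. A small
// script would rebuild it in the browser; it stays human-readable without JS.
function splitEncode(address) {
  const [user, domain] = address.split("@");
  return `<span class="u">${user}</span> [at] ` +
         `<span class="d">${domain.replace(/\./g, " [dot] ")}</span>`;
}

// Undo hex and decimal numeric entities, as any HTML parser does.
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Classify the weakest processing step that exposes an address in the markup.
function exposureLevel(html) {
  if (EMAIL_RE.test(html)) return "plain-regex";
  if (EMAIL_RE.test(decodeNumericEntities(html))) return "entity-decode";
  return "needs-site-specific-logic";
}

const address = "jane.doe@example.com"; // constructed sample
const report = {
  plain: exposureLevel(`<a href="mailto:${address}">${address}</a>`),
  entities: exposureLevel(entityEncode(address)),
  split: exposureLevel(splitEncode(address)),
};
console.log(report);
```

Entity encoding only survives a scraper that never decodes HTML, while the split form requires logic written for that specific markup, which matches the point above that simple encoders stop generic bots but not someone targeting your site.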

Programmatically Fax from Internet form

I'm new to programming, and my only area of expertise is web design/simple development on platforms like wordpress/expression engine. (Yea, you guys can laugh).
I have a new client who currently receives medical faxes through an online form (the user fills out a form concerning their prescriptions and once submitted, it faxes the info).
I'm completely redesigning their site, and I'm not sure how online faxing works.
Has anybody dealt with internet faxing? How does it work? Does/can it go through email?
And is it possible to send a fax through a form with javascript/php or route it through email?
Don't pay for it! All you need is a modem on the server and a standard phone line. Then set up a fax print driver under your OS (you can do it on Windows and Unix).
The unix way is mgetty/sendfax : http://mgetty.greenie.net/doc/mgetty_3.html#SEC3
The Windows way : http://support.microsoft.com/kb/306657
There are other ways but unless you can't get a phone line you'd be mad to pay fees for it.
Would it not be helpful to look at how it is currently being done, that way you can learn a thing or two about the process before trying to go do it again? That way you can find if it is using any special libraries or techniques or services to send the fax and you can then either duplicate the code or use it as a template to get started on your own solution.
All of what you're asking is possible. I would recommend finding a service provider who can send the fax for you. They all have different interfaces, requirements and pricing. I used to use DataOnCall which is now called Fax.com
They had a web service to which we would post the document to be faxed plus additional information. They were a pretty reasonable service. This was several years ago so I can't speak to how they currently fare.
Take a look at eFax's SDK. I haven't used it, but it looks like it might be useful to you.
Yes, you can send faxes via email through several services; this link seems to have some useful information. I worked at a company previously that did this same sort of thing, and while I don't recall the exact service we used, most of them are very similar, and they work reasonably well.