Is email verification with a link a bad idea

In my registration process, the user registers, they get emailed a verification link, and only if they click it is their account verified. But isn't this verification method too easy for bots?

I think an email address could be created by a bot, and for sure if the verification is just clicking a link, that could also be automated by a bot. I'm not sure, since I haven't done this and don't care to test it just to find out, but my question is: isn't this verification method flawed?

I'm thinking about sending the verification code to the user as text which they would have to copy/paste manually into a form, AND the form is CAPTCHA protected. Is this a better idea? Any flaws with it?
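As an added example (not code from the question or any of the answers), this is how a link-based verification token would typically be generated and checked so that the link only proves control of the mailbox and nothing weaker: the token is random, only its hash is stored, it expires, and it can be redeemed once. The store, the 24-hour lifetime and the `/verify?token=` URL layout are assumptions for the example.

```python
"""Added example: a link-based email verification token that is random,
stored only as a hash, time-limited and single-use. Not from the original post."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a verification link


@dataclass
class PendingVerification:
    email: str
    token_hash: str        # sha256 of the token; the raw token is never stored
    expires_at: float
    used: bool = False


class VerificationStore:
    """In-memory stand-in for the database table of pending verifications."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._by_hash: Dict[str, PendingVerification] = {}
        self._now = now

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email` and return the raw token for the link.
        Only its hash is kept, so a leaked table does not yield usable links."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._by_hash[self._hash(token)] = PendingVerification(
            email=email.strip().lower(),
            token_hash=self._hash(token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the verified address, or None if the token is unknown,
        expired or already redeemed. A token can succeed at most once."""
        rec = self._by_hash.get(self._hash(token))
        if rec is None:
            return None
        if rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True
        return rec.email


def build_link(base_url: str, token: str) -> str:
    """Assumed URL layout: the token travels in the query string."""
    return f"{base_url}/verify?token={token}"


if __name__ == "__main__":
    store = VerificationStore()
    t = store.issue("Alice@Example.com")
    print(build_link("https://example.test", t))
    print(store.verify(t))   # alice@example.com
    print(store.verify(t))   # None: already used
```

Looking the token up by its hash means the raw token never needs to be compared byte-by-byte against stored values, and a bot that automates the click still only demonstrates that it can read that mailbox, which is the point the answers below make.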

Most of the suggestions are about verifying emails and using CAPTCHAs, which of course you should do, but keep in mind that none of these methods is completely bulletproof.

Email verification

A bot can easily "click" on links in any email. Copying and pasting something would be slightly more annoying for the bot author, but not much. Generally email verification is just that: email verification.

You verify whether the email is likely to be controlled by whoever tries to register, but of course, since email is usually sent in cleartext over untrusted TCP and relies on insecure DNS, until we're all using DNSSEC and encrypting all traffic it will be easy to sniff emails and spoof servers and clients. The important thing to realize is that using email verification you get only a certain degree of confidence that whoever or whatever you are talking to is really a user of that email address.

Turing test

Answering a question that only a human should know the answer to would be still more annoying, but considering that you probably wouldn't have an infinite number of questions, the bot author might redirect unknown questions to a real human and use cached answers if any question repeats. Answering a question like "what is 12+8", which I've seen on some websites lately as a Turing test, is completely counterproductive since this question is actually easier for bots than for humans. Probably the most popular Turing test for this is the CAPTCHA, but here you also have to realize that they can be fooled.

First of all, people are showing methods of circumventing CAPTCHAs; for example see the Decoding reCAPTCHA talk from DEFCON 18. Many CAPTCHAs are much easier for robots to decipher since they are generated by algorithms that are trivial to reverse. The reCAPTCHA distortions are also pretty simple, but the words they use are real scanned words that were hard for OCR, so in principle it should be much harder for bots, but that is not always the case.

There is also the possibility of displaying the CAPTCHAs you want solved on other websites and having people answer them for you. Also, there is a black market of people actually solving CAPTCHAs, so if your bot author doesn't mind paying something like two cents for a dozen, then no matter how hard it is for humans, actual humans will solve it anyway.

Bottom line

The bottom line is that using any of the bot-stopping techniques will always be a compromise between how much time, effort and money a bot owner (a spammer or anyone else who wants to register a lot of users in your system) is willing to spend, and how much inconvenience for your users you are going to tolerate, because ultimately you will never be able to do any automated test that tells humans and bots apart without actually annoying humans and alienating people with disabilities (has anyone ever tried to guess the audio version of reCAPTCHA?), and still your bots may actually be human-powered, so not really bots but cyborgs, so to speak.

It's an arms race for which your honest users are paying a price. Please keep all of that in mind.

The question is: what are you trying to verify? When you send a link to an email address, what you can know is that whoever registered that account has access to the email address. It doesn't tell you anything about them other than that.

So yeah, bots can create an account and use it for registration. If you want to stop bots, then yeah, a CAPTCHA is what you need to add. Note that there's little point in adding the code to copy/paste: that's both easy for a bot to do, and also doesn't gain you anything over the CAPTCHA.

As always, security and convenience are generally competing with each other.

A link in an email simply validates that it is an active email address. Yes, it's easy for bots to handle this. But is your service so valuable that bots will be attacking it?

A CAPTCHA is always the way to go to ensure your users are human. The additional coding and frustration involved with it are a trade-off.

In the end, keep things as simple as possible, but not simpler.

As pointed out already, you simply have some CAPTCHA validation.

My suggestion, though, is to do human validation before your app creates the user account and sends the verification email. Added value: your site can't easily be forced to just spam verification emails and create bogus waiting-to-be-verified accounts.

Nothing wrong with a link if you do that.

Yes, bots can enter emails and check the responses. I've also heard of endeavors toward bots getting better at image recognition and answering CAPTCHAs, although I can't say for sure how good they are. If you are really, really concerned, I would go with:

  1. Email verification
  2. CAPTCHA
  3. Simple random questions (How many ears/fingers do most humans have?)
  4. Cell phone number that receives a code via SMS

The last one might prove to be the best at eliminating bots, but it will also limit who signs up for your website. Also, the more validations you have, the more you'll annoy users and the more you'll increase the barriers to getting them to sign up, which could also be a pretty big drawback. Personally, I think CAPTCHAs are a good balance of bot protection vs. user inconvenience.

Are you verifying an email only or doing a full registration?

I always verify the email account first. Then, once verified, complete the registration process.

So add a CAPTCHA at the verify-email step.

In other words, ask the user to enter their email address, enter the CAPTCHA and submit the form.

That way only real people get the verification email sent.

It doesn't prevent human bots, of course.

DC

It also means you don't need to store failed/bad registration data.

One problem is a user validating with one email address and then changing it during the registration process. I handle that this way:

When a user submits their email address the data is not stored at all. Instead I use `$validation_code = md5(trim($email) . $secret)` to generate the verification code. That way they can't change the email address on the actual registration form. The email and verification code are carried as hidden fields to the end to validate the email address. If the email address is altered from the verified one, registration will fail as the md5 no longer matches.

DC
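The stateless scheme DC describes, written out as an added example rather than DC's own PHP: the verification code is derived from the normalized email address and a server secret, travels with the email in the hidden form fields, and is recomputed at the end so a swapped address fails. It goes beyond the posted `md5` one-liner in two ways that a practitioner would want: it uses HMAC-SHA256 with a constant-time comparison instead of a bare hash of email plus secret, and it embeds an issue time so codes expire. The secret value, the 24-hour lifetime and the `issued.mac` code layout are assumptions for the example.

```python
"""Added example: stateless, email-bound verification code (HMAC + expiry).
Not DC's code; the secret and the code format are assumed for illustration."""
import hashlib
import hmac
import time
from typing import Dict, Optional

SECRET = b"assumed-server-side-secret-keep-out-of-source"  # stand-in for a real secret
CODE_TTL_SECONDS = 24 * 3600                                 # assumed code lifetime


def _normalize(email: str) -> str:
    """Same canonical form at issue and check time, so case/whitespace cannot break the match."""
    return email.strip().lower()


def _mac(email: str, issued_at: int, secret: bytes) -> str:
    msg = f"{issued_at}:{_normalize(email)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_code(email: str, secret: bytes = SECRET, now: Optional[float] = None) -> str:
    """Return 'issued_at.mac' for the address. Nothing is stored server-side."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(email, issued_at, secret)}"


def check_code(email: str, code: str, secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    """True only if `code` was made for exactly this address and is still fresh."""
    try:
        issued_str, mac = code.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if not (0 <= current - issued_at <= CODE_TTL_SECONDS):
        return False
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(_mac(email, issued_at, secret), mac)


def complete_registration(form: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Final registration step: the hidden fields carry the verified address and its
    code; return the address to register, or None if the pair no longer matches."""
    email = form.get("email", "")
    code = form.get("validation_code", "")
    return _normalize(email) if check_code(email, code, now=now) else None


if __name__ == "__main__":
    # Step 1 (after the CAPTCHA): email the code to the address the user entered.
    code = make_code("Alice@Example.com")
    # Step 2: the registration form posts the hidden fields back unchanged...
    print(complete_registration({"email": "alice@example.com", "validation_code": code}))
    # ...but editing the hidden email field makes the code fail.
    print(complete_registration({"email": "mallory@example.com", "validation_code": code}))
```

The HMAC construction matters here: with a plain `md5(email . secret)` an attacker who learns one code for a known address can try to extend the hashed message, while a keyed MAC has no such length-extension issue and the secret is never mixed into a hash the user can observe directly.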

I ran into similar problems with verification emails and testing. If you want to end-to-end test email verification, try EmailE2E.com; it's free.

You can send and receive emails from randomly generated inboxes via an API.

It's perfect for testing Firebase, Amazon Cognito, or other OAuth providers that use email verification codes during sign-up. Plus it has clients in Java and JS.
