nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and
From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 26 Jan 2013 21:37:40 -0600
On 1/26/13, Michael Thomas <mike () mtcc com> wrote:
Rich Kulawiec wrote:
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
However, as part of a "defense in depth" strategy, it can still make sense.
But defenses have to be *meaningful* defenses. Captchas are a pretend defense. They're wishful thinking. They're faith-based security.
Hm.. see, what we have here is a theory that, because some major sites' CAPTCHA implementations have been broken (in some cases, mainly by attacking the audio version), all CAPTCHA implementations are necessarily vulnerable. And then, because of that.... all CAPTCHAs are worthless, just because some significant CAPTCHA implementations have been defeated with good success. [And then those CAPTCHAs got quickly revised, so they are no longer defeated.]

So what we have here are two leaps of logic....

(1) CAPTCHAs used by a few popular websites were defeated in some cases, and some folks have published materials about techniques for defeating CAPTCHAs; therefore, we are to believe that all CAPTCHA implementations are inherently, necessarily, easy enough to break. The concept has a few holes in it, because it is possible that the websites whose CAPTCHAs were defeated had implementation-specific issues, and it is possible that CAPTCHAs exist that could be fundamentally harder to defeat efficiently. It may be a flawed supposition that all CAPTCHA implementations are necessarily so similar that the same attacks work. This may be coming, but it is not accepted fact, or a compelling idea, that text-based CAPTCHAs are yet trivial to defeat. It's entirely possible that some types of CAPTCHA will become trivial to defeat, and others will present major challenges for an abuser.

And the second leap of logic was:

(2) If a CAPTCHA is as easily broken as in (1), then a considerable number of the attackers who target a site for abuse will be able to break it, and will do so (therefore resulting in a defeat).

[identical-misconception] The concept is equivalent to the idea that all RSA-based encryption is worthless, because just some 512-bit RSA private key was defeated through factoring by an attacker with sufficient cash to spend. Therefore, any site relying on an RSA-based SSL implementation is insecure, since RSA encryption is faith-based security. [/identical-misconception]
Oh, I dunno. I run a website that has a fairly low-volume forum that occasionally gets a drive-by spamming. I'm pretty sure that if I implemented even a naive captcha it would go back to zero.
Mike
[snip] Yes. I would agree that the CAPTCHA is likely to be successful in that case. If you were to implement it, and measure the rate of spam from automated bots both before and after implementing, then you would have a datapoint in regards to CAPTCHA effectiveness :)
-- -JH
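The point in the reply above that a defeated CAPTCHA may have been defeated by an implementation-specific issue rather than by the concept itself is easy to make concrete. The following is an added example, not code from anyone in this thread: a naive text CAPTCHA that ships the expected answer to the client in a hidden field (so a bot "solves" it by copying the field back, no OCR required), beside a server-side version that keeps the answer in a store keyed by an opaque challenge id, with an expiry and single use. Rendering the answer text into a distorted image is assumed to happen elsewhere and is not shown; all function and class names here are hypothetical.

```python
import hmac
import secrets
import time

# Answer alphabet for the text challenge (no 0/O or 1/I to avoid ambiguity).
# Rendering the answer as a distorted image is assumed to be done elsewhere.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ANSWER_LEN = 6


def random_answer(rng=secrets):
    """Draw a random answer; rng needs a .choice() method (secrets or random.Random)."""
    return "".join(rng.choice(ALPHABET) for _ in range(ANSWER_LEN))


# --- Naive implementation: the answer travels to the client -----------------

def naive_issue():
    """Form fields a naive, stateless implementation emits.

    The expected answer is placed in a hidden input so the server does not
    need to remember anything. That is the implementation-specific flaw:
    every field in the form is readable by the submitting bot.
    """
    answer = random_answer()
    return {"captcha_expected": answer}


def naive_verify(form):
    return form.get("captcha_input", "") == form.get("captcha_expected", "")


def naive_bot_solve(form):
    """A bot defeats the naive form without any image analysis: copy the field."""
    return dict(form, captcha_input=form["captcha_expected"])


# --- Server-side implementation: only an opaque id reaches the client ------

class CaptchaStore:
    def __init__(self, ttl_seconds=300, clock=time.time, rng=secrets):
        self._pending = {}        # challenge_id -> (answer, expiry timestamp)
        self._ttl = ttl_seconds
        self._clock = clock       # injectable so expiry can be tested offline
        self._rng = rng

    def issue(self):
        """Return (challenge_id, answer). The caller renders the answer to an
        image and puts only challenge_id in the form; the answer never leaves
        the server as text."""
        answer = random_answer(self._rng)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._clock() + self._ttl)
        return challenge_id, answer

    def verify(self, challenge_id, submitted):
        # pop() makes every challenge single-use: a solved challenge cannot be
        # replayed, and a wrong guess burns the challenge (no online brute force).
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        answer, expires = entry
        if self._clock() > expires:
            return False
        guess = submitted.strip().upper().encode()
        return hmac.compare_digest(answer.encode(), guess)

    def purge_expired(self):
        """Housekeeping so abandoned challenges do not accumulate."""
        now = self._clock()
        stale = [cid for cid, (_, exp) in self._pending.items() if now > exp]
        for cid in stale:
            del self._pending[cid]
        return len(stale)


if __name__ == "__main__":
    form = naive_issue()
    print("naive form accepted bot copy-back:", naive_verify(naive_bot_solve(form)))
    store = CaptchaStore()
    cid, answer = store.issue()
    print("server-side: correct answer accepted:", store.verify(cid, answer))
    print("server-side: replay of solved id accepted:", store.verify(cid, answer))
```

The contrast is the whole point: the naive form fails not because text CAPTCHAs are conceptually weak but because the secret is handed to the party being tested. The server-side version still depends on the image being hard to OCR, which this code does not address; it only removes the self-inflicted shortcuts (answer disclosure, replay, unlimited guessing, unbounded lifetime).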