WebApp Sec mailing list archives

Re: Script Based Attacks & Form Hacks


From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 22 Jul 2005 18:23:16 +1000

CAPTCHA implementations need to be aware of their accessibility requirements. I strongly recommend against CAPTCHAs as they prevent disabled users from accessing your site. There are many legal cases, including against the Olympics organizers SOCOG in 2000, which prove that you may not disregard your obligations to disabled access.

It may be enough to provide an e-mail link or alternative accessible mechanism for disabled users to use as an alternative path ... as long as that path ends up with full access to your site, which was the fundamental reasoning behind the SOCOG fines and remediation order.

Lastly, one of the most effective anti-CAPTCHA tactics I've seen regularly used is "free day passes" to adult web sites. The time to crack CAPTCHAs is less than 30 seconds for groups with extensive numbers of sites or affiliates. Plus, from the attacker's point of view, a human does the OCR step. This is a complete defeat of the CAPTCHA system for sites which have something of value to attackers (link spam, etc).

thanks,
Andrew

On 22/07/2005, at 5:46 PM, Vicente Aguilera wrote:

Hi,

CAPTCHA is a good solution to prevent automatic form submissions, but:
