WebApp Sec mailing list archives
Re: Defeating CAPTCHA
From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 26 Aug 2005 15:32:49 +1000
CAPTCHAs have two major problems:

a) high value systems using CAPTCHAs are already defeated using trivial techniques:
* supply a CAPTCHA to adult websites' "day pass". Works every time. Defeated by a human

b) Legal accessibility in most countries, and *particularly* Australia

Legally, you must not disadvantage disabled users. This has been proven in court time and time again, such as the Sydney Olympics case.
http://www.contenu.nu/socog.html

So you *have* to have a secondary path, which is likely to be far more secure as it will typically involve thinking Turing machines (ie humans). However, what happens if you make it less secure? From a security path, if your disabled path is simpler than the primary path, the attacker wins. E.g. "I am not a terrorist card"
http://www.schneier.com/crypto-gram-0403.html#10

CAPTCHAs are the wrong solution to a poorly articulated problem; we have to come up with something else. Personally, the reason we have CAPTCHAs (and honey nets, another pet hate of mine) is that we are far too lenient on the attackers.

The hierarchy of needs should be aimed at legitimate users, not attackers. Therefore, we need to target, remove and penalize attackers.
thanks, Andrew