WebApp Sec mailing list archives
Re: Defeating CAPTCHA
From: Christopher Kunz <chrislist () de-punkt de>
Date: Wed, 31 Aug 2005 16:09:57 +0200
Glenn Euloth wrote:
IMHO, this solution is a step backward from Captcha.
I concur. The solution suggested by ESP-PIX is bad on many levels.

a) As pointed out earlier, 72 possible solutions are far too few, since there is always a probability of 1/72 or higher that the test is defeated by coincidence. While clicking through the test, I had to answer "wire" twice, "camera" twice and "ticket" thrice, within maybe forty tries. By just sticking to the first answer I ever gave in the test, "ticket", I'd have had a rough 3/40th success rate.

b) Internationalization is a nightmare, and gets more nightmarish when the size of the data set is increased. I wouldn't want to translate, say, 10.000 nouns from English to German, just to have a usable CAPTCHA implementation. Furthermore, many of the images I saw had English text or related to information that is only accessible to English-speaking folks. OTOT, there might be language issues that involve synonymous use of words and stuff like that.

c) No gain for accessibility whatsoever. Blind people won't be able to tell that they're currently not seeing 4 images of goats.

d) Copyright issues. The PoC implementation presented looks very much like the images were pulled off images.google.com. Legally obtaining a large enough copyright-free image collection would require use (and licensing) of stock images or similar. If there's just 1000 pictures, an attacker would go ahead and create a database of all images with their meanings, since there currently is a 1:1 image:meaning relation. That would cost the attacker maybe a day (or less, with the free-porn-scheme in place) and utterly defeat the ESP-PIX approach.

e) Intelligence issues. Can anyone tell me why the solution to the attached image is "bone"? The spine in the top right picture is not prominent enough to make it distinctive, and I can't even figure out what that thing on the bottom right image is. A knee joint?

No, the solution to the CAPTCHA problem is not ESP-PIX, I'm sure.
A way to make it harder for the attacker could be the following: Devise a quick task, like "multiply three and six", "which color is the background?" or the default "enter the phrase 'foobar'" and embed that in the CAPTCHA. That way, the computing power needed for CAPTCHA cracking would increase (since the task is also deformed using the normal captcha mechanisms) and the attacker would have to create a parser for all tasks. This would probably scale terribly (on both sides), since graphics creation on the fly is resource intensive - but I can't think of any other way to keep graphical CAPTCHAs upright at the advent of PWNtcha.

Just my €.02,
--ck
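
The embedded-task idea from the message above, as an added example that is not part of the original post: the server picks one of the three task kinds at random, keeps the expected answer server-side and accepts each challenge only once. All function names and the in-memory store are assumptions, and drawing the distorted image from the returned spec is left to whatever CAPTCHA renderer is already in use.

```python
import hmac
import secrets

# Hypothetical names throughout; the distorted-image rendering step is omitted.
NUMBER_WORDS = ["zero", "one", "two", "three", "four",
                "five", "six", "seven", "eight", "nine"]
COLORS = ["red", "green", "blue", "yellow"]
PENDING = {}  # challenge id -> expected answer, never sent to the client


def multiply_task(rng):
    a, b = rng.randrange(2, 10), rng.randrange(2, 10)
    return {"text": f"multiply {NUMBER_WORDS[a]} and {NUMBER_WORDS[b]}"}, str(a * b)


def color_task(rng):
    color = rng.choice(COLORS)
    # The renderer paints the background in this color; the text does not name it.
    return {"text": "which color is the background?", "background": color}, color


def phrase_task(rng):
    phrase = "".join(rng.choice("abcdefghjkmnpqrstuvwxyz") for _ in range(6))
    return {"text": f"enter the phrase '{phrase}'"}, phrase


TASKS = [multiply_task, color_task, phrase_task]


def new_challenge(rng=None):
    """Pick a task kind at random; return (challenge_id, render_spec)."""
    rng = rng or secrets.SystemRandom()
    spec, answer = rng.choice(TASKS)(rng)
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = answer
    return challenge_id, spec


def verify(challenge_id, response):
    """Single use: the stored answer is dropped on the first attempt, right or wrong."""
    expected = PENDING.pop(challenge_id, None)
    if expected is None:
        return False
    given = response.strip().lower()
    return hmac.compare_digest(given.encode(), expected.encode())
```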