Re: [WEB SECURITY] Fake Captcha Protection
- From: "Rohit Lists" <rklists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Fake Captcha Protection
- Date: Thu, 8 May 2008 13:15:50 -0400
Actually PWNtcha (http://libcaca.zoy.org/wiki/PWNtcha) is now freely
available: svn co svn://svn.zoy.org/libcaca/pwntcha/trunk pwntcha

On Wed, May 7, 2008 at 9:20 PM, Stephan Wehner <stephanwehner@xxxxxxxxx> wrote:
> On Wed, May 7, 2008 at 4:27 PM, Rohit Lists <rklists@xxxxxxxxx> wrote:
>> If I understand your question correctly, you're asking what would stop
>> the attacking tool from enumerating all the possible combinations of
>> parameters - that's a good point, and I suppose it depends on how many
>> combinations are actually offered. On the other hand, it looks like
>> some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
>> be able to break captchas with many different parameters.
>
> I meant to emphasize ...enumerating lots of combinations of
> parameters .... __in your scheme?__
> In my experience it is easy to come up with some non-linear
> distortions, using lots of parameters, but
> a combination of parameters which yield a still readable CAPTCHA is
> more difficult.
>
>> Your project seems like an interesting alternative. I'd definitely
>> like to see how the project turns out and how effective it is at
>> stopping OCR-based attacks.
>
> Greg Mori (the gimpy link above) said about the
> http://preview.stephansmap.org/sign_up coffee-cup CAPTCHA, "It's a
> pretty good CAPTCHA". But I think it wouldn't last a year. There are
> more things you can do with photos, but first I should finish other
> details of that website (thanks all for signing up! :-)
>
> Those OCR-based attacks are sadly not publicly available (for good
> reasons), so I can't test it out.
>
> Another feature on the preview.stephansmap.org site, which I haven't
> seen elsewhere, is called "three-for-one-captcha". After solving one
> CAPTCHA the next two are filled out already. (The idea is, if someone
> pays for CAPTCHA solving/has an automatic solver, three-for-one or
> conventional "one-for-one" will not make any difference, while it
> saves effort for the honest human website visitor.)
>
> If anyone knows a CAPTCHA mailing list, please let me know.
>
> Stephan
>
>
> --
> Stephan Wehner
>
> -> http://stephan.sugarmotor.org
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>