[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [WEB SECURITY] Fake Captcha Protection
- From: "Rohit Lists" <rklists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Fake Captcha Protection
- Date: Thu, 8 May 2008 13:24:13 -0400
Last post from me: anyone have experience with this implementation?
http://marss.co.ua/AdvancedImageBasedBotDetector.aspx
On Thu, May 8, 2008 at 1:15 PM, Rohit Lists <rklists@xxxxxxxxx> wrote:
> Actually PWNtcha (http://libcaca.zoy.org/wiki/PWNtcha) is now freely
> available: svn co svn://svn.zoy.org/libcaca/pwntcha/trunk pwntcha
>
>
>
> On Wed, May 7, 2008 at 9:20 PM, Stephan Wehner <stephanwehner@xxxxxxxxx> wrote:
>> On Wed, May 7, 2008 at 4:27 PM, Rohit Lists <rklists@xxxxxxxxx> wrote:
>>> If I understand your question correctly, you're asking what would stop
>>> the attacking tool from enumerating all the possible combinations of
>>> parameters - that's a good point, and I suppose it depends on how many
>>> combinations are actually offered. On the other hand, it looks like
>>> some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
>>> be able to break captchas with many different parameters.
>>
>> I meant to emphasize ...enumerating lots of combinations of
>> parameters .... __in your scheme?__
>> In my experience it is easy to come up with some non-linear
>> distortions, using lots of parameters, but
>> a combination of parameters which yield a still readable CAPTCHA is
>> more difficult.
>>
>>> Your project seems like an interesting alternative. I'd definitely
>>> like to see how the project turns out and how effective it is at
>>> stopping OCR-based attacks.
>>
>> Greg Mori (the gimpy link above) said about the
>> http://preview.stephansmap.org/sign_up coffee-cup CAPTCHA, "It's a
>> pretty good CAPTCHA". But I think it wouldn't last a year. There are
>> more things you can do with photos, but first I should finish other
>> details of that website (thanks all for signing up! :-)
>>
>> Those OCR-based attacks are sadly not publicly available (for good
>> reasons), so I can't test it out.
>>
>> Another feature on the preview.stephansmap.org site, which I haven't
>> seen elsewhere, is called "three-for-one-captcha". After solving one
>> CAPTCHA the next two are filled out already. (The idea is, if someone
>> pays for CAPTCHA solving/has an automatic solver, three-for-one or
>> conventional "one-for-one" will not make any difference, while it
>> saves effort for the honest human website visitor.)
>>
>> If anyone knows a CAPTCHA mailing list, please let me know.
>>
>> Stephan
>>
>>
>> --
>> Stephan Wehner
>>
>> -> http://stephan.sugarmotor.org
>> -> http://www.thrackle.org
>> -> http://www.buckmaster.ca
>> -> http://www.trafficlife.com
>> -> http://stephansmap.org
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
Search this site
|