Suggestions for the future on your web site: (was cookies, and

Joe Greco jgreco at
Thu Jan 24 15:50:15 UTC 2013

> On Wed, Jan 23, 2013 at 01:20:07PM +0100,  . wrote:
> > CAPTCHAS are a "defense in depth" that reduce the number of spam
> > incidents to a number manageable by humans.
> No, they do not.  If you had actually bothered to read the links that
> I provided, or simply to pay attention over the last several years,
> you would know that captchas are not any kind of defense at all.
> They're like holding up tissue paper in front of a tank: worthless.
> (Yes, yes, I'm well aware that many people will claim that *their* captchas
> work.  They're wrong, of course: their captchas are just as worthless
> as everyone else's.  They simply haven't been competently attacked yet.
> And relying on either the ineptness or the laziness of attackers is
> a very poor security strategy.)

This is a fairly common mistake.

Security isn't about prevention, it's about deterrence.

If you have a locked screen door, someone can still trivially break 
the screen and unlock it.

If you have a glass door, a brick.

If you have a hollow core wood door, a shoulder.

If you have a solid core wood door, a sledge.

If you have a steel door, a prybar.

If you have a safe-style door, explosives.

If you're Fort Knox, a larger military force.  :-)

Basically there is no door that cannot be overcome with sufficient
force; the point of a door is not to absolutely prevent a bad guy
from entering under all circumstances, but rather to deter the 
average attacker to go bother the neighbors instead.  You can do
many things to augment your physical security: unpickable locks,
reinforced doors, motion sensor lights, alarm systems, etc., but all
of these are merely enhancers that are designed to make a criminal
look for an easier target.  A determined and properly resourced
attacker who is determined to attack a given resource is going to
be successful eventually.

And that's where the so-called argument against CAPTCHAs falls apart.

A CAPTCHA doesn't need to be successful against every possible threat,
it merely needs to be effective against some types of threats.  For
example, web pages that protect resources with a CAPTCHA are great at
making it much more difficult for someone with l33t wget skills to
scrape a website.

It isn't a high bar anymore, it isn't a strong defense anymore.  All
quite true, so I'll even agree with your inevitable answer that many
websites are using CAPTCHA as protection against attacks that it is
no longer capable of guarding against.  Agreed!

However, as part of a "defense in depth" strategy, it can still make
sense.  It's much more of a locked screen door at this point, but if
you've got threats that can be easily deterred, then it's still viable.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.

More information about the NANOG mailing list