Suggestions for the future on your web site: (was cookies, and

Rich Kulawiec rsk at
Fri Jan 25 12:40:50 UTC 2013

On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
> However, as part of a "defense in depth" strategy, it can still make
> sense.  

Brother, you're preaching to the choir.  I've argued for defense in depth
for longer than I can remember.  Still am.

But defenses have to be *meaningful* defenses.  Captchas are a pretend
defense.  They're wishful thinking.  They're faith-based security.

Moreover, like all defenses, they don't come for free.  There are costs
associated with them (both for those deploying them and for users of
whatever service they're allegedly protecting).  And beyond the obvious
costs, as we've learned through bitter experience, "complexity" is not
only a hidden cost but also sometimes the one that bites us in the ass by
way of vulnerabilities. 

So given that we all know that (a) the express purpose of captchas is
to determine whether or not a human is on the other end of the wire
and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?

Doubly so given that there are a fair number of visually-impaired
people, blind people, and, oh, by the way, people using devices with
rather small displays.  Especially the last, recently.  Why inflict
this nonsense on them?  Why try to offload the (admittedly) hard work
of securing a resource onto the users, especially the users who are
least-equipped to deal with it?

And please: let's not even go to audio captchas.  That's the sort of
bag-on-the-side-of-a-bag hack that we all did our sophomore year but
were too embarrassed to admit by the time we were seniors.

We have much better defenses at our disposal.  (Examples: BCP 38, the
Spamhaus DROP list,, passive OS fingerprinting combined with
rate throttling, checksum comparison.)


More information about the NANOG mailing list