Suggestions for the future on your web site: (was cookies, and

Joe Greco jgreco at ns.sol.net
Fri Jan 25 14:20:24 UTC 2013


> But defenses have to be *meaningful* defenses.  Captchas are a pretend
> defense.  They're wishful thinking.  They're faith-based security.

They're a hook-and-eye latch.

Now, if you want to go installing a bank vault door to keep your dog
in the backyard, by all means, be my guest.  Me, I'm frugal, so I'll
make the more reasonable investment of a hook-and-eye latch to keep
the gate closed.

> Moreover, like all defenses, they don't come for free.  There are costs
> associated with them (both for those deploying them and for users of
> whatever service they're allegedly protecting).  And beyond the obvious
> costs, as we've learned through bitter experience, "complexity" is not
> only a hidden cost but also sometimes the one that bites us in the ass by
> way of vulnerabilities. 
> 
> So given that we all know that (a) the express purpose of captchas is
> to determine whether or not a human is on the other end of the wire
> and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?

Not a given; your (a) is faulty.  I already gave a trivial example of
a situation where the deployment was intended to detect and deter a 
specific sort of automated exploit (more of a "prove you're a stupid
spam bot and therefore ignoreable" than a "prove you're human").

> Doubly so given that there are a fair number of visually-impaired
> people, blind people, and, oh, by the way, people using devices with
> rather small displays.  Especially the last, recently.  Why inflict
> this nonsense on them?  Why try to offload the (admittedly) hard work
> of securing a resource onto the users, especially the users who are
> least-equipped to deal with it?

That depends on the CAPTCHA, I would imagine.  Pretty sure that none
of the cases you list would have a problem with the CAPTCHA I described.

> And please: let's not even go to audio captchas.  That's the sort of
> bag-on-the-side-of-a-bag hack that we all did our sophomore year but
> were too embarrassed to admit by the time we were seniors.
> 
> We have much better defenses at our disposal.  (Examples: BCP 38, the
> Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with
> rate throttling, checksum comparison.)

Each suitable for a particular range of purposes.  And, as it turns 
out, each generally varies in effectiveness as they age...  it just
turns out that CAPTCHA has aged relatively poorly.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



More information about the NANOG mailing list