Suggestions for the future on your web site: (was cookies, and

Joe Greco jgreco at
Fri Jan 25 14:20:24 UTC 2013

> But defenses have to be *meaningful* defenses.  Captchas are a pretend
> defense.  They're wishful thinking.  They're faith-based security.

They're a hook-and-eye latch.

Now, if you want to go installing a bank vault door to keep your dog
in the backyard, by all means, be my guest.  Me, I'm frugal, so I'll
make the more reasonable investment of a hook-and-eye latch to keep
the gate closed.

> Moreover, like all defenses, they don't come for free.  There are costs
> associated with them (both for those deploying them and for users of
> whatever service they're allegedly protecting).  And beyond the obvious
> costs, as we've learned through bitter experience, "complexity" is not
> only a hidden cost but also sometimes the one that bites us in the ass by
> way of vulnerabilities.
>
> So given that we all know that (a) the express purpose of captchas is
> to determine whether or not a human is on the other end of the wire
> and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?

Not a given; your (a) is faulty.  I already gave a trivial example of
a situation where the deployment was intended to detect and deter a
specific sort of automated exploit (more of a "prove you're a stupid
spam bot and therefore ignorable" than a "prove you're human").

> Doubly so given that there are a fair number of visually-impaired
> people, blind people, and, oh, by the way, people using devices with
> rather small displays.  Especially the last, recently.  Why inflict
> this nonsense on them?  Why try to offload the (admittedly) hard work
> of securing a resource onto the users, especially the users who are
> least-equipped to deal with it?

That depends on the CAPTCHA, I would imagine.  Pretty sure that none
of the cases you list would have a problem with the CAPTCHA I described.

> And please: let's not even go to audio captchas.  That's the sort of
> bag-on-the-side-of-a-bag hack that we all did our sophomore year but
> were too embarrassed to admit by the time we were seniors.
> We have much better defenses at our disposal.  (Examples: BCP 38, the
> Spamhaus DROP list, passive OS fingerprinting combined with
> rate throttling, checksum comparison.)

Each suitable for a particular range of purposes.  And, as it turns
out, each generally varies in effectiveness as they age...  it just
turns out that CAPTCHA has aged relatively poorly.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
