Suggestions for the future on your web site: (was cookies, and
jgreco at ns.sol.net
Fri Jan 25 14:20:24 UTC 2013
> But defenses have to be *meaningful* defenses. Captchas are a pretend
> defense. They're wishful thinking. They're faith-based security.
They're a hook-and-eye latch.
Now, if you want to go installing a bank vault door to keep your dog
in the backyard, by all means, be my guest. Me, I'm frugal, so I'll
make the more reasonable investment of a hook-and-eye latch to keep
the gate closed.
> Moreover, like all defenses, they don't come for free. There are costs
> associated with them (both for those deploying them and for users of
> whatever service they're allegedly protecting). And beyond the obvious
> costs, as we've learned through bitter experience, "complexity" is not
> only a hidden cost but also sometimes the one that bites us in the ass by
> way of vulnerabilities.
> So given that we all know that (a) the express purpose of captchas is
> to determine whether or not a human is on the other end of the wire
> and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?
Not a given; your (a) is faulty. I already gave a trivial example of
a situation where the deployment was intended to detect and deter a
specific sort of automated exploit (more of a "prove you're a stupid
spam bot and therefore ignorable" than a "prove you're human").
> Doubly so given that there are a fair number of visually-impaired
> people, blind people, and, oh, by the way, people using devices with
> rather small displays. Especially the last, recently. Why inflict
> this nonsense on them? Why try to offload the (admittedly) hard work
> of securing a resource onto the users, especially the users who are
> least-equipped to deal with it?
That depends on the CAPTCHA, I would imagine. Pretty sure that none
of the cases you list would have a problem with the CAPTCHA I described.
> And please: let's not even go to audio captchas. That's the sort of
> bag-on-the-side-of-a-bag hack that we all did our sophomore year but
> were too embarrassed to admit by the time we were seniors.
> We have much better defenses at our disposal. (Examples: BCP 38, the
> Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with
> rate throttling, checksum comparison.)
Each is suitable for a particular range of purposes. And, as it turns
out, each generally varies in effectiveness as it ages... it just
turns out that CAPTCHA has aged relatively poorly.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.