Suggestions for the future on your web site: (was cookies, and

Jimmy Hess mysidia at
Sun Jan 27 03:37:40 UTC 2013

On 1/26/13, Michael Thomas <mike at> wrote:
> Rich Kulawiec wrote:
>> On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
>>> However, as part of a "defense in depth" strategy, it can still make
>>> sense.

>> But defenses have to be *meaningful* defenses.  Captchas are a pretend
>> defense.  They're wishful thinking.  They're faith-based security.

Hm.. see, what we have here is a theory,  that because some major
sites' CAPTCHA implementations have been broken (in some cases, mainly
by attacking the audio version),   that all CAPTCHA implementations
are necessarily vulnerable.    And then, because of that....  all
CAPTCHAs are worthless,  just because some significant CAPTCHA
implementations have been defeated with good success.

[And then those Captchas got quickly revised, so they are no longer defeated]

So what we have here, are two leaps of logic....

(1) CAPTCHAs used by a few popular websites were defeated in some
cases, and some folks have published materials about techniques for
defeating CAPTCHAs, therefore, we are to believe that all CAPTCHA
implementations are inherently, necessarily easy enough to break.

The concept has a few holes in it,  because it is possible the
websites whose CAPTCHAs were defeated, had implementation-specific
issues, and it is possible that CAPTCHAs exist that could be
fundamentally harder to defeat efficiently.

It may be a flawed supposition that all CAPTCHA implementations are
necessarily so similar, that the same attacks work.

This may be coming, but it is not accepted fact, or a compelling
idea, that text-based CAPTCHAs are yet trivial to defeat.

It's entirely possible, that some types of CAPTCHA will become trivial
to defeat, and others will present major challenges for an abuser.

And,  the second leap of logic was:

(2) If a CAPTCHA is as easily broken as (1),  then a considerable
number of the attackers who target a site for abuse will be able to
break it  and do so   (therefore, resulting in a defeat).

The concept is equivalent to the idea, that all RSA based encryption
is worthless, because just some 512 bit RSA private key was defeated
through factoring, by an attacker with sufficient cash  to spend.

Therefore, any site relying on a RSA-based SSL implementation is
insecure, since RSA encryption is faith-based security

> Oh, I dunno. I run a website that has a fairly low volume forums that
> occasionally gets a drive by spamming. I'm pretty sure that if I
> implemented even a naive captcha it would go back to zero.

Yes.    I would agree, that the CAPTCHA is likely to be successful in that case.

If you would implement, and measure the amount of spam rates from
automated bots both before and after implementing, then you would have
a datapoint,  in regards to CAPTCHA effectiveness :)

> Mike
