[WEB SECURITY] Fake Captcha Protection

Stephan Wehner stephanwehner at gmail.com
Wed May 7 21:20:19 EDT 2008

On Wed, May 7, 2008 at 4:27 PM, Rohit Lists <rklists at gmail.com> wrote:
> If I understand your question correctly, you're asking what would stop
>  the attacking tool from enumerating all the possible combinations of
>  parameters - that's a good point, and I suppose it depends on how many
>  combinations are actually offered. On the other hand, it looks like
>  some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
>  be able to break captchas with many different parameters.

I meant to emphasize  ...enumerating lots of combinations of
parameters .... __in your scheme?__
In my experience it is easy to come up with some non-linear
distortions, using lots of  parameters, but
a combination of parameters which yield a still readable CAPTCHA is
more difficult.

>  Your project seems like an interesting alternative. I'd definitely
>  like to see how the project turns out and how effective it is at
>  stopping OCR-based attacks.

Greg Mori (the gimpy link above) said about the
http://preview.stephansmap.org/sign_up coffee-cup CAPTCHA, "It's a
pretty good CAPTCHA". But I think it wouldn't last a year. There are
more things you can do with photos, but first I should finish other
details of that website (thanks all for signing up! :-)

Those OCR-based attacks are sadly not publicly available (for good
reasons), so I can't test it out.

Another feature on the preview.stephansmap.org site, which I haven't
seen elsewhere, is called "three-for-one-captcha". After solving one
CAPTCHA the next two are filled out already. (The idea is, if someone
pays for CAPTCHA solving/has an automatic solver, three-for-one or
conventional "one-for-one" will not make any difference, while it
saves effort for the honest human website visitor.)

If anyone knows a CAPTCHA mailing list, please let me know.


Stephan Wehner

-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list