[WEB SECURITY] Fake Captcha Protection

Rohit Lists rklists at gmail.com
Thu May 8 13:24:13 EDT 2008


Last post from me: anyone have experience with this implementation?
http://marss.co.ua/AdvancedImageBasedBotDetector.aspx



On Thu, May 8, 2008 at 1:15 PM, Rohit Lists <rklists at gmail.com> wrote:
> Actually PWNtcha (http://libcaca.zoy.org/wiki/PWNtcha) is now freely
> available: svn co svn://svn.zoy.org/libcaca/pwntcha/trunk pwntcha
>
>
>
> On Wed, May 7, 2008 at 9:20 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
>> On Wed, May 7, 2008 at 4:27 PM, Rohit Lists <rklists at gmail.com> wrote:
>>> If I understand your question correctly, you're asking what would stop
>>>  the attacking tool from enumerating all the possible combinations of
>>>  parameters - that's a good point, and I suppose it depends on how many
>>>  combinations are actually offered. On the other hand, it looks like
>>>  some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
>>>  be able to break captchas with many different parameters.
>>
>> I meant to emphasize  ...enumerating lots of combinations of
>> parameters .... __in your scheme?__
>> In my experience it is easy to come up with some non-linear
>> distortions, using lots of  parameters, but
>> a combination of parameters which yield a still readable CAPTCHA is
>> more difficult.
>>
>>>  Your project seems like an interesting alternative. I'd definitely
>>>  like to see how the project turns out and how effective it is at
>>>  stopping OCR-based attacks.
>>
>> Greg Mori (the gimpy link above) said about the
>> http://preview.stephansmap.org/sign_up coffee-cup CAPTCHA, "It's a
>> pretty good CAPTCHA". But I think it wouldn't last a year. There are
>> more things you can do with photos, but first I should finish other
>> details of that website (thanks all for signing up! :-)
>>
>> Those OCR-based attacks are sadly not publicly available (for good
>> reasons), so I can't test it out.
>>
>> Another feature on the preview.stephansmap.org site, which I haven't
>> seen elsewhere, is called "three-for-one-captcha". After solving one
>> CAPTCHA the next two are filled out already. (The idea is, if someone
>> pays for CAPTCHA solving/has an automatic solver, three-for-one or
>> conventional "one-for-one" will not make any difference, while it
>> saves effort for the honest human website visitor.)
>>
>> If anyone knows a CAPTCHA mailing list, please let me know.
>>
>> Stephan
>>
>>
>> --
>> Stephan Wehner
>>
>> -> http://stephan.sugarmotor.org
>> -> http://www.thrackle.org
>> -> http://www.buckmaster.ca
>> -> http://www.trafficlife.com
>> -> http://stephansmap.org
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list