CAPTCHA is NOT a Turing test, or even close

"IETF member Dave Aronson" <ietf2dave@davearonson.com> Wed, 26 September 2007 13:12 UTC

Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaWgr-0008HE-Ku; Wed, 26 Sep 2007 09:12:33 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaWgp-0007CR-R3 for ietf@ietf.org; Wed, 26 Sep 2007 09:12:32 -0400
Received: from webmail3.speakeasy.net ([69.17.117.50] helo=webmail3.sea5.speakeasy.net) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IaWgj-0006S8-8e for ietf@ietf.org; Wed, 26 Sep 2007 09:12:25 -0400
Received: (qmail 13481 invoked from network); 26 Sep 2007 13:12:24 -0000
Received: from localhost (HELO webmail3) ([127.0.0.1]) (envelope-sender <ietf2dave@davearonson.com>) by localhost (qmail-ldap-1.03) with SMTP for <ietf@ietf.org>; 26 Sep 2007 13:12:24 -0000
Received: from 67.105.229.98 (unverified [67.105.229.98]) by webmail3 (VisualMail 4.0) with WEBMAIL id 18365; Wed, 26 Sep 2007 13:12:24 +0000
From: IETF member Dave Aronson <ietf2dave@davearonson.com>
To: ietf@ietf.org
Importance: Normal
Sensitivity: Normal
Message-ID: <W1147714931183651190812344@webmail3>
X-Mailer: Mintersoft VisualMail, Build 4.0.111601
X-Originating-IP: [67.105.229.98]
Date: Wed, 26 Sep 2007 13:12:24 +0000
Organization: Aronson Consulting Enterprises (http://www.davearonson.com)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 2.6 (++)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc:
Subject: CAPTCHA is NOT a Turing test, or even close
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org

Pars Mutaf [mailto:pars.mutaf@gmail.com] writes:

 > On 9/26/07, John L <johnl@iecc.com> wrote:
...
 > > approaches that depend on something like a CAPTCHA to
 > > work don't have much of a long term future.
 > 
 > I respect your opinion but it says that one day we won't be able to tell
 > humans and computers apart.

While that may or may not be true, it's not the only mechanism by which CAPTCHAs can be defeated.

First, many poor implementations aren't really all that difficult to OCR.

Second, many sites use a very limited set of images, whether static or generated, making it easy to fingerprint them and build a database of correct responses.

Third, the responses are generally short enough that the "keyspace" of correct responses is short enough to brute-force.  (Yes, I know it's usually changed after each try (though again some poor implementations don't), so it's not the typical dictionary-style of brute force attack.  Even so, each response stands the same chance of success, making infinite retries still viable.)  Remember, if it's automated, no attacker really cares how many tries it takes, so long as it is likely to succeed within a reasonable number of tries.  Lockouts and such can help with this, but again, a lot of sites don't bother.

Last, and most amusingly, I've seen rumors that some spambots and suchlike farm it out, by using CAPTCHAs that were, ahem, CAPTCHA'd from elsewhere, to control access to things such as porn sites, relying on the horndogs to solve them in close enough to real time that the originating site will accept it.  Even if this isn't really happening, or even feasible, it's a clever idea IMHO.

Upshot: CAPTCHAs are not to be relied upon for anything really important (such as preventing even a possibly-inadvertent DDoS attack on cellphone users' patience), not now and certainly not when designing a protocol that may be in use for decades to come.  Moore's Law will bite you HARD.

-Dave

-- 
Dave Aronson
"Specialization is for insects."  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/
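An added illustration of the second and third points in the message above: fingerprinting a small, reused image pool so each image need only be solved once and then replayed, and the brute-force arithmetic for short answers where every try is an independent trial, with and without a lockout. This is example code written for this page, not anything from Dave Aronson's message. The image pool (byte strings standing in for PNG data), the 4-character [a-z0-9] answer format, the 100 automated attempts per second, and the "5 tries, then a 60-second pause" lockout are all constructed assumptions.

```python
import hashlib
import math
import random


# Weakness 2 from the message: a small, reused image pool can be fingerprinted.

def fingerprint(image_bytes: bytes) -> str:
    """Stable lookup key for a served CAPTCHA image: SHA-256 of its raw bytes."""
    return hashlib.sha256(image_bytes).hexdigest()


class ReplayDatabase:
    """Fingerprint -> answer table built from challenges already solved once."""

    def __init__(self) -> None:
        self.answers: dict[str, str] = {}

    def learn(self, image_bytes: bytes, answer: str) -> None:
        self.answers[fingerprint(image_bytes)] = answer

    def lookup(self, image_bytes: bytes):
        return self.answers.get(fingerprint(image_bytes))


def simulate_limited_pool(pool_size: int, challenges: int, seed: int = 0):
    """Serve `challenges` images drawn at random from `pool_size` distinct images.

    The attacker pays for a manual solve only the first time an image appears
    and replays the stored answer every time after.  Returns (manual, replayed).
    The pool is constructed here: byte strings stand in for real image data.
    """
    rng = random.Random(seed)
    pool = [(f"captcha-image-{i}".encode(), f"answer{i}") for i in range(pool_size)]
    db = ReplayDatabase()
    manual = replayed = 0
    for _ in range(challenges):
        image, answer = rng.choice(pool)
        if db.lookup(image) == answer:
            replayed += 1
        else:
            manual += 1
            db.learn(image, answer)
    return manual, replayed


# Weakness 3 from the message: short answers, fresh challenge on every try.
# Each try is an independent trial with success probability 1/keyspace.

def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def p_success_within(tries: int, alphabet_size: int, length: int) -> float:
    """P(at least one correct blind guess in `tries` attempts)."""
    p = 1.0 / keyspace(alphabet_size, length)
    return 1.0 - (1.0 - p) ** tries


def tries_for_confidence(confidence: float, alphabet_size: int, length: int) -> int:
    """Smallest number of attempts giving P(success) >= confidence."""
    p = 1.0 / keyspace(alphabet_size, length)
    # log1p keeps precision when p is tiny (1 - p alone would round badly)
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p))


def seconds_to_confidence(confidence, alphabet_size, length, attempts_per_second, lockout=None):
    """Wall-clock cost of the attack at a given automated attempt rate.

    lockout = (max_attempts, pause_seconds): after every `max_attempts` failed
    tries the site forces a pause of `pause_seconds` (None = no lockout).
    """
    n = tries_for_confidence(confidence, alphabet_size, length)
    seconds = n / attempts_per_second
    if lockout is not None:
        max_attempts, pause = lockout
        seconds += ((n - 1) // max_attempts) * pause
    return seconds


if __name__ == "__main__":
    manual, replayed = simulate_limited_pool(pool_size=50, challenges=1000)
    print(f"pool of 50 images, 1000 challenges: {manual} solved by hand, {replayed} replayed")

    # assumed scenario: 4 characters from [a-z0-9], 100 automated attempts/s
    print("keyspace:", keyspace(36, 4))
    n = tries_for_confidence(0.5, 36, 4)
    print("tries for a 50% chance of one success:", n)
    print("no lockout:    %.1f hours" % (seconds_to_confidence(0.5, 36, 4, 100) / 3600))
    print("5 tries/60 s:  %.0f days" % (seconds_to_confidence(0.5, 36, 4, 100, (5, 60)) / 86400))
```

With these assumed numbers the 4-character answer space is about 1.7 million, so a blind guesser reaches a 50% chance of one success after roughly 1.16 million tries, a few hours at 100 attempts per second; the same lockout the message says many sites skip stretches that to months. The replay simulation shows why a small image pool is worse still: once every image has been seen once, the remaining challenges cost nothing.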



_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf