Re: Re: My own "captcha" from 2 years ago......

At 2:53 PM -0500 3/26/07, Richard Lynch wrote:
> If the code is embedded in the audio filename, or as part of the HTML,
> the CAPTCHA itself is kinda useless to a serious attack.  The attacker
> will simply read the code from the HTML/URL.

I have not finished with the blind testing of my audio Captcha, so I would rather not show an example at the moment. But the sound file is assembled "on the fly" and always has the same name -- so, reading the file "access.mp3" doesn't tell the hacker anything.

The key is in sessions and as such is relatively safe. Communication between application and Captcha contains a confirmable unique token. I think the technique is pretty secure.

> You need the secret code to never actually leave your server for it to
> stay secret.
>
> That said, CAPTCHA can usually be broken by OCR by a serious attacker,
> though that takes a little longer than simply reading the code from
> HTML.
>
> Presumably somebody somewhere could (or already has) hook up voice
> recognition to an audio CAPTCHA and defeat that as well.

Well, for that matter, a hacker could hire cheap labor to read or listen to it.

The point is to make it difficult for bots to get to it. Anything a computer can create, another computer can interpret. The technology lag between one and the other is always only temporary and therein lies some temporary relief.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
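
The session-based design discussed in this thread, as an added example that is not code from either poster: the answer is kept only in the server-side session, the form carries an opaque token, and each challenge is good for one attempt. The function names, session key, alphabet and TTL are assumptions, a plain array stands in for `$_SESSION`, and PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

const CAPTCHA_TTL = 120; // seconds a challenge stays valid (assumed value)

/** Create a challenge. The code is stored only in the server-side session. */
function captcha_issue(array &$session, int $now): string
{
    $alphabet = '23456789ABCDEFGHJKMNPQRSTUVWXYZ'; // assumed; skips look-alikes
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $token = bin2hex(random_bytes(16)); // random, not derived from $code
    $session['captcha'] = [
        'code'  => $code,
        'token' => $token,
        'exp'   => $now + CAPTCHA_TTL,
    ];
    return $token; // the only value that is written into the HTML form
}

/** Check one answer. The challenge is destroyed on every attempt. */
function captcha_verify(array &$session, string $token, string $answer, int $now): bool
{
    $c = $session['captcha'] ?? null;
    unset($session['captcha']); // single use: no replay and no guessing loop
    if (!is_array($c) || $now > $c['exp']) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($c['token'], $token)
        && hash_equals($c['code'], strtoupper(trim($answer)));
}

// Constructed demo.
$session = [];
$token = captcha_issue($session, time());
// A fixed-name audio endpoint (access.mp3 in the thread) would render
// $session['captcha']['code'] per request; the URL never contains it.
$code = $session['captcha']['code']; // read server-side, for the demo only
var_dump(captcha_verify($session, $token, $code, time())); // first attempt
var_dump(captcha_verify($session, $token, $code, time())); // replayed attempt
```

In a real handler the audio response would also be sent with `Cache-Control: no-store`, so a fixed name such as access.mp3 is never served from a cache with a stale code.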

