Re: Going from simple to super CAPTCHA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 > On the other hand, if what you're trying to protect has no real
 significance, then no one is going to brother breaking your CAPTCHA.

Wrong. If you are protecting something completely worthless and your
using a popular blog or forum software then you will undoubtedly inherit
it's deficiencies regardless of the content of your site.

If you mean that your blog software inherits security deficiencies and thus open for spam injection and other such evil stuff, then I see your point. But, that's like putting makeup on a pig -- you can only cover up so much. The problem remains regardless.

---

Or constantly adapt. Sounds like fun :)

I agree -- fun and money. My only derivation from your path is trying to accommodate the visually disabled along the way.

---

 > However, if you insist on making a CAPTCHA for your site (as clients,
 not knowing better, sometimes insist), then also add an alternative
 "way in" for the visually disabled like so:

Now I'm not going to argue this point to any real depth. You obviously
don't have statistics for the efficacy of CAPTCHA and I don't want to
invoke erroneous logic by pointing out that if Slashdot, Yahoo, Google,
etc are all using it then it must have some usefulness :)

First, I would listen and consider your thoughts far more than I would follow after Slashdot, Yahoo, and Google practices. You're in the front lines and have first hand experience. They have their ultimate decisions diluted by management -- the brightest ideas have to pass through the dimmest minds to be implemented. The cutting edge is not sharpened by the dullest minds.

Second, as for the efficacy of CAPTCHA, true I don't have any statistics. But the following does give rise for concern:

http://sam.zoy.org/pwntcha/

Do graphic CAPTCHA's really work? I dunno, but from this it appears not.

So, in my mind, if you're going to do something that doesn't work anyway, then why punish the disabled?

----

 > http://sperling.com/examples/captcha/

 If you want the code, just ask and I'll provide.

 My thought is if you want to do image alteration, you might put your
 skills to better use by writing routines for various photographic
 effects, such as "Fish-Eye" or "Oval Cut-Outs" or whatever -- rather
 than beating the dead horse CAPTCHA.

I'm in a time crunch right now, I'll explore more options later ;)

Cheers,
Rob.

Arrgggg -- please don't release the Cracken.

I think we're pretty much all in agreement about the problem and what can, and cannot, be done. Your multi-CAPTCHA approach is certainly more difficult for a bot to crack than a single one, like changing session ID's in the middle of a user's visit to deter session high-jacking. But even that can be broken, am I not correct?

My point was not about the security of my method, but rather the accessibility of it.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux