On 29 Aug 2008, at 15:15, tedd wrote:
> At 9:07 AM +0100 8/29/08, Stut wrote:
>> On 29 Aug 2008, at 03:45, tedd wrote:
>>> These are what I've come up with:
>>> http://webbytedd.com/aa/assorted-captcha/
>>
>> Just curious tedd, but what do you mean by "CAPTCHA's show the
>> world that you really haven't thought this out". If you have a
>> better alternative I'd love to hear about it.
>> -Stut
>
> -Stut :
>
> I claim that for most web sites, they don't need a CAPTCHA -- so why
> use one? CAPTCHA's carry a lot of accessibility baggage.
>
> There are many high profile sites that don't use CAPTCHA (i.e.,
> Eric Meyers, Chris Shiflett). Instead they have developed other
> methods, such as attending to their sites and monitoring posts.
>
> I concede that if an evil-doer wants to make things hard on you by
> automated posting, then it's an uphill battle that can be
> effectively fought by using a CAPTCHA. But I claim there has to be a
> better way.
>
> While I've been working on the problem (on/off) for several years, I
> haven't found an acceptable solution. Of course, better minds than
> mine have tried and failed, but I always think that I might do
> better -- a flaw in my personality, I just don't know any better.
>
> In any event, I've approached the problem from two sides:
>
> 1. To create a CAPTCHA that would be difficult for automated systems
> to break but easy for the user to navigate -- my Arrow CAPTCHA is
> the best I could create. However, I'm sure with a little effort from
> someone like you or Rob, it can be broken.
>
> In addition, my arrow CAPTCHA is for the sighted and that leaves out
> a lot of people. My Audio CAPTCHA works well for the blind, but that
> too can be broken.
>
> 2. To create a server-side method that monitors who's making the
> post, frequency of the posts, and content of the post before
> allowing the post. While I'm not finished, this is something that I
> continue to work on. I think that direction shows the most
> opportunity for success.
>
> So, when I say "CAPTCHA's show the world that you really haven't
> thought this out", that's what I mean. I still haven't thought this
> out either. But I think there's a better solution and I'll keep
> working trying to find one.

I agree with some of what you're saying here, but only to a certain
extent. CAPTCHA's are a tool that can be applied to any number of
different situations, so a blanket statement like that cannot possibly
apply. For some situations they are absolutely required (example
coming up), for others they're certainly not the best answer.

The main project I work on at the moment is a classified ad site and
it has CAPTCHA's in three places. The first is when you place an ad.
If this wasn't there we'd have a much more difficult job dealing with
scam and spam ads, something we can't currently afford to throw more
effort at. This is an example of making it a little bit harder for
automated posting to happen, but we know it's not 100% effective and
we have other mechanisms in place to catch stuff that gets past it,
but it's a good first step and knocks out the really stupid attempts.

The other two places are when a user contacts us for support, and when
someone sends a message to another user about one of their ads.
Without the CAPTCHA both of these suffer from a huge amount of aimless
automated postings. This is the main thing a CAPTCHA does for any site.

Out there in the wide wide world there are numerous scripts that
simply crawl the web looking for forms to post to on the off-chance
it's going to turn out to be unprotected. Depending on the form
handler this can result in anything from them posting content on a
website with a view to getting SEO juice to being able to use the form
as a mail proxy. These scripts don't care if each post works, they
just try because it's nearly free to do so. In the above scenarios not
having the CAPTCHA there to stop them would result in spam in our
support system and even worse than that, spam in users' mailboxes.

So I agree that CAPTCHA's do not and cannot solve the problem of
unwanted form submissions, but they're a damn good start. Whatever we
do, the simple fact that we want users to be able to do something
means that anyone can do it whether they have good intentions or bad,
but we can put up as many obstacles to automation as normal users can
live with. CAPTCHA's are only a defence against automation, not bad
people and that's a very important thing to understand.

As for attending to sites and monitoring posts, that's all very well
until you end up dealing with >10k posts a day. Our CAPTCHA's stop
over 70% of form submissions on my site and I thank $DEITY they're
there because otherwise I'd never sleep (not that I do that much
anyway).

The reason I asked the question is that your comments on that page
imply that only lazy developers use them when this is far from the
truth. They are a valuable tool and until something better comes along
I'm gonna use them as part of my site's defences, unless you're
volunteering to moderate >7k messages for me for free? Didn't think
so ;)

-Stut
--
http://stut.net/
--
PHP General Mailing List (http://www.php.net/)
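
The server-side approach tedd describes in his point 2 (who is posting, how often, and what the post contains) could be sketched as below. This is an added example, not code from either poster; the function name `screen_post`, the field names, the thresholds and the sample data are all assumptions chosen for illustration.

```php
<?php
// Added example: thresholds, field names and sample data are assumptions.
const WINDOW_SECONDS = 600;      // look-back window for frequency checks
const MAX_POSTS_IN_WINDOW = 3;   // posts per source allowed in the window
const MAX_LINKS = 2;             // links allowed in one body
const HOLD_SCORE = 2;            // score at which a post is held for review
const REJECT_SCORE = 4;          // score at which a post is refused

function screen_post(array $post, array $history, int $now): array
{
    $score = 0;
    $reasons = [];
    $bodyHash = hash('sha256', strtolower(trim($post['body'])));

    // Who and how often: earlier posts from this source inside the window.
    $recent = array_filter($history, fn($h) =>
        $h['ip'] === $post['ip'] && $now - $h['time'] <= WINDOW_SECONDS);
    if (count($recent) >= MAX_POSTS_IN_WINDOW) {
        $score += 2;
        $reasons[] = 'frequency';
    }

    // Content: the same body has already been submitted by any source.
    if (in_array($bodyHash, array_column($history, 'hash'), true)) {
        $score += 2;
        $reasons[] = 'duplicate';
    }

    // Content: link-heavy bodies, as posted by scripts chasing SEO value.
    if (preg_match_all('~https?://~i', $post['body']) > MAX_LINKS) {
        $score += 2;
        $reasons[] = 'links';
    }

    $action = $score >= REJECT_SCORE ? 'reject'
            : ($score >= HOLD_SCORE ? 'hold' : 'accept');
    return ['action' => $action, 'score' => $score, 'reasons' => $reasons];
}

// Constructed sample history (not real traffic): three recent identical posts.
$now = 1220000000;
$spam = 'Cheap pills http://a.example http://b.example http://c.example';
$history = [];
foreach ([30, 60, 90] as $age) {
    $history[] = ['ip' => '192.0.2.10', 'time' => $now - $age,
                  'hash' => hash('sha256', strtolower(trim($spam)))];
}
var_dump(screen_post(['ip' => '192.0.2.10', 'body' => $spam], $history, $now));
var_dump(screen_post(['ip' => '198.51.100.7', 'body' => 'Is the bike still for sale?'], $history, $now));
```

A 'hold' result feeds the kind of moderation queue Stut mentions as his "other mechanisms", so a gate like this sits alongside a CAPTCHA rather than replacing one.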