Zach Leatherman

Obscurity, Security, and Captcha

November 01, 2007

On Ajaxian recently, there have been a few posts touting new and inventive replacements for the more traditional distorted and discolored “What does this image say?” Captcha gatekeeper for your web form. Of course these are all intended to provide a mechanism to tell the difference between an automated web bot that is spamming your web form and a human being.

Obviously there are some accessibility issues with Captcha images, in that they are useless to those who are vision impaired. Some sites provide an alternate link to an audio file that speaks a random word that you must then enter into the form.

One of the easiest ways to implement a Captcha on your site is to use the reCAPTCHA plugin. But that’s not what I’m going to talk about here. What I want to talk about is these new methods being introduced.

The first that was recently linked was a method that involved drag and drop to authenticate the user. Obviously this method is flawed, especially if the automated robot has access to fire JavaScript events. It does nothing but introduce a different door that the spammer may not have seen before. When this method gains any sort of popularity, or if a spammer decides to attack the site implementing this method specifically, it would not be difficult to bypass the Captcha. This is referred to in the computer world as “Security through Obscurity”. This is not good practice.

The next post I read was regarding an implementation that presented the user with 8 boxes, with one of those boxes colored differently, and an invitation to find and click on the differently colored box. This was implemented by Passpack (a password hosting service, which should be focused on security, right?). Correct me if I’m wrong, but how is this difficult for the spammer at all? The whole point of a Captcha is to distort the text inside the image so much that the image can’t be read by an Optical Character Recognition (OCR) program. Basically, they’ve simplified it down to a one pixel image, which is an infinitely easier optical recognition problem. You don’t even have to recognize characters, you can just see if the pixel is a 1 or a 0. Forgive me for asking, but is that problem NP-complete?

I am all for having more friendly humane methods of Spam Bot detection. Just be wary of the methods you’re using. Are they actually secure, or are they just obscure?



Zach Leatherman is a builder for the web at CloudCannon. He is the creator and maintainer of Eleventy (11ty), an award-winning open source site generator. At one point he became entirely too fixated on web fonts. He has given 79 talks in nine different countries at events like Beyond Tellerrand, Smashing Conference, Jamstack Conf, CSSConf, and The White House. Formerly part of Netlify, Filament Group, NEJS CONF, and NebraskaJS.

1 Comment
  1. Tara (PassPack)

    03 Nov 2007
    Hi there, I addressed PassPack's CAPTCHA on our blog, here's an excerpt: "Right now the captcha is very simple and works because no spam bot has actually taken the time to learn it." It doesn't actually fight spam bots, but it does have some other useful side effects so we're keeping it anyway for now. That may or may not change. We'll see. Cheers :) Tara