Adapt a new Captcha system (General)

by yns00k, Portugal, Sunday, May 31, 2009, 00:41 (5451 days ago)

The current CAPTCHA System is trivial to be passed, I would like to suggest that IN ADDITION to the current: Mathematical CAPTCHA and Graphical CAPTCHA included, you could add a third option: reCAPTCHA http://recaptcha.net.

Why reCAPTCHA?

# It's Free! Yep, reCAPTCHA is free.
# It's Useful. Why waste the effort of your users? reCAPTCHA helps to digitize books.
# It's Accessible. reCAPTCHA has an audio test that allows blind people to freely navigate your site.
# It's Secure. Most other CAPTCHA implementations can be easily broken.
# It's Popular. Over 100,000 sites use reCAPTCHA, including household names like Facebook, Ticketmaster, and Craigslist.

Security

reCAPTCHA has the highest security standards. Many other implementations of CAPTCHAs use undistorted text, or text with only minor distortions. These implementations are vulnerable to simple automated attacks. Others, such as MAPTCHA, consist of asking text-based arithmetic questions like "what is 1+1". These can be trivially broken by an attacker.

Adaptive Security

reCAPTCHA is a Web service. That means that all the images are generated and graded by our servers. In addition to the convenience that this provides (you don't have to run costly image generation scripts on your own servers), this also provides an extra level of protection: our CAPTCHAs can be automatically updated whenever a security vulnerability is found. For example, if somebody writes a program that can read our distorted images, we can add more distortions in very little time, and without Web masters having to change anything on their side. This is significantly more secure (and convenient) than having to re-install a CAPTCHA every time a vulnerability is found.

IP Address Detection

Our service also includes IP address filtering and detection. If we determine that a given IP address is successfully solving too many CAPTCHAs in a certain period of time, the address is immediately flagged for review. In addition, by providing CAPTCHA services to many customers we obtain a global view of spamming attacks, allowing us to react quickly to security threats.

--
So it would be much more secure against automatic registration or posting!

All information for creating the code I think is available here: http://recaptcha.net/resources.html Of course you will need to provide the interface for adding the public and the private key for the service to work.
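
The solve-rate flagging described under "IP Address Detection" in the post above, sketched as an added example; it is not reCAPTCHA's or the forum's code, and the window, threshold and sample events are assumptions constructed for illustration:

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed look-back window (10 minutes)
MAX_SOLVES = 5         # assumed limit of successful solves per window


class SolveRateMonitor:
    """Flags an IP once it solves more than max_solves CAPTCHAs in a window."""

    def __init__(self, window=WINDOW_SECONDS, max_solves=MAX_SOLVES):
        self.window = window
        self.max_solves = max_solves
        self._solves = defaultdict(deque)   # ip -> timestamps of recent solves
        self.flagged = {}                   # ip -> time it was first flagged

    def record(self, ip, timestamp, solved):
        """Record one attempt; return True if the IP is flagged for review."""
        if solved:                          # only successful solves count
            recent = self._solves[ip]
            recent.append(timestamp)
            # Drop solves that have aged out of the sliding window.
            while recent[0] <= timestamp - self.window:
                recent.popleft()
            if len(recent) > self.max_solves:
                self.flagged.setdefault(ip, timestamp)
        return ip in self.flagged


def flag_ips(events):
    """Replay events in time order and return {ip: time first flagged}."""
    monitor = SolveRateMonitor()
    for timestamp, ip, solved in sorted(events):
        monitor.record(ip, timestamp, solved)
    return monitor.flagged


# Constructed sample events: (seconds, client IP, solved?)
EVENTS = (
    [(t, "192.0.2.10", True) for t in range(0, 160, 20)]             # 8 solves in 140 s
    + [(t, "203.0.113.5", True) for t in range(0, 1200, 200)]        # 6 solves, spread out
    + [(t, "198.51.100.7", t % 90 == 0) for t in range(0, 300, 30)]  # mostly failures
)

if __name__ == "__main__":
    for ip, when in flag_ips(EVENTS).items():
        print(f"{ip} flagged for review at t={when}s")
```

Only the address that solves in a rapid burst is flagged; the client with the same number of solves spread over a longer period and the client that mostly fails stay below the threshold.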

Adapt a new Captcha system

by Shemckel, Friday, June 05, 2009, 13:45 (5446 days ago) @ yns00k

I find the reCaptcha digits hard to read! Also, I think the math question is the ultimate, it's easy for a human and IMPOSSIBLE for a bot to figure out. A bot has no idea that 1+7=8

Adapt a new Captcha system

by yns00k, Sunday, June 07, 2009, 09:27 (5444 days ago) @ Shemckel

> I find the reCaptcha digits hard to read! Also, I think the math question is the ultimate, it's easy for a human and IMPOSSIBLE for a bot to figure out. A bot has no idea that 1+7=8

Well I think that most reCaptcha images are pretty easy to read! (but they also have sound, and you can ask for a new challenge if that one is impossible for you)

Also, computers make trillions of calculations per second... why should calculating 1+7 be difficult for some bot? According to http://recaptcha.net/security.html "others, such as MAPTCHA, consist of asking text-based arithmetic questions like "what is 1+1". These can be trivially broken by an attacker." If they are not broken right now (probably they are!) they can bypass it pretty easily in the future.

I suggest reCAPTCHA as just one more option that the administrator can use if the forum starts getting fake registrations or spam messages.

Adapt a new Captcha system

by Auge, Sunday, June 07, 2009, 14:49 (5444 days ago) @ yns00k

Hello

> > ... I think the math question is the ultimate, it's easy for a human and IMPOSSIBLE for a bot to figure out. A bot has no idea that 1+7=8

> Also, computers make trillions of calculations per second... why should calculating 1+7 be difficult for some bot? According to http://recaptcha.net/security.html "others, such as MAPTCHA, consist of asking text-based arithmetic questions like "what is 1+1". These can be trivially broken by an attacker." If they are not broken right now (probably they are!) they can bypass it pretty easily in the future.

A human attacker can break a math captcha but he can break an image captcha too. But if there is no semantic interconnection (HTML-wise) between the question and the form field for the answer, I would doubt that a machine/bot can break a math captcha, especially if the mathematical formula is "hidden" in a sentence ("What is 1+1?" vs. "1+1").

Tschö, Auge

Adapt a new Captcha system

by yns00k, Sunday, June 07, 2009, 17:39 (5444 days ago) @ Auge

> A human attacker can break a math captcha but he can break an image captcha too. But if there is no semantic interconnection (HTML-wise) between the question and the form field for the answer, I would doubt that a machine/bot can break a math captcha, especially if the mathematical formula is "hidden" in a sentence ("What is 1+1?" vs. "1+1").
>
> Tschö, Auge

My main concern is the automatic bots. Humans can always break the security, unless there is some kind of IP origin verification... if you are from some country that is always causing problems or at least being used for criminal activities... you can possibly block them, but it is currently not easy because you can block IPs, but you cannot just drop down a list of countries and block them, or just allow some countries... it could be one more option, if it's possible to integrate that too. They can use proxies, it's true, but proxies have too many problems, and are much slower in most cases... and it's possible to add protection against (known) proxies.

About the mathematical formula, I'm not a programmer myself, but I can imagine that if they can break most images, they can much more easily break some question asking "What is 1+1?" or "What is 1 + 1?" or "Say to me, 1 more 1 is how much?"; they just have to detect where the numbers are and what the type of calculation is.

Adapt a new Captcha system

by Auge, Monday, June 08, 2009, 12:57 (5443 days ago) @ yns00k

Hello

I don't want to argue against another captcha system, I only want to explain where IMHO the pros for math captchas are located.

> Humans can always break the security, ... you can possibly block them, but it is currently not easy because you can block IPs, but you cannot just drop down a list of countries and block them, or just allow some countries... it could be one more option, if it's possible to integrate that too. They can use proxies, it's true, but proxies have too many problems, and are much slower in most cases... and it's possible to add protection against (known) proxies.

OK, you can block IP ranges, but I think that this is not a solution. What if a good guy from that IP range wants to post in the forum? But I see you know these problems.

> About the mathematical formula, I'm not a programmer myself, but I can imagine that if they can break most images, they can much more easily break some question asking "What is 1+1?" or "What is 1 + 1?" or "Say to me, 1 more 1 is how much?"; they just have to detect where the numbers are and what the type of calculation is.

They have to know where to search. That's why:

> ... if there is no semantic interconnection (HTML-wise) between the question and the form field for the answer ...

But I know, that's only another type of security by obscurity. And: yes, it is breakable.

Tschö, Auge

Adapt a new Captcha system

by yns00k, Monday, June 08, 2009, 14:11 (5443 days ago) @ Auge

> ... if there is no semantic interconnection (HTML-wise) between the question and the form field for the answer ...
>
> But I know, that's only another type of security by obscurity. And: yes, it is breakable.
>
> Tschö, Auge

But in a case like a pre-made forum, that will likely be in the same place in the forum code everywhere... so a bad programmer (the bot's author) will likely have no great problem making that relation between the question and the place where the answer is to be dropped. I would really like to believe they can't do that... but I think they probably can... so reCaptcha may be just another alternative (should the currently implemented ones fail), if such a threat appears to break the security.

Adapt a new Captcha system

by JooJoo, Friday, June 19, 2009, 05:17 (5432 days ago) @ yns00k

If it was a problem, many users of MLF would be asking for a change. Having used the math question challenge for several years on my forum, NO bot has broken this and posted in my forum. So, you need to prove there is a problem with the current math challenge. Bottom line, the math challenge anti-spam works!

Adapt a new Captcha system

by yns00k, Friday, June 19, 2009, 18:33 (5432 days ago) @ JooJoo

Even phpBB (http://www.phpbb.com/blog/2009/06/10/phpbb-306-plans/) is going to add this kind of protection!

I don't need to prove anything! I'm just asking for a new system to protect this now and in the future.

Adapt a new Captcha system

by owl, Monday, July 06, 2009, 10:30 (5415 days ago) @ yns00k
edited by owl, Monday, July 06, 2009, 10:38

I've been using Mylittleforum with Akismet and Mylittleforum's Image Captcha for the last 2-3 months and not one spam user has registered. I personally think we should exhaust all developmental options available to us before we start rampaging Mylittleforum with yet more 3rd party software. Mylittleforum is supposed to be little and the most appealing thing about Mylittleforum is that it's simple, light and easy to use and not bloated, let's keep it that way.

Say NO to reCAPTCHA.
