Re: CAPTCHA is NOT a Turing test, or even close

2007-09-26 08:38:38
IETF member Dave Aronson wrote:
Pars Mutaf [mailto:pars(_dot_)mutaf(_at_)gmail(_dot_)com] writes:

 > On 9/26/07, John L <johnl(_at_)iecc(_dot_)com> wrote:
...
 > > approaches that depend on something like a CAPTCHA to
 > > work don't have much of a long term future.
 > 
 > I respect your opinion but it says that one day we won't be able to tell
 > humans and computers apart.

While that may or may not be true, it's not the only mechanism by which 
CAPTCHAs can be defeated.

First, many poor implementations aren't really all that difficult to OCR.

Second, many sites use a very limited set of images, whether static or 
generated, making it easy to fingerprint them and build a database of correct 
responses.

Third, the responses are generally short enough that the "keyspace" of 
correct responses is short enough to brute-force.  (Yes, I know it's usually 
changed after each try (though again some poor implementations don't), so 
it's not the typical dictionary-style of brute force attack.  Even so, each 
response stands the same chance of success, making infinite retries still 
viable.)  Remember, if it's automated, no attacker really cares how many 
tries it takes, so long as it is likely to succeed within a reasonable number 
of tries.  Lockouts and such can help with this, but again, a lot of sites 
don't bother.

Last, and most amusingly, I've seen rumors that some spambots and suchlike 
farm it out, by using CAPTCHAs that were, ahem, CAPTCHA'd from elsewhere, to 
control access to things such as porn sites, relying on the horndogs to solve 
them in close enough to real time that the originating site will accept it.  
Even if this isn't really happening, or even feasible, it's a clever idea 
IMHO.

Upshot: CAPTCHAs are not to be relied upon for anything really important 
(such as preventing even a possibly-inadvertent DDoS attack on cellphone 
users' patience), not now and certainly not when designing a protocol that 
may be in use for decades to come.  Moore's Law will bite you HARD.

CAPTCHAs that require visual acuity and pattern recognition more easily
discriminate against the visually impaired than they do robots. There
are other flavors of Captcha which have similar issues for the deaf,
color blind, non-print-literate, differing linguistic background from
the author, poor empathy skills etc.

The degenerate condition for Turing tests is an arms race between the
robots and the captcha designers making it progressively harder to prove
that you are in fact a human, which just makes the process of
identifying yourself as such all the more annoying.

-Dave
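The third point above (a short answer space, independent retries, and lockouts that many sites skip) can be made concrete. The following is an added illustration, not code from the thread or from any IETF work: a minimal CAPTCHA verifier that applies the countermeasures the message mentions, namely single-use challenges (a wrong guess burns the challenge instead of allowing another try against the same answer), a time-to-live, and a per-client lockout after repeated failures, plus a helper that quantifies how the lockout bounds an automated guesser. The alphabet, answer length, TTL, failure threshold and lockout window are constructed parameters chosen for the example; the in-memory dictionaries stand in for whatever store a real service would use.

```python
import hmac
import math
import secrets
import time
from dataclasses import dataclass

# Constructed policy parameters (assumptions for this example, not from the thread).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # ambiguous glyphs (0/o, 1/l/i) dropped
LENGTH = 5                     # keyspace = 31**5 = 28,629,151 possible answers
CHALLENGE_TTL = 120.0          # seconds a challenge stays answerable
MAX_FAILURES_PER_CLIENT = 5    # wrong answers tolerated inside one window
LOCKOUT_SECONDS = 300.0        # window length; reaching the limit locks the client


def keyspace():
    return len(ALPHABET) ** LENGTH


def success_probability(space, tries):
    """P(at least one hit) for `tries` independent uniform guesses over `space` answers.

    Each guess has the same chance 1/space, which is the 'infinite retries still
    viable' observation: with enough tries this tends to 1.
    """
    return 1.0 - (1.0 - 1.0 / space) ** tries


def bounded_tries(horizon_seconds):
    """Upper bound on guesses one client can make in `horizon_seconds` under the lockout."""
    windows = math.ceil(horizon_seconds / LOCKOUT_SECONDS)
    return MAX_FAILURES_PER_CLIENT * windows


@dataclass
class Challenge:
    client: str
    answer: str
    issued: float


class ManualClock:
    """Injectable clock so the policy can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class CaptchaVerifier:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges = {}   # token -> Challenge; every token is single use
        self.failures = {}     # client -> timestamps of recent wrong answers

    def _locked(self, client, now):
        recent = [t for t in self.failures.get(client, []) if now - t < LOCKOUT_SECONDS]
        self.failures[client] = recent           # forget failures outside the window
        return len(recent) >= MAX_FAILURES_PER_CLIENT

    def issue(self, client):
        """Return (token, answer) for a fresh challenge, or None while the client is locked.

        In a real service the answer is rendered into the image and never returned;
        it is returned here only so a caller can simulate a solver.
        """
        now = self.clock()
        if self._locked(client, now):
            return None
        answer = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        token = secrets.token_urlsafe(16)       # unguessable handle for the challenge
        self.challenges[token] = Challenge(client, answer, now)
        return token, answer

    def verify(self, client, token, guess):
        """Return 'ok', 'wrong', 'expired', 'unknown' or 'locked'."""
        now = self.clock()
        if self._locked(client, now):
            return "locked"                      # token is left untouched
        ch = self.challenges.pop(token, None)    # consumed whatever the outcome
        if ch is None or ch.client != client:
            return "unknown"
        if now - ch.issued > CHALLENGE_TTL:
            return "expired"
        if hmac.compare_digest(guess.strip().lower().encode(), ch.answer.encode()):
            return "ok"
        self.failures.setdefault(client, []).append(now)
        return "wrong"


if __name__ == "__main__":
    print(f"keyspace: {keyspace():,}")
    print("unbounded guesser, 10^6 tries:", round(success_probability(keyspace(), 10**6), 4))
    tries = bounded_tries(3600)
    print(f"with lockout, one hour: {tries} tries ->",
          round(success_probability(keyspace(), tries), 8))
    clock = ManualClock(1000.0)
    v = CaptchaVerifier(clock)
    token, answer = v.issue("demo")
    print("correct answer:", v.verify("demo", token, answer))
    print("replayed token:", v.verify("demo", token, answer))
```

The two numbers printed side by side are the whole argument: without a cap, an automated client that does not care how many tries it takes can keep pushing the success probability up, whereas a per-client lockout turns the question into "how many guesses per hour can one client afford", which is small enough that the answer space matters again. The check in `verify` orders the lockout test before the token lookup so that a locked client cannot even spend a valid token, and the `pop` makes every challenge single use, so a wrong guess never gets a second shot at the same answer.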



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
