ietf-asrg

re: [Asrg] Its all over for Challenge Response

2004-02-08 21:49:18
This rumored threat is probably a non-issue.  The IPv4 rate limiting could be
applied to any challenge (Turing test) _submitted_ over IP (differentiate
"submission" from "accessing" the challenge content).  There are probably more
cost-effective attacks for spammers to exploit:

http://www.accuspam.com/faq.php#as_automate

"...because spammers would not be able to amass enough unique IPv4 addresses
(at reasonable cost) to defeat significantly, useful volumes in their economic
model...AccuSpam's challenge method is most often not a response but a normal
visit to contact form..."

Note the implicit requirement is to not serve (be able to access) the same
challenge twice in succession, so that the hijacked client cannot use
JavaScript to submit the challenge in an auxiliary window or frame.  However,
note the exploit could work to the extent that if the client was made to submit
the challenge (not by proxy), i.e. the porn visitor did not receive what was
promised for his work or the porn content was always loaded (irrespective of
results of challenge submission) in a side window or frame.  Theoretically it
might be possible to write a script that ran in an auxiliary window or frame which
could wait on a timer to check the validity of the results of the challenge
submission by parsing the returned content in the other companion window or
frame.  I think serving the challenge over HTTPS would be sufficient so the
browser's security system prevents access from script in another window or frame
(URL containing a different domain).  Whether such client hacks could produce
popular porn sites (see volume requirements argument as well in link above) is
highly dubious.  The challenge results could return frame-busting HTML and/or
ensure they were on a frame or window of sufficient size to interfere with
attempted client hacks.

Shelby Moore
http://AccuSpam.com
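Added example, not AccuSpam's code and not from anyone on the thread: the server-side half of the argument above, i.e. a challenge that can be fetched freely but is a single-use token, with only *submissions* counted per IPv4 address. The limits, the toy arithmetic puzzle, and the addresses (documentation ranges) are assumptions made so the module runs offline. simulate_relay() models the porn-relay attack both ways: answers relayed and submitted from the spammer's own address (the per-IP limit caps them) and the residual case the post worries about, where each hijacked visitor's browser is made to submit directly (the limit does not help, which is what the HTTPS/different-origin and frame-busting measures are for).

```python
"""Single-use challenge tokens plus per-IPv4 rate limiting of *submissions*.

Added example; not AccuSpam's code and not from anyone in this thread.
Assumed design (names and limits are illustrative):
  - fetching a challenge is not rate limited, but each challenge is a
    single-use token, so the same challenge is never served or accepted twice;
  - only submissions are counted per IPv4 address in a sliding window.
The puzzle is a toy arithmetic question so the module runs offline; a real
deployment would serve an image or similar Turing test.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

SUBMIT_LIMIT_PER_IP = 5       # assumed: attempts per IP per window
SUBMIT_WINDOW_SECS = 3600.0   # assumed
CHALLENGE_TTL_SECS = 600.0    # assumed


class ChallengeServer:
    def __init__(self, clock=time.time):
        self.clock = clock                         # injectable for testing
        self.pending = {}                          # token -> (answer, issued_at)
        self.submissions = defaultdict(deque)      # ip -> submission timestamps

    def issue(self):
        """Serve a fresh challenge. Returns (token, puzzle_text).

        Accessing challenges is deliberately unlimited: it is the submission,
        not the view, that the spammer needs in volume."""
        a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
        token = secrets.token_urlsafe(16)
        self.pending[token] = (str(a + b), self.clock())
        return token, f"What is {a} + {b}?"

    def _over_limit(self, ip):
        now = self.clock()
        q = self.submissions[ip]
        while q and now - q[0] > SUBMIT_WINDOW_SECS:   # drop entries outside the window
            q.popleft()
        return len(q) >= SUBMIT_LIMIT_PER_IP

    def submit(self, ip, token, answer):
        """Return 'ok', 'rate_limited', 'unknown_or_reused', 'expired' or 'wrong'.

        Every attempt from an IP counts against its window, whatever the
        outcome, so tokens cannot be probed for free."""
        if self._over_limit(ip):
            return "rate_limited"
        self.submissions[ip].append(self.clock())
        entry = self.pending.pop(token, None)      # pop(): one attempt per token
        if entry is None:
            return "unknown_or_reused"
        expected, issued_at = entry
        if self.clock() - issued_at > CHALLENGE_TTL_SECS:
            return "expired"
        if not hmac.compare_digest(expected.encode(), str(answer).strip().encode()):
            return "wrong"
        return "ok"


def solve(puzzle):
    """Stand-in for the human (here, the porn visitor) who solves the puzzle."""
    a, _, b = puzzle[len("What is "):-1].split()
    return str(int(a) + int(b))


def simulate_relay(n_challenges, victims_submit=False, spammer_ip="198.51.100.7"):
    """Model the porn-relay attack and return how many of n_challenges get through.

    victims_submit=False: the spammer's site shows each challenge to a visitor,
    collects the answer and submits it from the spammer's own address, so the
    per-IP limit caps what is accepted.
    victims_submit=True: each hijacked visitor's browser submits the challenge
    itself from a distinct address and the per-IP limit does not help.
    Addresses are constructed from documentation ranges."""
    srv = ChallengeServer()
    accepted = 0
    for i in range(n_challenges):
        token, puzzle = srv.issue()
        ip = f"203.0.113.{i % 254 + 1}" if victims_submit else spammer_ip
        if srv.submit(ip, token, solve(puzzle)) == "ok":
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("spammer submits 50 relayed answers:", simulate_relay(50))
    print("50 hijacked browsers submit directly:", simulate_relay(50, victims_submit=True))
```

Note that the second simulation is exactly the case the rate limit cannot cover; the token pop() in submit() is what enforces "never serve or accept the same challenge twice", and the counter is deliberately placed before the token lookup so unknown or reused tokens still spend the submitter's quota.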


Spammers have found a way to break C/R schemes that have a 'Turing test'
component.

You simply set up a free porn web site and get people to crack the Turing
tests in return for seeing the porn.

http://yro.slashdot.org/article.pl?sid=04/01/28/1344207&mode=flat&tid=111&tid=126&tid=172&tid=95&threshold=1

            Phill 


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg