I am following up on (and correcting some minor technical mistakes in) my
previous post to this thread stating the theoretical attack is probably a
non-issue:
https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg09220.html

Specifically, a probable way to block/disincentivize proxy display of the
image-based Turing test (challenge) is to serve the image and HTML for the
page from HTTPS only. If the image is loaded by a proxy web page from a
2nd-level domain different from the 2nd-level domain of the image, then the
browser will at least display a warning, so displaying the image on the proxy
page will not go smoothly, if at all.

Attempting to submit by script a "hidden" (small or obscured) frame (or
window) from a proxy web page from a different 2nd-level domain will be denied
by a security error in the browser:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/om/xframe_scripting_security.asp

Submitting a form from an HTTPS web page with a 2nd-level domain different
from the receiving URL will also cause at least a browser warning.

Theoretically, an attacker could attempt to install and use a different client
on the visitor's computer, but each step away from normal use of the browser
increases visitor acquisition/attrition costs.

These techniques would likely increase the visitor acquisition/attrition costs
of such a theoretical porn site attack. Combining these techniques with
reasonable IPv4 address rate limiting would probably drastically increase the
number of visitors that would be needed and make the theoretical attack
uneconomical in the spammer's business (cost) model. Additionally, AccuSpam
adds aging of whitelist entries (the challenge needs to be repeated
periodically for the same sender) to exponentially increase the costs to the
spammer.

I (we) disclaim any liability for using these techniques. Use and read this at
your own discretion and risk.

Shelby Moore
http://AccuSpam
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
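
The IPv4 rate limiting and whitelist aging described in the post above, sketched as an added example that is not part of the original message and is not AccuSpam's code. The class name, the per-address quota, the window and the whitelist lifetime are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class ChallengeGate:
    """Hypothetical server-side gate for challenge answers (illustrative only)."""

    def __init__(self, max_solves_per_ip=3, window_s=3600, whitelist_ttl_s=30 * 86400):
        # Assumed values: 3 accepted solves per IPv4 address per hour, 30-day aging.
        self.max_solves_per_ip = max_solves_per_ip
        self.window_s = window_s
        self.whitelist_ttl_s = whitelist_ttl_s
        self._solves = defaultdict(deque)  # client IPv4 -> times of accepted solves
        self._whitelist = {}               # sender address -> time challenge was solved

    def accept_solution(self, sender, client_ip, correct, now=None):
        """Whitelist `sender` only if the answer is correct and the IP is under quota."""
        now = time.time() if now is None else now
        recent = self._solves[client_ip]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()               # forget solves that left the sliding window
        if not correct or len(recent) >= self.max_solves_per_ip:
            return False                   # wrong answer, or one address solving too often
        recent.append(now)
        self._whitelist[sender.lower()] = now
        return True

    def is_whitelisted(self, sender, now=None):
        """True while the sender's entry is younger than the aging limit."""
        now = time.time() if now is None else now
        key = sender.lower()
        solved_at = self._whitelist.get(key)
        if solved_at is None:
            return False
        if now - solved_at >= self.whitelist_ttl_s:
            del self._whitelist[key]       # aged out: the challenge must be repeated
            return False
        return True


if __name__ == "__main__":
    # Constructed sample data: documentation addresses and example.com senders.
    gate = ChallengeGate(max_solves_per_ip=2)
    for i, sender in enumerate(["a@example.com", "b@example.com", "c@example.com"]):
        ok = gate.accept_solution(sender, "192.0.2.1", correct=True, now=float(i))
        print(sender, "accepted" if ok else "rejected (IP over quota)")
    print("a still whitelisted after 31 days:",
          gate.is_whitelisted("a@example.com", now=31 * 86400.0))
```

Because each address can whitelist only a few senders per window and every entry expires, the number of distinct visitors needed to keep a sender list alive grows with both limits.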