ietf-asrg

re: [Asrg] Its all over for Challenge Response

2004-02-12 11:54:55
At 12/2/2004 10:02 Thursday, AccuSpam wrote:
Specifically, a probable way to block/disincentivize proxy display of the image-based Turing test (challenge) is to serve the image and HTML for the page from HTTPS only. If the image is loaded by a proxy web page from a 2nd-level domain different from the 2nd-level domain of the image, then the browser will at least display a warning, so displaying the image on the proxy page will not go smoothly, if at all. Attempting to submit by script (a "hidden" small or obscured) frame (or window) from a proxy web page from a different 2nd-level domain will be denied by a security error in the browser:

Using a pretty simple PHP script, the CAPTCHA can be embedded into a new image which is then delivered to the client, no matter if you use HTTP or HTTPS; the final request from the client has nothing to do with the original request to the CAPTCHA image.

Andreas
