ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: CAPTCHA is NOT a Turing test, or even close

2007-09-26 10:44:59
from [Hallam-Baker, Phillip] [Permanent Link] 
CAPTCHA is by definition an attempt to create a Turing test, its what the T 
stands for.

The question is whether 1) a particular CAPTCHA is an effective Turing test and 
2) whether an effective Turing test is an effective security measure.

The answer to the first question is usually yes and the answer to the second 
is, yes but only against a casual attacker. Professional Internet Criminals buy 
technology to defeat CAPTCHA from specialists. The prices paid are not very 
high given the amount of effort required. Note that this effect was anticipated 
by the original authors, the original subtitle of the paper is 'How lazy 
cryptographers do AI'.

http://www.captcha.net/captcha_cacm.pdf



From a security point of view it absolutely does make a difference if we are 
dealling with a few tens of thousands of hard core professional criminals or 
several million script kiddies. Most car alarms can be defeated by the 
professional thief but they significantly reduce the ability/temptation of 
kids to steal a car to go joy riding.


If I have an asset that is worth $X to a professional criminal and a control 
that will cost >> X to defeat the asset is reasonably secure.


From a security research point of view, yes anyone who puts up a CAPTCHA 
scheme and claims it is absolutely secure should expect to be hit by a few 
tomatoes. 


Yes I have been critical of a few particular CAPTCHA schemes and shown how the 
security claims made are not sustained. But please don't apply the security 
considerations we apply to the design of cryptographic security protocols as 
essential criteria that every security protocol must meet. Crypto is in a 
separate class because the tools we have are so good that we can reasonably 
expect to design protocols that are secure from cryptanalytic attack. That is 
not the case for security applications and in particular when we consider the 
user experience.

CAPTCHA can certainly be very effective if your objective is to stop ballot 
stuffing or casual trolling/spam. It is not a foolproof control against a 
professional criminal. But we have other ways to deal with those.



-----Original Message-----
From: IETF member Dave Aronson [mailto:ietf2dave(_at_)davearonson(_dot_)com] 
Sent: Wednesday, September 26, 2007 9:12 AM
To: ietf(_at_)ietf(_dot_)org
Subject: CAPTCHA is NOT a Turing test, or even close

Pars Mutaf [mailto:pars(_dot_)mutaf(_at_)gmail(_dot_)com] writes:

 > On 9/26/07, John L <johnl(_at_)iecc(_dot_)com> wrote:
...
 > > approaches that depend on something like a CAPTCHA to  > 

work don't have much of a long term future.

 >
 > I respect your opinion but it says that one day we won't 
be able to tell  > humans and computers apart.

While that may or may not be true, it's not the only 
mechanism by which CAPTCHAs can be defeated.

First, many poor implementations aren't really all that 
difficult to OCR.

Second, many sites use a very limited set of images, whether 
static or generated, making it easy to fingerprint them and 
build a database of correct responses.

Third, the responses are generally short enough that the 
"keyspace" of correct responses is short enough to 
brute-force.  (Yes, I know it's usually changed after each 
try (though again some poor implementations don't), so it's 
not the typical dictionary-style of brute force attack.  Even 
so, each response stands the same chance of success, making 
infinite retries still viable.)  Remember, if it's automated, 
no attacker really cares how many tries it takes, so long as 
it is likely to succeed within a reasonable number of tries.  
Lockouts and such can hellp with this, but again, a lot of 
sites don't bother.

Last, and most amusingly, I've seen rumors that some spambots 
and suchlike farm it out, by using CAPTCHAs that were, ahem, 
CAPTCHA'd from elsewhere, to control access to things such as 
porn sites, relying on the horndogs to solve them in close 
enough to real time that the originating site will accept it. 
 Even if this isn't really happening, or even feasible, it's 
a clever idea IMHO.

Upshot: CAPTCHAs are not to be relied upon for anything 
really important (such as preventing even a 
possibly-inadvertent DDoS attack on cellphone users' 
patience), not now and certainly not when designing a 
protocol that may be in use for decades to come.  Moore's Law 
will bite you HARD.

-Dave

--
Dave Aronson
"Specialization is for insects."  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: why can't IETF emulate IEEE on this point?, Paul Hoffman
Next by Date:  Re: Third Last Call: draft-housley-tls-authz-extns, Tim Polk
Previous by Thread:  Re: CAPTCHA is NOT a Turing test, or even close, Joel Jaeggli
Next by Thread:  Re: [IPFIX] draft-ietf-ipfix-protocol-26.txt, Scott O. Bradner
Indexes:  [Date] [Thread] [Top] [All Lists]