ietf

Re: IETF web site behind CloudFlare

2014-09-17 05:48:58
On Wed, Sep 17, 2014 at 12:54:09PM +0300, Jari Arkko wrote:
> I was not personally aware of the captcha operation nor have I ever
> seen it while accessing the IETF web site from various places. But
> we can ask Ray to investigate if there are different, more suitable
> settings. However, I'd note that being able to deal with some DoS attacks
> is actually a useful feature, and it is not unthinkable for the IETF
> to be a target. So any defence tactic inconvenience should be weighed
> against the risks and benefits.

If captchas actually *were* a viable defense mechanism, then it might be
reasonable to use them.  But they ceased being so years ago, and are now
deployed exclusively by those who either haven't been paying attention
or those who studiously refuse to acknowledge reality.  Some reading on this
point (many of these contain links that lead to further useful material):

        Stanford researchers outsmart captcha codes
        http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html

        CIntruder: pentesting tool to bypass captchas
        http://cintruder.sourceforge.net/

        How a trio of hackers brought Google's reCAPTCHA to its knees
        http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

        Snapchat Account Registration CAPTCHA Defeated
        http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated

        Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
        http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

        Troy Hunt: Breaking CAPTCHA with automated humans
        http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

        Now Even Photo CAPTCHAs Have Been Cracked
        http://it.slashdot.org/article.pl?sid=08/10/14/1442213

        Cheap CAPTCHA Solving Changes the Security Game
        https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/

        Wiseguys Indicted in $25 Million Online Ticket Ring
        http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/

Using captchas in 2014 is the security equivalent of Wile E. Coyote holding an
umbrella over his head as an enormous boulder falls toward him: it's a pointless
and futile gesture with zero actual value.

---rsk