On Wed, Sep 17, 2014 at 12:54:09PM +0300, Jari Arkko wrote:
> I was not personally aware of the captcha operation nor have I ever
> seen it while accessing the IETF web site from various places. But
> we can ask Ray to investigate if there are different, more suitable
> settings. However, I'd note that being able to deal with some dos attacks
> is actually a useful feature, and it is not unthinkable for the IETF
> to be a target. So any defence tactic inconvenience should be weighed
> against the risks and benefits.

If captchas actually *were* a viable defense mechanism, then it might be
reasonable to use them. But they ceased being so years ago, and are now
deployed exclusively by those who either haven't been paying attention
or those who studiously refuse to acknowledge reality. Some reading on this
point (many of these contain links that lead to further useful material):

Stanford researchers outsmart captcha codes
http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html

CIntruder: pentesting tool to bypass captchas
http://cintruder.sourceforge.net/

How a trio of hackers brought Google's reCAPTCHA to its knees
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

Snapchat Account Registration CAPTCHA Defeated
http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated

Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

Troy Hunt: Breaking CAPTCHA with automated humans
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

Now Even Photo CAPTCHAs Have Been Cracked
http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Cheap CAPTCHA Solving Changes the Security Game
https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/

Wiseguys Indicted in $25 Million Online Ticket Ring
http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/

Using captchas in 2014 is the security equivalent of Wile E. Coyote holding an
umbrella over his head as an enormous boulder falls toward him: it's a pointless
and futile gesture with zero actual value.
---rsk