On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
A CAPTCHA doesn't need to be successful against every possible threat, it merely needs to be effective against some types of threats. For example, web pages that protect resources with a CAPTCHA are great at making it much more difficult for someone with l33t wget skills from scraping a website.
Well, yes and no. Lately, AFAICT, most CAPTCHAs have been so successfully attacked by wgetters that they're quite easy for machines to break, but difficult for humans to use. For example, I can testify that I now fail about 25% of the reCAPTCHA challenges I perform, because the images are so distorted I just can't make them out (it's much worse on my mobile, given the combination if its small screen and my middle-aged eyes). So it's now more like airport security: a big hassle for the legitimate users but not really much of a barrier for a real attacker. A poor trade-off. Best, A -- Andrew Sullivan Dyn, Inc. asullivan@dyn.com