On Wed, Jan 23, 2013 at 01:20:07PM +0100, . wrote:
> > CAPTCHAs are a "defense in depth" that reduce the number of spam incidents to a number manageable by humans.
>
> No, they do not. If you had actually bothered to read the links that I provided, or simply to pay attention over the last several years, you would know that captchas are not any kind of defense at all.
>
> They're like holding up tissue paper in front of a tank: worthless.
>
> (Yes, yes, I'm well aware that many people will claim that *their* captchas work. They're wrong, of course: their captchas are just as worthless as everyone else's. They simply haven't been competently attacked yet. And relying on either the ineptness or the laziness of attackers is a very poor security strategy.)
This is a fairly common mistake. Security isn't about prevention, it's about deterrence. If you have a locked screen door, someone can still trivially break the screen and unlock it. If you have a glass door, a brick. If you have a hollow core wood door, a shoulder. If you have a solid core wood door, a sledge. If you have a steel door, a prybar. If you have a safe-style door, explosives. If you're Fort Knox, a larger military force. :-)

Basically there is no door that cannot be overcome with sufficient force; the point of a door is not to absolutely prevent a bad guy from entering under all circumstances, but rather to deter the average attacker into going to bother the neighbors instead. You can do many things to augment your physical security (unpickable locks, reinforced doors, motion sensor lights, alarm systems, etc.), but all of these are merely enhancers that are designed to make a criminal look for an easier target. A determined and properly resourced attacker who is set on attacking a given resource is going to be successful eventually.

And that's where the so-called argument against CAPTCHAs falls apart. A CAPTCHA doesn't need to be successful against every possible threat, it merely needs to be effective against some types of threats. For example, web pages that protect resources with a CAPTCHA are great at making it much more difficult for someone with l33t wget skills to scrape a website. It isn't a high bar anymore, it isn't a strong defense anymore. All quite true, so I'll even agree with your inevitable answer that many websites are using CAPTCHA as protection against attacks that it is no longer capable of guarding against. Agreed! However, as part of a "defense in depth" strategy, it can still make sense. It's much more of a locked screen door at this point, but if you've got threats that can be easily deterred, then it's still viable.

...
JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.