On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
> However, as part of a "defense in depth" strategy, it can still make sense.

Brother, you're preaching to the choir. I've argued for defense in depth for longer than I can remember. Still am. But defenses have to be *meaningful* defenses. Captchas are a pretend defense. They're wishful thinking. They're faith-based security.

Moreover, like all defenses, they don't come for free. There are costs associated with them (both for those deploying them and for users of whatever service they're allegedly protecting). And beyond the obvious costs, as we've learned through bitter experience, "complexity" is not only a hidden cost but also sometimes the one that bites us in the ass by way of vulnerabilities.

So given that we all know that (a) the express purpose of captchas is to determine whether or not a human is on the other end of the wire and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs? Doubly so given that there are a fair number of visually-impaired people, blind people, and, oh, by the way, people using devices with rather small displays. Especially the last, recently. Why inflict this nonsense on them? Why try to offload the (admittedly) hard work of securing a resource onto the users, especially the users who are least-equipped to deal with it?

And please: let's not even go to audio captchas. That's the sort of bag-on-the-side-of-a-bag hack that we all did our sophomore year but were too embarrassed to admit by the time we were seniors.

We have much better defenses at our disposal. (Examples: BCP 38, the Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with rate throttling, checksum comparison.)

---rsk