On 1/26/13, Michael Thomas <mike@mtcc.com> wrote:
Rich Kulawiec wrote:
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
However, as part of a "defense in depth" strategy, it can still make sense.
But defenses have to be *meaningful* defenses. Captchas are a pretend defense. They're wishful thinking. They're faith-based security.
Hm... see, what we have here is a theory, that because some major sites' CAPTCHA implementations have been broken (in some cases, mainly by attacking the audio version), that all CAPTCHA implementations are necessarily vulnerable. And then, because of that.... all CAPTCHAs are worthless, just because some significant CAPTCHA implementations have been defeated with good success. [And then those CAPTCHAs got quickly revised, so they are no longer defeated]

So what we have here are two leaps of logic....

(1) CAPTCHAs used by a few popular websites were defeated in some cases, and some folks have published materials about techniques for defeating CAPTCHAs; therefore, we are to believe that all CAPTCHA implementations are inherently, necessarily easy enough to break. The concept has a few holes in it, because it is possible the websites whose CAPTCHAs were defeated had implementation-specific issues, and it is possible that CAPTCHAs exist that could be fundamentally harder to defeat efficiently. It may be a flawed supposition that all CAPTCHA implementations are necessarily so similar that the same attacks work. This may be coming, but it is not accepted fact, or a compelling idea, that text-based CAPTCHAs are yet trivial to defeat. It's entirely possible that some types of CAPTCHA will become trivial to defeat, and others will present major challenges for an abuser.

And, the second leap of logic was:

(2) If a CAPTCHA is as easily broken as in (1), then a considerable number of the attackers who target a site for abuse will be able to break it and do so (therefore, resulting in a defeat).

[identical-misconception] The concept is equivalent to the idea that all RSA-based encryption is worthless, because just some 512-bit RSA private key was defeated through factoring, by an attacker with sufficient cash to spend. Therefore, any site relying on an RSA-based SSL implementation is insecure, since RSA encryption is faith-based security. [/identical-misconception]
Oh, I dunno. I run a website that has fairly low-volume forums that occasionally get a drive-by spamming. I'm pretty sure that if I implemented even a naive CAPTCHA it would go back to zero. [snip]
Yes. I would agree that the CAPTCHA is likely to be successful in that case. If you would implement it, and measure the spam rates from automated bots both before and after implementing, then you would have a data point in regard to CAPTCHA effectiveness :)
Mike

--
-JH