[Owasp-delhi] Re-considering CAPTCHAs
pklanka at gmail.com
Wed Feb 2 13:07:51 EST 2011
Is there any analysis done which compares various captcha methods? Can
On Tue, Feb 1, 2011 at 9:27 AM, Gunwant Singh <gunwant.s at gmail.com> wrote:
> 1. I think this point is valid even if you deploy full-fledged CAPTCHAs. A
> CAPTCHA deployed today could be exploitable a year later, or maybe earlier.
> 2. What if I use the Auto-complete feature to turn off the same, thereby
> compromising user convenience against security?
> On Mon, Jan 31, 2011 at 9:10 PM, Vinil Menon <vinilm at yahoo.com> wrote:
>> 1. If you are building an "interesting" site with a decent amount of
>> traffic, your pages will become part of the "package" - how much additional
>> work would it be? I have websites whose input forms haven't been updated for
>> years now. That's a regular product life cycle - giving the spammer a lot of
>> time to tweak his tool.
>> 2. Anyway, a lot of users I know use the browser's autofill profiles
>> feature. Some of them also use extensions such as LastPass - and they work
>> in a similar way, i.e. by scanning the HTML for INPUT fields and filling them.
>> When they visit the site, the users will see the browser showing the
>> yellow bar saying your form profile has been autofilled, which will confuse
>> the users because they don't see a valid input on the screen. Also, they
>> might become wary about visiting your site because it'd appear as if you are
>> harvesting information without their knowledge.
>> From: Gunwant Singh <gunwant.s at gmail.com>
>> To: OWASP DELHI <owasp-delhi at lists.owasp.org>; OWASP BLORE <owasp-bangalore at lists.owasp.org>
>> Sent: Tue, February 1, 2011 4:42:31 AM
>> Subject: [Owasp-delhi] Re-considering CAPTCHAs
>> Hi all,
>> Hope you are doing well.
>> So there was this thread on CAPTCHAs on SecurityFocus lately, and I
>> happened to read this new idea on CAPTCHAs. This is what he said:
>> "I hate captchas, always have so I use a reverse captcha on sites that I
>> build. You add a field to the form with name and id of email. You then give
>> it a label that says "Please leave blank" and hide them both with CSS. Most
>> people won't see them because the CSS works, even if they do see them they
>> read the message and obey. Spam engines on the other hand spot the email
>> field and happily fill it in. You then silently drop any contact forms with
>> values in the email field."
>> Just wanted to know your opinion on this. How did you find this idea of
>> tricking spammers? I am concerned about this idea because of the ease of
>> its implementation. But there can be concerns regarding customization of bot
>> software depending on the individual forms with such implementations. What
>> else do you have in mind?
>> Gunwant Singh
> Gunwant Singh
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
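The honeypot ("reverse CAPTCHA") field from the quoted SecurityFocus post, written out as an added example. This is not code from the thread or from any of its posters: the field names (`email` as the decoy, `contact_email` for the real address), the inline CSS, the `autocomplete="off"` / `tabindex="-1"` attributes on the decoy, and the sample submissions are all assumptions made here. The second sample submission fills every INPUT it finds, which is both what a form-filling bot does and what Vinil's autofill-profile scenario does, so it also shows the false positive he warns about: such a user is dropped silently, with the same success page a real sender gets.

```python
"""Honeypot ("reverse CAPTCHA") contact form: render a CSS-hidden decoy field,
then silently drop any submission that fills it.

Constructed example: field names, CSS, the log line and the sample
submissions are assumptions of this example, not code from the thread.
"""
import html

# Decoy field. The quoted post names it "email" because that is the field
# form-filling bots go for; the real address therefore lives under a
# different name (an assumption of this example).
HONEYPOT = "email"
REAL_FIELDS = ("name", "contact_email", "message")


def render_form(action="/contact"):
    """Return the form HTML with the decoy input and its label hidden by CSS,
    as in the quoted post. autocomplete="off" and tabindex="-1" are added here
    (assumption) so browser autofill and keyboard focus are less likely to
    land in the decoy."""
    fields = [
        f'<label for="{n}">{html.escape(n.replace("_", " "))}</label>'
        f'<input id="{n}" name="{n}">'
        for n in REAL_FIELDS
    ]
    decoy = (
        f'<label for="{HONEYPOT}" style="display:none">Please leave blank</label>'
        f'<input id="{HONEYPOT}" name="{HONEYPOT}" style="display:none" '
        f'autocomplete="off" tabindex="-1">'
    )
    return (
        f'<form method="post" action="{html.escape(action)}">'
        + "".join(fields) + decoy
        + '<button type="submit">Send</button></form>'
    )


def screen_submission(form):
    """Classify one submission (dict of field name -> value).

    Returns (verdict, missing): verdict is "bot" when the decoy holds any
    non-blank value (checked first, so a bot that also skips fields is still a
    bot), "incomplete" when a real field is blank, otherwise "ok"."""
    if form.get(HONEYPOT, "").strip():
        return "bot", []
    missing = [f for f in REAL_FIELDS if not form.get(f, "").strip()]
    if missing:
        return "incomplete", missing
    return "ok", []


def handle_post(form, inbox):
    """Server-side handler. `inbox` is a list standing in for a mailbox or
    database. Returns (http_status, body). Bot-flagged posts get the same 200
    success page as real ones and are simply not stored (the "silent drop")."""
    verdict, missing = screen_submission(form)
    if verdict == "incomplete":
        return 400, "<p>Please fill in: " + html.escape(", ".join(missing)) + "</p>"
    if verdict == "ok":
        inbox.append({k: form[k] for k in REAL_FIELDS})
    print(f"contact form: verdict={verdict}")  # constructed log line
    return 200, "<p>Thanks, your message has been sent.</p>"


if __name__ == "__main__":
    inbox = []
    # Constructed sample submissions.
    human = {"name": "Asha", "contact_email": "asha@example.com",
             "message": "Hello", HONEYPOT: ""}
    # A bot, or an autofill profile, that fills every INPUT including the decoy.
    bot = {"name": "Asha", "contact_email": "asha@example.com",
           "message": "Buy now", HONEYPOT: "asha@example.com"}
    for sub in (human, bot):
        print(handle_post(sub, inbox))
    print(len(inbox), "message(s) stored")
```

The decoy is checked before anything else, and the response for a flagged post is byte-for-byte the success page, so a spammer gets no feedback to tune against; the cost, as the thread points out, is that a legitimate user whose autofill populated the hidden field is dropped just as quietly.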