[Owasp-delhi] Re-considering CAPTCHAs

Phani pklanka at gmail.com
Wed Feb 2 13:07:51 EST 2011


Is there any analysis done which compares various captcha methods? Can
anyone share...

On Tue, Feb 1, 2011 at 9:27 AM, Gunwant Singh <gunwant.s at gmail.com> wrote:

> 1. I think this point is valid even if you deploy full-fledged CAPTCHAs.
> A CAPTCHA deployed today could be exploitable a year later, or maybe earlier.
>
> 2. What if I use the auto-complete feature to turn off the same, thereby
> compromising user convenience against security?
> On Mon, Jan 31, 2011 at 9:10 PM, Vinil Menon <vinilm at yahoo.com> wrote:
>
>> 1. If you are building an "interesting" site with a decent amount of
>> traffic, your pages will become part of the "package" - how much additional
>> work would it be? I have websites whose input forms haven't been updated for
>> years now. That's a regular product life cycle - giving the spammer a lot of
>> time to tweak his tool.
>>
>> 2. Anyway, a lot of users I know use the browser's autofill profiles
>> feature. Some of them also use extensions such as lastpass - and they work
>> in a similar way i.e. by scanning the html for INPUT fields and filling them
>> appropriately.
>> When they visit the site, the users will see the browser showing the
>> yellow bar saying your form profile has been autofilled, which will confuse
>> the users because they don't see a valid input on the screen. Also, they
>> might become wary about visiting your site because it'd appear as if you are
>> harvesting information without their knowledge.
>>
>> Vinil
>>
>> ------------------------------
>> From: Gunwant Singh <gunwant.s at gmail.com>
>> To: OWASP DELHI <owasp-delhi at lists.owasp.org>; OWASP BLORE <owasp-bangalore at lists.owasp.org>
>> Sent: Tue, February 1, 2011 4:42:31 AM
>> Subject: [Owasp-delhi] Re-considering CAPTCHAs
>>
>> Hi all,
>>
>> Hope you are doing well.
>>
>> So there was this thread on CAPTCHAs on SecurityFocus lately and I
>> happened to read this new idea on CAPTCHA. This is what he said:
>>
>> "I hate captchas, always have so I use a reverse captcha on sites that I
>> build. You add a field to the form with name and id of email. You then give
>> it a label that says "Please leave blank" and hide them both with CSS. Most
>> people won't see them because the CSS works, even if they do see them they
>> read the message and obey. Spam engines on the other hand spot the email
>> field and happily fill it in. You then silently drop any contact forms with
>> values in the email field."
>>
>> Just wanted to know your opinion on this. How did you find this idea of
>> tricking spammers? I am concerned about this idea because of the ease of
>> its implementation. But there can be concerns regarding customization of bot
>> software depending on the individual forms with such implementations. What
>> else do you have in mind?
>>
>> --
>> Gunwant Singh
>>
>>
>
>
> --
> Gunwant Singh
>
>
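The "reverse CAPTCHA" quoted above, put into code together with the browser autofill concern raised in the replies. This is an added example, not code from anyone in the thread; the visible field name `contact_email`, the `hp` CSS class and the `/contact` action are assumptions made here.

```python
"""Honeypot ("reverse CAPTCHA") contact form, as described in the quoted post.

Constructed example: the decoy field carries the name/id `email` that
form-filling bots look for; the real address field is named `contact_email`
(hypothetical name chosen for this example).
"""
import html

HONEYPOT_FIELD = "email"            # decoy name, as in the quoted post
REAL_EMAIL_FIELD = "contact_email"  # assumed name for the visible field


def render_form(action="/contact"):
    """Return the form markup.

    The decoy input and its "Please leave blank" label are hidden with CSS
    (class `hp`), carry autocomplete="off" so browser autofill profiles and
    password-manager extensions do not populate them (the concern raised in
    the replies), and are taken out of the tab order for keyboard users."""
    return f"""
<style>.hp {{ position:absolute; left:-9999px; }}</style>
<form method="post" action="{html.escape(action)}">
  <label for="name">Name</label>
  <input type="text" id="name" name="name">
  <label for="{REAL_EMAIL_FIELD}">Your e-mail</label>
  <input type="text" id="{REAL_EMAIL_FIELD}" name="{REAL_EMAIL_FIELD}">
  <div class="hp">
    <label for="{HONEYPOT_FIELD}">Please leave blank</label>
    <input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}"
           autocomplete="off" tabindex="-1">
  </div>
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>"""


def classify_submission(form):
    """Decide what to do with a POSTed form (dict of field name -> value).

    Returns "drop" when the decoy field carries any non-whitespace value,
    which the quoted post does silently (no error is shown, so the sender
    gets no signal that the field was the trap); otherwise "accept"."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "drop"
    return "accept"
```

A dropped submission is still worth logging server-side, so the rate of decoy hits can be watched as bots adapt to the individual form.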