nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and
From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 25 Jan 2013 07:40:50 -0500
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
> However, as part of a "defense in depth" strategy, it can still make sense.
Brother, you're preaching to the choir. I've argued for defense in depth for longer than I can remember. Still am. But defenses have to be *meaningful* defenses. Captchas are a pretend defense. They're wishful thinking. They're faith-based security.

Moreover, like all defenses, they don't come for free. There are costs associated with them (both for those deploying them and for users of whatever service they're allegedly protecting). And beyond the obvious costs, as we've learned through bitter experience, "complexity" is not only a hidden cost but also sometimes the one that bites us in the ass by way of vulnerabilities.

So given that we all know that (a) the express purpose of captchas is to determine whether or not a human is on the other end of the wire and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?

Doubly so given that there are a fair number of visually-impaired people, blind people, and, oh, by the way, people using devices with rather small displays. Especially the last, recently. Why inflict this nonsense on them? Why try to offload the (admittedly) hard work of securing a resource onto the users, especially the users who are least-equipped to deal with it?

And please: let's not even go to audio captchas. That's the sort of bag-on-the-side-of-a-bag hack that we all did our sophomore year but were too embarrassed to admit by the time we were seniors.

We have much better defenses at our disposal. (Examples: BCP 38, the Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with rate throttling, checksum comparison.)

---rsk