nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and
From: Joe Greco <jgreco () ns sol net>
Date: Fri, 25 Jan 2013 08:20:24 -0600 (CST)
> But defenses have to be *meaningful* defenses. Captchas are a pretend defense. They're wishful thinking. They're faith-based security.
They're a hook-and-eye latch. Now, if you want to go installing a bank vault door to keep your dog in the backyard, by all means, be my guest. Me, I'm frugal, so I'll make the more reasonable investment of a hook-and-eye latch to keep the gate closed.
> Moreover, like all defenses, they don't come for free. There are costs associated with them (both for those deploying them and for users of whatever service they're allegedly protecting). And beyond the obvious costs, as we've learned through bitter experience, "complexity" is not only a hidden cost but also sometimes the one that bites us in the ass by way of vulnerabilities. So given that we all know that (a) the express purpose of captchas is to determine whether or not a human is on the other end of the wire and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?
Not a given; your (a) is faulty. I already gave a trivial example of a situation where the deployment was intended to detect and deter a specific sort of automated exploit (more of a "prove you're a stupid spam bot and therefore ignorable" than a "prove you're human").
> Doubly so given that there are a fair number of visually-impaired people, blind people, and, oh, by the way, people using devices with rather small displays. Especially the last, recently. Why inflict this nonsense on them? Why try to offload the (admittedly) hard work of securing a resource onto the users, especially the users who are least-equipped to deal with it?
That depends on the CAPTCHA, I would imagine. Pretty sure that none of the cases you list would have a problem with the CAPTCHA I described.
> And please: let's not even go to audio captchas. That's the sort of bag-on-the-side-of-a-bag hack that we all did our sophomore year but were too embarrassed to admit by the time we were seniors. We have much better defenses at our disposal. (Examples: BCP 38, the Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with rate throttling, checksum comparison.)
Each suitable for a particular range of purposes. And, as it turns out, each generally varies in effectiveness as they age... it just turns out that CAPTCHA has aged relatively poorly.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.