WebApp Sec mailing list archives

RE: CAPTCHA


From: "Sacks, Cailan C" <Cailan.Sacks () standardbank co za>
Date: Wed, 26 Jan 2011 10:04:51 +0200

I think Google CAPTCHAs are very readable, and quite easy to implement. Also, can't say I've seen very many users drop 
a service just because of a captcha code, unless it is a really frustrating technology. Truth of the matter though, is 
that I doubt spammers are specifically targeting you, but you would not be the first to implement this kind of CSS 
trickery. Remember, online fraud is big money business, and as a result, the bots on the prowl at the moment aren't the 
primitive creatures of old. Maybe today, it might be a handful of sites using this method that are not being hit (maybe 
it's a whole bunch). Tomorrow it could be a bunch more. Every time eating into their profits. 

It is obfuscation because all you're doing is hiding the real form functionality through some CSS. Either you're 
securing a service (by locking it down), or you're masking a service. Do you want to re-look at your problem in 6 
months, or do you want the problem to go away? Even if Google CAPTCHA is hacked, Google fix it, and you once again get 
the benefit. So many benefits to doing security properly as opposed to half-cooked quick-and-dirties which could land 
your domain on the spammers' list and result in a few days/hours of email downtime.

Anyway just my 2 cents. Lazy devs (and quick and dirties) are the reason I have a job... :)

-----Original Message-----
From: Robin Wood [mailto:robin () digininja org] 
Sent: Tuesday, January 25, 2011 5:37 PM
To: Sacks, Cailan C
Cc: Steve Syfuhs; Shang Tsung; webappsec () securityfocus com
Subject: Re: CAPTCHA

On 25 January 2011 07:22, Sacks, Cailan C
<Cailan.Sacks () standardbank co za> wrote:
Stupid idea. A spammer sees funky implementations of web forms every day, and they patch their bots accordingly. 
There is no security in obfuscation, just buys you time until someone beats you over the head. Google CAPTCHA. They 
do the work and you reap the benefit. Can't get easier.

Depends on your users. I know loads of people who turn off when they
see CAPTCHAs as they have trouble reading them and find them a pain to
try to decipher.

I know that this method isn't perfect but the way I see it is that if
a bot writer wants to modify their spider just to get it to work with
my site then they are going to be sending me spam anyway one way or
another as they have me as a specific target.

Traditional CAPTCHAs have also been cracked, I don't know about
Google's but I'd imagine that the bot writers will be putting more
effort into improving their systems to get around them than to worry
about hitting a few sites.

One last thing, why would you call this obfuscation? I see it as just
another way to implement a system.

Robin


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Syfuhs
Sent: Tuesday, January 25, 2011 3:05 AM
To: Robin Wood; Shang Tsung
Cc: webappsec () securityfocus com
Subject: RE: CAPTCHA

This is a brilliant idea.  Did you come up with it?  If not, got any resources?

Sent from my Windows Phone

-----Original Message-----
From: Robin Wood
Sent: Monday, January 24, 2011 7:49 PM
To: Shang Tsung
Cc: webappsec () securityfocus com
Subject: Re: CAPTCHA


On 24 January 2011 15:11, Shang Tsung <shangtsung71 () gmail com> wrote:
We are planning to use a CAPTCHA in order to stop spam engines from
filling our Online Forms. From a quick research I made, I found there
are good and there are bad types of CAPTCHA.

Does anyone know if there are any standard and secure implementations
of CAPTCHA that we can use?

Any good articles on the subject?

I hate CAPTCHAs, always have, so I use a reverse CAPTCHA on sites that
I build. You add a field to the form with name and id of email. You
then give it a label that says "Please leave blank" and hide them both
with CSS. Most people won't see them because the CSS works, and even if
they do see them they read the message and obey. Spam engines on the
other hand spot the email field and happily fill it in. You then
silently drop any contact forms with values in the email field.

Normal humans aren't affected and you trick most generic bots.

Robin
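The honeypot form Robin describes, written out as an added example (this is illustrative code, not code from the post or from any of the participants). It keeps his choices: the bait input has name and id "email", its label says "Please leave blank", both are hidden with CSS, and a submission that fills the field is dropped without telling the sender. The names `reply_to` (for the visitor's real address, so the bait can keep the attractive name "email"), the `.hp` CSS class and the `process_submission` helper are assumptions made for this example; the sample submissions are constructed, not captured traffic.

```python
"""Honeypot ("reverse CAPTCHA") contact form: a CSS-hidden field named "email"
that humans leave blank and generic form-filling bots populate. Added example,
not the original poster's code."""
import html
from typing import Mapping, Tuple

# The bait field keeps the name "email" so generic bots fill it (as in the post).
HONEYPOT_FIELD = "email"
# Assumption (not in the original post): the visitor's real address is collected
# under a different, less bot-obvious name so the bait can keep "email".
REAL_ADDRESS_FIELD = "reply_to"

# Messages that passed the check; stands in for "send the mail" in this example.
DELIVERED = []


def render_contact_form(action: str = "/contact") -> str:
    """HTML for the form. The honeypot wrapper is pushed off-screen with CSS
    rather than display:none so the "Please leave blank" label still reaches
    screen readers, and tabindex=-1 / autocomplete=off keep keyboard users and
    browser autofill from landing in the bait field by accident."""
    return f"""<style>.hp {{ position: absolute; left: -10000px; }}</style>
<form method="post" action="{html.escape(action)}">
  <label for="name">Name</label>
  <input id="name" name="name">
  <label for="{REAL_ADDRESS_FIELD}">Your address</label>
  <input id="{REAL_ADDRESS_FIELD}" name="{REAL_ADDRESS_FIELD}">
  <label for="message">Message</label>
  <textarea id="message" name="message"></textarea>
  <div class="hp">
    <label for="{HONEYPOT_FIELD}">Please leave blank</label>
    <input id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>"""


def is_honeypot_triggered(form: Mapping[str, str]) -> bool:
    """True when the bait field carries any non-blank value. Whitespace is
    ignored so a stray keypress in an accidentally focused field does not
    cost a real visitor their message."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def process_submission(form: Mapping[str, str]) -> Tuple[dict, bool]:
    """Return (HTTP-style response, delivered). Spam is dropped silently: the
    response is identical in both cases, so the bot gets no signal about why
    its post had no effect."""
    delivered = False
    if not is_honeypot_triggered(form):
        DELIVERED.append({
            "name": form.get("name", ""),
            "reply_to": form.get(REAL_ADDRESS_FIELD, ""),
            "message": form.get("message", ""),
        })
        delivered = True
    response = {"status": 200, "body": "Thanks, your message has been sent."}
    return response, delivered


# Constructed sample submissions (not captured traffic).
HUMAN_SUBMISSION = {
    "name": "Ada",
    REAL_ADDRESS_FIELD: "ada@example.org",
    "message": "Hello",
    HONEYPOT_FIELD: "",                    # hidden field left untouched
}
BOT_SUBMISSION = {
    "name": "Ada",
    REAL_ADDRESS_FIELD: "ada@example.org",
    "message": "Buy now",
    HONEYPOT_FIELD: "spam@example.net",    # bot filled every field it saw
}

if __name__ == "__main__":
    for label, sub in (("human", HUMAN_SUBMISSION), ("bot", BOT_SUBMISSION)):
        resp, delivered = process_submission(sub)
        print(label, resp["status"], "delivered" if delivered else "dropped")
```

The check has to run server-side on the posted fields; hiding the input in the page does nothing on its own. Answering both cases with the same response matters, because a bot that sees an error can tell which field to leave empty next time. As Robin himself says further up, this only filters generic bots: one written for this specific site simply skips the field.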



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

