HTML Encoded Captchas
rangeva writes to tell us about a twist he has developed on the common Captcha technique to discourage spam bots:
HECs encode the Captcha image into HTML, thus presenting an unsolved challenge to the bots' programmers. From the writeup: "The Captcha is no longer an image and therefore not a resource they can download and process. The owner of the site can change the properties of the Captcha's HTML, making it unique,... add[ing] another layer of complication for the bot to crack." HECs are not exactly lightweight — the one on the linked page weighs in at 218K — but this GPL'd project seems like a nice advance on the state of the art.
I failed to see how this'll help (Score:5, Interesting)
Render, PrintScr, OCR? (Score:3, Interesting)
A better solution might be the authentication system old 386 games had where you have to do some simple but human intelligence requiring task. "Find the word in the upper right of manual pg 4" -> "Enter the 3rd word from the following paragraph"
watermarking (Score:3, Interesting)
Re:I failed to see how this'll help (Score:4, Interesting)
Add in the huge size of the html and the annoyance factor of captchas in general, and this is amazingly stupid.
Spy vs spy (Score:1, Interesting)
I have a question. How much of a problem are these spammed responses to blogs? I go to several blogs that don't have captchas and haven't noticed anything that could be called spam. Is this a response to a non-problem?
A captcha is still a captcha (Score:5, Interesting)
An HTML-generated captcha would prevent that, since there is no image file to copy.
However, what prevents the attacker from simply copying the relevant HTML source and putting it on his or her site, just like the image? Sure, you can make it quite complicated by adding CSS layers and whatnot, but in the end that would just merely be an extra annoyance.
And stopping the attacker from using OCR on the captcha won't really work either. It's not that hard to render HTML code to an image, which you can feed to the OCR software.
In short, this hack is just another step in the arms race, that just buys us some time.
Do others use such spam-bot blockers? (Score:3, Interesting)
I've had sessions that took an inordinately long time to initialize with various web service providers (it's very noticeable on dial-up.) I'm wondering whether similar techniques might be used to attack rather than defend, possibly including rogue AJAX code.
Screen Captcha! (Score:3, Interesting)
The file size is what intrigues me. Just make a 'hidden' captcha that a bot would download. Now figure out how to make a jpeg decompressor uncompress that to 2 gigs or better.
It's like the old "I'll compress 2gigs of the letter A with zip and upload it to that BBS and let the virus checker gag" gag.
Or maybe a gif file. I wonder how solid black or white compresses...
Lunacy (Score:4, Interesting)
With the limited amount of colours used, it would make much more sense to
a) give the table an id, then:
table.tabid td { width:1px; height:1px; }
b) give some classes for each colour used
td.colid { background-color: blah; }
I'm sure that would halve the source code size... How can you trust an HTML solution that hasn't even been properly thought through?
Processing (Score:2, Interesting)
"The Captcha is no longer an image and therefore not a resource they can download and process."
Err...but the HTML captcha is a resource they can download and process.
Broken (Score:5, Interesting)
A matter of time (Score:2, Interesting)
The advantage of this captcha is that it is not widespread yet and so the chances that a bot can crack it are lower.
Funny that when OCR software is supposed to work it often fails, but when there is some effort to hinder recognition then bots can deal with that. Maybe general OCR software should try to crack input instead!
Congratulations... FOOL! (Score:2, Interesting)
Congratulations. How much did they pay you?
Oh, as for the "official" purpose. I give it a life expectancy of 3 weeks before the spammers have found a way around it. If they bother at all.
No need to download the image (Score:5, Interesting)
Now, just go to MD5Lookup.Com [md5lookup.com] and convert that little "hidden" MD5Sum back to the original text:
ad6ade8a0b6e2f748b80a390ff45cf31 - &NMTB
Maybe the author should add some salt.
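The point raised in the comment above, as an added example that is not part of the original comment or the HEC project's code: an unkeyed digest of a short answer is the same on every page that shows that answer, and a salt published next to it would not change that the answer space is small, so this sketch goes one step past "add some salt" and binds the answer to a server-held key, a nonce and an expiry. All names (`SERVER_KEY`, `issue_token`, `verify`, `TTL_SECONDS`) are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample values. SERVER_KEY never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 120


def weak_token(answer):
    """The pattern the comment describes: an unkeyed MD5 of the answer,
    embedded in the page. Deterministic, so it can be looked up."""
    return hashlib.md5(answer.encode()).hexdigest()


def issue_token(answer, key=SERVER_KEY, now=None):
    """Return 'nonce.expiry.mac'. The MAC covers nonce, expiry and answer,
    so the page reveals nothing that can be checked without the key."""
    nonce = secrets.token_hex(16)
    expiry = int((time.time() if now is None else now) + TTL_SECONDS)
    msg = f"{nonce}.{expiry}.{answer}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expiry}.{mac}"


def verify(token, submitted, key=SERVER_KEY, now=None):
    """Check expiry, then the MAC in constant time. Malformed input fails closed.
    Replay within the TTL still needs a server-side record of used nonces."""
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if (time.time() if now is None else now) > expiry:
        return False
    msg = f"{nonce}.{expiry}.{submitted}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())
```

Keeping the expected answer in server-side session state instead of in the page avoids the token entirely and gives single-use behaviour for free.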
Re:I failed to see how this'll help (Score:1, Interesting)
What would I do? Simply look for all the td's with one single colored pixel, and then count the tr's in between.
Everything else is made easier as the chance is given, in fact, of developing a successful and simple scanner without the need for third party modules (gd, image::magick et similia).
Give up. If I can read that, I know I'm going to be able to make a script that just does that. This is just not the way.
You can make a script that makes things difficult on me, but that's just delaying the day where the captcha will be broken.
Stefano