Slashdot Mirror
HTML Encoded Captchas
rangeva writes to tell us about a twist he has developed on the common Captcha technique to discourage spam bots:
HECs encode the Captcha image into HTML, thus presenting an unsolved challenge to the bots' programmers. From the writeup: "The Captcha is no longer an image and therefore not a resource they can download and process. The owner of the site can change the properties of the Captcha's HTML, making it unique,... add[ing] another layer of complication for the bot to crack." HECs are not exactly lightweight — the one on the linked page weighs in at 218K — but this GPL'd project seems like a nice advance on the state of the art.
At the end of the day, this captcha is displayed on the screen as a colorful harder-to-read mumbo-jumbo, just like jpeg captchas, so all a bot has to do is use a html renderer to turn it into a regular image that can be processed. So the added complication is linking one of the existing captcha decoders and the gecko engine for example, maybe a half day's work. Not exactly uncrackable...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Can't the bot simply render and OCR it?
A better solution might be the authentication system old 386 games had where you have to do some simple but human intelligence requiring task. "Find the word in the upper right of manual pg 4" -> "Enter the 3rd word from the following paragraph"
How about watermarking the captcha with the site's address and a short message?
Anyone?
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
I think using a captcha like this one (html-table rendered) is bad web-manners. The rendering of such a table, pixel by pixel, is a huge toll on browsers. Even on my (relatively) new and (relatively) powerful machine, it took Firefox a noticeable amount of time to render the image, and caused my hard drive to crunch a little. I don't even want to imagine less powerful machines or, random-fluctuation-of-time-and-space forbid, mobile devices. All in all, I think this method severely limits the users accessing this site.
When in danger or in doubt, run in circles, scream and shout [Robert Heinlein]
If the goal was to prevent the image from immediately downloadable, could have used the data: protocol to embed the image data directly into the actual page, or embedded SVG, or used regular CSS to obfuscate the captcha.
This scheme will work until it is widely enough used that it is worth the spammers' while to write a crack. As the author suggests, the ultimate solution is probably to have so many of these schemes that the spammers can't keep up.
I have a question. How much of a problem are these spammed responses to blogs. I go to several blogs that don't have captchas and haven't noticed anything that could be called spam. Is this a response to a non-problem?
I read TFA and solved their little captcha, but didn't get no Pr0n!
Screw trying to solve it, it would be easier to use that 218kb chunk of junk that's no doubt going to need a bunch of dynamic processing against them, thus forcing them to wish they never used it in the first place.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
1. Show the image in an alternate pornographic/warez/whatever website
2. Ask the user to type it in to access the site
3. Use the user's input to access the original protected site
4. There is no step 4.
---
One of the main objections of a captcha is that an attacker could steal the image file and simply use it on their site (XXX sites...) to get it "cracked".
A HTML generated captcha would prevent that, since there is no image file to copy.
However, what prevents the attacker to simply copy the relevant HTML source and put it on his or her site, just like the image? Sure, you can make it quite complicated by adding CSS layers and whatnot, but in the end that would just merely be an extra annoyance.
And stopping the attacker on using OCR on the captcha won't really work either. It's not that hard to render HTML code to an image, which you can feed to the OCR software.
In short, this hack is just another step in the arms race, that just buys us some time.
I've had sessions that took an inordinately long time to initialize with various web service providers (it's very noticeable on dial-up.) I'm wondering whether similar techniques might be used to attack rather than defend, possibly including rogue AJAX code.
I do not fail; I succeed at finding out what does not work.
Really? Firefox doesn't seem to have any problems downloading and processing it, and as I wasn't aware that Firefox or Gecko used voodoo magic, I'm going to assume that the same would be true of any purpose-written code...
It's a nice idea, but it's little more than a speed-bump at best. (And not a particularly high one, at that)
It's official. Most of you are morons.
It's easy no?
The file size is what intriques me. Just make a 'hidden' captcha that a bot would download. Now figure out how to make a jpeg decompressor uncompress that to 2 gigs or better.
It's like the old "I'll compress 2gigs of the letter A with zip and upload it to that BBS and let the virus checker gag" gag.
Or maybe a gif file. I wonder how solid black or white compress......
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Lunacy! I've made apps which can do this sort of thing before, and this one is totally unoptimized! Take a look at this:
With the limited amount of colours used, it would make much more sense to
a) give the table an id, then:
table.tabid td { width:1px; height:1px; )
b) give some classes for each colour used
td.colid { background-color: blah; }
I'm sure that would half the source code size... How can you trust a HTML solution that hasn't even been properly thought through?
The Captcha is no longer an image and therefore not a resource they can download and process.
Err...but the HTML captcha is a resource they can download and process.
Having a 200kb block of text, no matter how well it compresses, will add anywhere from 10 to 40 seconds to download on a dial-up line, and that was for a ridiculously small CAPTCHA. A larger, more human-readable size might use up 500kb or more. Even on a high-speed link that's a noticeable pause. The fact that it only shows up on the sign-up page doesn't make it excuseable; in fact it makes it counter-productive. If I find some cool site, eagerly hit the sign-up link and end up staring at a half-rendered page for more than 15-20 seconds, I'll just leave and find some other site that loads faster, because I really don't care what's going on behind the scenes... I have no compassion for an elaborate security device if it bungles my experience.
This is what happens when bad ideas are brought to life. This will only waste the site owner's bandwidth, maybe slow down the attacker slightly while the algorithm is modified.. we're talking AT MOST a couple days work. You could achieve the same result by adding a 2-second delay to the CAPTCHA cgi, the same idea as adding a delay to failed logins... if you can't properly defeat the attackers, at least slow them down.
We've reached a point where, with security/copy protection, if it is something than can be done by a human sitting at a computer, the human can be removed from the equation. The greatest shortcoming of any system like CAPTCHA, or even asking "human intelligence" questions like "What do monkeys eat" or other things that computers don't innately "know", is that a human has to computerize those actions in the first place. You have to teach YOUR computer what the answer to the monkey question is, and there are only so many answers you will teach it until you run out of ideas (or exhaust the body of humankind's knowledge). Eventually the attacker will know all the answers to your challenges and you've just wasted a whole lot of time.
A better strategy here is the psychological approach. How do you get rid of a tireless attacker ? What motivates an attacker ? They WANT something of value to them. That something can be email addresses, zombie hosts, or in the case of blog spam they just want eyeballs. There are two ways to demotivate them: get rid of what's luring them, or make your prize harder to get than everyone else's. The first solution might mean crippling your site, even making it totally worthless (think site owners that give up, communities that are abandoned after relentless attacks). The second solution only buys you time, because the more vulnerable sites will ramp up their security, sooner or later, and then you're back at square one.
Actually there is a solution 3: find the attackers and attack THEM. Hey it's not the higher road, but it's damn effective.
-Billco, Fnarg.com
While this has little to do with the original post I have a really annoying experience with captchas
I have 20/20 vision and am not color blind. Captchas are becoming so complicated and garbled that I get the code wrong about 40% of the time. Another portion of the time I take to long trying to answer the code question and type in the right characters. I typically get screwed on the number Zero and the letter 'O' and lowercase 'L' and the number 1.
It'b becoming, for me, an entry barrier to signing up and gaining access to websites. It would be much easier to simply use email authentication. What do you do with the people who are color blind? I spent some years dealing with display design and this was a legitimate concern that we addressed at the time for a specialized group of people. In the common population there are a lot more occurrences of people who are color blind.
Are captcha's really worth the effort compared to other more human friendly processes? Is anyone working on what we will be doing next? Considering that there are decades of technology in machine vision technology to pull from I think it will be fairly trivial for the bots to become better at reading captchas than humans.
It might be effective to take the email authentication process and apply everything that mail servers do to authenticate the user. What I mean by this is apply all the mail server rules like FQDN requirements for HELO, fully resolvable email domains, valid email addresses, non-open relays. Much of this would eliminate either the bots or the ISP's who are too stupid to properly configure a mail server. Similarly it might be sufficient to code the HTML/HTTP to expect a properly responding client and not some hacked up bot that can't do most of it right.
All text based captcha's are broken, it doesn't matter how they're rendered, they're still a pre-defined set of characters that a bot can pick out eventually. Now, the "Click three kittens" captcha, that was fucking genious, no bot on the planet will be able to tell the difference between a kitten and a ham sandwich. Why isn't it being used? People seem to think obscuring text and making it harder for humans to read is a better idea than using something a computer will not be able to identify.
...I got nothing.
This is going to be effective only as long as it is not popular and not worth somebody's time to sit down and write a script to convert it into a genuine image.
How difficult is it to translate this matrix into a normal image? Not very difficult I am afraid.
You have a user feedback or similar with your nice new captcha. You add the Javascript PGP encryption to it, and suddenly all the snooping is a thing of the past because all the user submitted replies are encrypted with PGP.
I'm not sure why you're throwing mod points to kick a 0 score comment that most people will never see to -1, and no, I have nothing to do with either Hanewin or Enigmail and the code is freely available.
For what it's worth, Opera doesn't seem to have that problem. The page loaded/rendered so fast on my laptop that I thought they'd cheated and just stuck an image in there.
The advantage of this captcha is that it is not widespread yet and so the chances that a bot can crack it are lower.
Funny that when OCR software is supposed to work it often fails, but when there is some effort to hinder recognition then bots can deal with that. Maybe general OCR software should try to crack input instead!
That page gzips down to 12k - so ~2 seconds download speed.
The larger problem would probably be load on the server - possibly you could get around this by pre-compressing and then randomly serving. I don't think this was supposed to be a perfect solution, it's just a nice little demo showing how something common can be done in a new way.
Kudos! An awesome idea. If some here cannot see the relevance, they are n00bs with no brains.
This GPL-ed project can be reproduced by a junior coder in an hour so the fact it's GPL-ed I guess isn't of so much help.
... tr... <td style='height:1px;width:1px;background-color:#fcfb ff'></td> ... /tr...
.cA {background:#abcdef} .cB {background:#ffaabb}, at which point we get not only more obfuscation for the captcha crackers to solve, but much lighter code:
... tr... <td style='height:1px;width:1px;background-color:#fcfb ff'></td> ... /tr...
Also on the subject of it being 218k, each pixel looks like:
which is badly redundant, the very first thing is you can make all "td"-s in the table be 1px/1px with a simple: table.captcha td {width:1px; height:1px} rule, then background-color can be shortened to just "background" and still be valid.
Furthermore you don't need table with rows and columns, if you float the pixels to left, then you only need a container of the right width and columns/rows wil naturally form, to keep it down we can style a shorter tag for our purposes, like <b>
So at this stage we arrive at the much simpler:
<b style="background:#abcdef"></b>
But this can be simplified even further by indexing the colors used as around a 40-50 css classes (fiven the image has a lot more than 40-50 pixels and 40-50 colors are enough for it, it's still a net gain), for example:
<b class="cA"></;b>
and again the original:
And this is before we start putting JavaScript in the picture...
Great, so blocking images in E-Mail will no longer get those image-spams thrown out, because now a bright-but-not-intelligent geek has given the spammer assholes a way to encode their crap in simple HTML which no spam filter will manage to get.
Congratulations. How much did they pay you?
Oh, as for the "official" purpose. I give it a life expectancy of 3 weeks before the spammers have found a way around it. If they bother at all.
Assorted stuff I do sometimes: Lemuria.org
What the HEC?
There's no need to download the image. Look at the source. Somewhere it says:
:-)
Now, just go to MD5Lookup.Com and convert that little "hidden" MD5Sum back to the original text:
ad6ade8a0b6e2f748b80a390ff45cf31 - &NMTB
Maybe the author should add some salt.
A simple screen capture defeats this, since everything is ultimately a map of bits (a bitmap!) on the screen that can easily be converted to a file.
I just wrote a sample CAPTCHA system as well but kept in black and white for various reasons. I also use whole words to make text input simpler for humans. Here is a competing article explaining a different approach.s /Virtual_Brain_Online/article/user_validation_imag e_verification_code_captcha/rel=url2html-31631http ://www.network-technologies.org/Projects/Virtual_B rain_Online/article/user_validation_image_verifica tion_code_captcha/>
ahref=http://www.network-technologies.org/Project
Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
I loathe CAPTCHAs in any form. People who are blind or, like me, totally colourblind have no functional means to figure out just what in the hell we're supposed to "see" in them. Some places have noted this and added audio versions but the majority of sites using CAPTCHAs do not bother. For those webmasters thinking of using CAPTCHAs - there are a lot of us out here who are visually disabled and, um, we have money to spend with your competition if you can't at least meet us halfway.
Think of me when you shave your legs...
A quick skim of TFA didn't indicate whether these are any more accessible for the visually impaired. The current "audio captcha" option help, but standard captchas are a real barrier to the visually impaired.
BitBloating the pixels to individual 1X1 TD tags will hardly make a difference. All that is needed is to reconstruct the bitmap then use OCR on it as usual.
What a sad solution.
Not only is it bad form, it appears it may stress some browsers enough that it blocks legitimate users.
Locating the captcha in the rendered page can't take more than a couple seconds. You'd have to change it a lot to change that. It's a blocky, colorful, bit of screen near a form submit button. Even if you change it there are only so many ways you can change it without making it confusing to users. If a user can find it then I can write a script to find it.
It's a useful tool to slow down script kiddies but it won't stop anyone that could actually write the code to grab the characters in the image in the first place.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
"because it seemed totally irrelevant to the topic of this article." ...
"Re-read the first paragraph of your comment entitled "Not offtopic" and think how the English could be corrected to improve your communication."
No, please, whoever moderated, stop misusing negative mod points. Just because they could not see how it relates, doesn't mean others have the same problem. Slashdot isn't a forum for professional writers and comments are not expected to be punchy journalism.
The page compresses with gzip from 188,398 bytes down to 13,326 bytes. In plain text it displays ca. 5,000 bytes.
1 7240 "Will Solve Captcha for Money?"
So with HTML compression the size of this encoding isn't really a problem.
But as mentioned at http://en.wikipedia.org/wiki/Captcha the real hurdle is that the opponent can use low-paid data entry workers: http://it.slashdot.org/article.pl?sid=06/09/06/12
Stephan
http://stephan.sugarmotor.org
I can only see one good use for this as a method to prevent easy hotlinking/stealing of normal images, as long as it's CSS optimised as a previous post, and the page in TFA itself, mentions.
Or even as a non-image way to render text on a page in fonts that don't exist on the users system, such as is used at http://mardeg.sitesled.com/
There are still image captcha for phpbb that have not been cracked, although the default phpbb captcha has been cracked.
Dont ask the question in text, use an audio file.
Generate the audio file using a good natural text to speech maker.
Ofcourse, use 10 variations of grammer for the questions perhaps. Easy to do in real time.
Liberty freedom are no1, not dicks in suits.
http://bmaurer.blogspot.com/2007/01/beware-random- captchas-found-on.html
- If your OCR can read 1/2 the chars on the page, the md5sum lets you crack the others. Really quickly
- Forget OCR. It doesn't check that the server itself generated the hashes. Hash "apple" then submit the hash and the word "apple".
- There are no checks for duplicates. You can solve one captcha and submit it 1000000 times.
- You can delete any jpeg file on the website, due to the non-checking of the hash for the word ".."
- You can fill up the dude's disk by requesting lots of captchas but
"Capchas" and similar technology are just DRM. Thankfully, the audience trying to crack the former are far more stupid than the audience that crack DRM.
Although not technically an "image", it's still an image-based solution. If I wrote a CAPTCHA using SVG, it'd still be an image, even if it's a markup language. If I wrote it in Flash, it'd still be an image-based solution, even if it's Flash. I also don't see what would be difficult about automatically singling out an enormous, single-lined (in source) table full of CSS declarations without any 'data'. In fact, it's probably easier to spot as a script than an image...Probably with a similar time to decode it.
If your idea looks good on paper, you need more paper.
If you absolutely must use something like this, you can easily confuse spambots (and with far less code!) by interspersing some elements containing the CAPTCHA text itself and making them contiguous on the screen using absolute positioning. Such a thing is an accessibility nightmare, but no worse than the technique in the article.
Obviously that will only work until the spammers add a rule to check for what you're doing. If your method remains a minority, they probably won't bother.
Given that, why bother asking the user to type anything or show them the graphic? Just use Javascript to enter the text into a hidden field and hide the image ("visibility: none") in a way that looks to a bot like it's shown. Thus, the users aren't bothered but you'll hopefully catch the (current) bots.
-- Jamie
I have done it and published on root.cz the functional example (ready to use) of the captcha here: http://kregion.cz/discussion-forum-commentary-spam -filter/ (writen in PHP, MySQL and using GD library - licence GNU/GPL - still not writen as a function, but only to copy&paste to source code - will be corrected in the future version)
...they don't know the difference between a "DOS Attack" and a simple slashdotting... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
The page has been taken down. The author says it was subject to a DoS attack. I guess that's what /. readers are, eh?
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
HAHA, fucktard! U got modded down!
"Please note: I removed the HEC demo since it was used to perform a DoS attack on this server. The HECs are quite heavy and I didn't add a mechanism against Dos " So is it reliable to use this technique at all ? I mean the author's website itself has been taken down just like that ! I tell you, internet nowadays is an evil place indeed.
Chris ,
Php Programmers.