On 18/07/07, Ben Maurer <bmaurer@andrew.cmu.edu> wrote:

> Once a user solves a specific CAPTCHA, they can not be allowed to use the
> CAPTCHA again. Otherwise you could amplify a human based attack by
> re-using human solutions. It's not that the code can't be done, however
> getting the security aspect of it right is a bit harder.

The usability aspects make it worth the extra work to get the security aspect right, in my opinion. At the moment, AOL do re-present the same CAPTCHA, so if they're not safeguarding against this right now, it's something they will need to address.

> Also -- it's a lot easier to just validate in JS on the client side. Then
> on the server side you only need to validate for non-js clients (and to
> protect against evil users). In this case, having the "hide the CAPTCHA"
> functionality would be unnecessary.

That would depend on how the errors are reported to the user. Client-side validation could also be used to verify the CAPTCHA with Ajax, and removed if it is okay.

Gez
--
_____________________________
Supplement your vitamins
http://juicystudio.com

Received on Wednesday, 18 July 2007 19:36:08 GMT
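The single-use handling the thread is discussing, written out as an added example (not code from the thread or from any product mentioned in it): each challenge is consumed on its first answer, and a successful Ajax check hands back a one-time proof that the final form submit redeems, so the same solution can never be replayed. The in-memory store and the names `CaptchaService`, `issue`, `verify` and `redeem` are assumptions for illustration.

```python
import hmac
import secrets
import time

# Assumption: a single-process server; a real deployment would keep these
# in a shared store so every front-end node sees the same consumed state.
CHALLENGE_TTL = 300  # seconds a challenge or proof may remain unused


class CaptchaService:
    def __init__(self, now=time.time):
        self._now = now
        self._challenges = {}  # challenge_id -> (expected answer, expires_at)
        self._proofs = {}      # proof token -> expires_at

    def issue(self, answer):
        """Register a fresh challenge; the caller renders the image for `answer`."""
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = (answer, self._now() + CHALLENGE_TTL)
        return cid

    def verify(self, cid, response):
        """Check one response (e.g. from an Ajax call or a non-JS form post).

        The challenge is removed on the first attempt, right or wrong, so a
        solved CAPTCHA cannot be submitted again and a wrong guess forces a
        new challenge rather than allowing repeated tries on the same one.
        Returns a single-use proof token on success, None otherwise.
        """
        entry = self._challenges.pop(cid, None)
        if entry is None:
            return None  # unknown, expired, or already consumed
        answer, expires_at = entry
        if self._now() > expires_at:
            return None
        if not hmac.compare_digest(answer.lower().encode(),
                                   response.strip().lower().encode()):
            return None
        proof = secrets.token_urlsafe(16)
        self._proofs[proof] = self._now() + CHALLENGE_TTL
        return proof

    def redeem(self, proof):
        """Consume the proof at final form-submit time; valid exactly once."""
        expires_at = self._proofs.pop(proof, None)
        return expires_at is not None and self._now() <= expires_at
```

A client that verified over Ajax submits the proof token with the form instead of the CAPTCHA answer; a client without JavaScript submits the answer and the server calls `verify` and `redeem` back to back.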