- From: Ben Maurer <bmaurer@andrew.cmu.edu>
- Date: Wed, 18 Jul 2007 12:29:46 -0700 (PDT)
- To: Gez Lemon <gez.lemon@gmail.com>
- cc: "Evans, Donald" <Donald.Evans@corp.aol.com>, wai-xtech@w3.org
Hello,

On Wed, 18 Jul 2007, Gez Lemon wrote:
> On 18/07/07, Ben Maurer <bmaurer@andrew.cmu.edu> wrote:
>> On Wed, 18 Jul 2007, Gez Lemon wrote:
>> > Finally, when someone enters their details, but makes a mistake and
>> > the page is re-presented to them, if they have the answer to the
>> > CAPTCHA correct, it would be good if the CAPTCHA is removed (or at
>> > least hidden), as the user might think that was one of the reasons the
>> > submission failed (even though the text would be red with an error
>> > message if it was - it just helps remove any ambiguity, particularly
>> > as CAPTCHAs can be intimidating).
>>
>> In general, this can be very hard for a site to implement. The issue is
>> that it's easy to create a replay attack (a case where the solution to a
>> CAPTCHA can be re-used).
>
> If the block the CAPTCHA is contained in is hidden with display: none,
> it would still be submitted with the form, but hidden in graphical
> browsers with CSS enabled (and also from screen readers interacting
> with the browser). User agents without CSS support will render the
> CAPTCHA exactly how they do now. It would be a benefit for the
> majority of users with no detrimental effect on those that haven't got
> CSS.

Once a user solves a specific CAPTCHA, they cannot be allowed to use the
CAPTCHA again. Otherwise you could amplify a human-based attack by re-using
human solutions. It's not that the code can't be done; however, getting the
security aspect of it right is a bit harder.

For reCAPTCHA we take care of the difficulty of detecting duplicate requests
on our servers. The way our API works, it'd actually be difficult to
implement the "hide reCAPTCHA when the form doesn't validate". We might add
an extension to support this, but it's not a priority.

Also -- it's a lot easier to just validate in JS on the client side. Then on
the server side you only need to validate for non-JS clients (and to protect
against evil users).

In this case, having the "hide the CAPTCHA" functionality would be unnecessary.

-b
Received on Wednesday, 18 July 2007 19:29:54 UTC