
Re: reCAPTCHA: AOL's CAPTCHA

From: Ben Maurer <bmaurer@andrew.cmu.edu>
Date: Wed, 18 Jul 2007 12:29:46 -0700 (PDT)
To: Gez Lemon <gez.lemon@gmail.com>
cc: "Evans, Donald" <Donald.Evans@corp.aol.com>, wai-xtech@w3.org
Message-ID: <Pine.LNX.4.64-044.0707181221490.5857@unix31.andrew.cmu.edu>

Hello,

On Wed, 18 Jul 2007, Gez Lemon wrote:

> On 18/07/07, Ben Maurer <bmaurer@andrew.cmu.edu> wrote:
>> On Wed, 18 Jul 2007, Gez Lemon wrote:
>> > Finally, when someone enters their details, but makes a mistake and
>> > the page is re-presented to them, if they have the answer to the
>> > CAPTCHA correct, it would be good if the CAPTCHA is removed (or at
>> > least hidden), as the user might think that was one of the reasons the
>> > submission failed (even though the text would be red with an error
>> > message if it was - it just helps remove any ambiguity, particularly
>> > as CAPTCHAs can be intimidating).
>> 
>> In general, this can be very hard for a site to implement. The issue is
>> that it's easy to create a replay attack (a case where the solution to a
>> CAPTCHA can be re-used).
>
> If the block the CAPTCHA is contained in is hidden with display: none,
> it would still be submitted with the form, but hidden in graphical
> browsers with CSS enabled (and also from screen readers interacting
> with the browser). User agents without CSS support will render the
> CAPTCHA exactly how they do now. It would be a benefit for the
> majority of users with no detrimental effect on those that haven't got
> CSS.

Once a user solves a specific CAPTCHA, they cannot be allowed to use the 
CAPTCHA again. Otherwise you could amplify a human-based attack by 
re-using human solutions. It's not that the code can't be done; however, 
getting the security aspect of it right is a bit harder.

For reCAPTCHA we take care of the difficulty of detecting duplicate 
requests on our servers. The way our API works, it'd actually be difficult 
to implement the "hide reCAPTCHA when the form doesn't validate". We might 
add an extension to support this, but it's not a priority.

Also -- it's a lot easier to just validate in JS on the client side. Then 
on the server side you only need to validate for non-js clients (and to 
protect against evil users). In this case, having the "hide the CAPTCHA" 
functionality would be unnecessary.

-b
Received on Wednesday, 18 July 2007 19:29:54 GMT
