Re: reCAPTCHA: AOL's CAPTCHA

On 18/07/07, Ben Maurer <bmaurer@andrew.cmu.edu> wrote:
> Once a user solves a specific CAPTCHA, they can not be allowed to use the
> CAPTCHA again. Otherwise you could amplify a human based attack by
> re-using human solutions. It's not that the code can't be done, however
> getting the security aspect of it right is a bit harder.

The usability aspects make it worth the extra work to getting the
security aspect right, in my opinion. At the moment, AOL do re-present
the same CAPTCHA, so if they're not safe-guarding against this right
now, it's something they will need to address.

> Also -- it's a lot easier to just validate in JS on the client side. Then
> on the server side you only need to validate for non-js clients (and to
> protect against evil users). In this case, having the "hide the CAPTCHA"
> functionality would be unnecessary.

That would depend on how the errors are reported to the user.
Client-side validation could also be used to verify the CAPTCHA with
Ajax, and removed if it is okay.


Gez


-- 
_____________________________
Supplement your vitamins
http://juicystudio.com

Received on Wednesday, 18 July 2007 19:36:08 UTC