- From: Gez Lemon <gez.lemon@gmail.com>
- Date: Wed, 18 Jul 2007 20:35:59 +0100
- To: "Ben Maurer" <bmaurer@andrew.cmu.edu>
- Cc: "Evans, Donald" <Donald.Evans@corp.aol.com>, wai-xtech@w3.org
On 18/07/07, Ben Maurer <bmaurer@andrew.cmu.edu> wrote:
> Once a user solves a specific CAPTCHA, they can not be allowed to use the
> CAPTCHA again. Otherwise you could amplify a human based attack by
> re-using human solutions. It's not that the code can't be done, however
> getting the security aspect of it right is a bit harder.

The usability aspects make it worth the extra work to get the security aspect right, in my opinion. At the moment, AOL do re-present the same CAPTCHA, so if they're not safe-guarding against this right now, it's something they will need to address.

> Also -- it's a lot easier to just validate in JS on the client side. Then
> on the server side you only need to validate for non-js clients (and to
> protect against evil users). In this case, having the "hide the CAPTCHA"
> functionality would be unnecessary.

That would depend on how the errors are reported to the user. Client-side validation could also be used to verify the CAPTCHA with Ajax, and removed if it is okay.

Gez

--
_____________________________
Supplement your vitamins
http://juicystudio.com
Received on Wednesday, 18 July 2007 19:36:08 UTC
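The single-use rule Ben describes (a solved CAPTCHA must never be accepted twice) and the Ajax pre-check Gez mentions both come down to how the server keeps state. The sketch below is an added example, not code from either poster or from AOL's system; the in-memory `CaptchaStore`, the proof-token step and the sample answers are constructed for illustration. A challenge is consumed on its first verification whether the answer is right or wrong, so a human solution cannot be replayed and a wrong guess forces a fresh challenge instead of re-presenting the same one; an Ajax check that succeeds hands back a one-time proof token that the final form submission redeems exactly once.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side bookkeeping for single-use CAPTCHA challenges (constructed example).

    A real deployment would keep this in a shared store (database or cache)
    so every web node sees the same state; an in-memory dict is enough here.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._clock = clock                # injectable clock so expiry can be tested
        self._ttl = ttl_seconds
        self._pending = {}                 # challenge_id -> (expected_answer, expires_at)
        self._proofs = {}                  # proof_token -> expires_at

    def issue(self, expected_answer):
        """Register a freshly generated challenge and return its opaque id."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (expected_answer, self._clock() + self._ttl)
        return challenge_id

    def verify(self, challenge_id, submitted_answer):
        """Consume the challenge on first use, hit or miss.

        Returns a one-time proof token on a correct, unexpired answer, else None.
        Popping before checking is the point: a second attempt, correct or not,
        finds nothing to verify against.
        """
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return None
        expected, expires_at = entry
        if self._clock() > expires_at:
            return None
        if not hmac.compare_digest(expected.lower().encode(),
                                   submitted_answer.strip().lower().encode()):
            return None
        proof = secrets.token_urlsafe(16)
        self._proofs[proof] = self._clock() + self._ttl
        return proof

    def redeem_proof(self, proof):
        """Accept a proof token exactly once, when the form is finally submitted."""
        expires_at = self._proofs.pop(proof, None)
        return expires_at is not None and self._clock() <= expires_at


def replay_scenario():
    """Walk through the cases the thread raises and report which ones are accepted."""
    clock = [1000.0]                       # constructed, controllable time source
    store = CaptchaStore(ttl_seconds=300, clock=lambda: clock[0])

    cid = store.issue("7kq2x")             # sample answer, constructed
    first = store.verify(cid, "7kq2x")     # legitimate Ajax solve -> proof token
    replay = store.verify(cid, "7kq2x")    # same challenge re-used -> rejected
    submitted = store.redeem_proof(first)  # form submission redeems the proof once
    resubmitted = store.redeem_proof(first)  # replaying the proof -> rejected

    cid2 = store.issue("m3pd9")
    wrong = store.verify(cid2, "m3pd8")    # wrong guess burns the challenge
    retry_same = store.verify(cid2, "m3pd9")  # correct answer too late: fresh challenge needed

    cid3 = store.issue("z1a4c")
    clock[0] += 301                        # let the challenge outlive its TTL
    stale = store.verify(cid3, "z1a4c")

    return {
        "first_solve_ok": first is not None,
        "replay_ok": replay is not None,
        "proof_redeemed": submitted,
        "proof_replayed": resubmitted,
        "wrong_answer_ok": wrong is not None,
        "retry_after_wrong_ok": retry_same is not None,
        "stale_ok": stale is not None,
    }


if __name__ == "__main__":
    for case, accepted in replay_scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The proof token is what lets the Ajax check and the real submission be two separate requests without reopening the replay window: the challenge is spent by the Ajax call, and the form carries only a token that is itself spent on redemption. Both maps need periodic sweeping of expired entries in a long-running server; the example leaves that out for brevity.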