

From: Gez Lemon <gez.lemon@gmail.com>
Date: Wed, 18 Jul 2007 20:35:59 +0100
Message-ID: <e2a28a920707181235j28b5351fxc785251074ef6d50@mail.gmail.com>
To: "Ben Maurer" <bmaurer@andrew.cmu.edu>
Cc: "Evans, Donald" <Donald.Evans@corp.aol.com>, wai-xtech@w3.org

On 18/07/07, Ben Maurer <bmaurer@andrew.cmu.edu> wrote:
> Once a user solves a specific CAPTCHA, they cannot be allowed to use the
> CAPTCHA again. Otherwise you could amplify a human-based attack by
> re-using human solutions. It's not that the code can't be done; however,
> getting the security aspect of it right is a bit harder.

The usability aspects make it worth the extra work to get the
security aspect right, in my opinion. At the moment, AOL do re-present
the same CAPTCHA, so if they're not safeguarding against this right
now, it's something they will need to address.

> Also -- it's a lot easier to just validate in JS on the client side. Then
> on the server side you only need to validate for non-js clients (and to
> protect against evil users). In this case, having the "hide the CAPTCHA"
> functionality would be unnecessary.

That would depend on how the errors are reported to the user.
Client-side validation could also be used to verify the CAPTCHA with
Ajax, and removed if it is okay.


Supplement your vitamins
Received on Wednesday, 18 July 2007 19:36:08 UTC
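The two points in the exchange above, a solved CAPTCHA must never be accepted a second time, and an Ajax check that lets the client hide the widget must not replace server-side enforcement, can be illustrated with a small service. The following is an added example written for this archive page; it is not code from the thread, from AOL or from W3C, and the class and function names (`CaptchaService`, `issue`, `verify`, `redeem`, `FakeClock`) are assumptions chosen for the illustration.

```python
"""Single-use CAPTCHA verification with a one-time "pass" token.

Hypothetical design for the points raised in the thread: a solved challenge
can never be re-submitted (no replay of human solutions), and the server
still enforces the CAPTCHA even when the client verifies it early via Ajax
and hides the widget. All names here are assumptions, not AOL's code.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    answer: str        # expected solution, kept server-side only
    expires_at: float  # clock value after which the challenge is void


class CaptchaService:
    def __init__(self, ttl=300.0, now=time.monotonic):
        self._now = now
        self._ttl = ttl
        self._challenges: dict[str, Challenge] = {}  # challenge id -> Challenge
        self._passes: dict[str, float] = {}          # pass token -> expiry

    def issue(self, answer: str) -> str:
        """Register a freshly generated challenge; returns its opaque id."""
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = Challenge(answer, self._now() + self._ttl)
        return cid

    def verify(self, cid: str, response: str):
        """Ajax-style check. Consumes the challenge whether or not the answer
        is right, so neither a correct solution nor a guess can be replayed.
        Returns a one-time pass token on success, None otherwise."""
        ch = self._challenges.pop(cid, None)
        if ch is None or self._now() > ch.expires_at:
            return None
        # constant-time comparison; case-insensitive like most image CAPTCHAs
        if not hmac.compare_digest(ch.answer.casefold().encode(),
                                   response.strip().casefold().encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._passes[token] = self._now() + self._ttl
        return token

    def redeem(self, token: str) -> bool:
        """The server-side form handler calls this once; the token is burned,
        so the form is still protected for non-JS clients and for anyone who
        bypasses the client-side check."""
        exp = self._passes.pop(token, None)
        return exp is not None and self._now() <= exp


class FakeClock:
    """Constructed clock so the scenarios below can advance time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def replay_scenario():
    """Solve once, then try to reuse both the solution and the pass token."""
    svc = CaptchaService(now=FakeClock())
    cid = svc.issue("k7x2q")                  # constructed challenge answer
    first = svc.verify(cid, "K7X2Q")          # human solves it once via Ajax
    second = svc.verify(cid, "K7X2Q")         # replayed solution: rejected
    redeemed = svc.redeem(first)              # form submission uses the pass
    replayed_pass = svc.redeem(first)         # second submission: rejected
    return first is not None, second is None, redeemed, replayed_pass


def expiry_scenario():
    """A challenge older than its TTL is refused even with the right answer."""
    clock = FakeClock()
    svc = CaptchaService(ttl=60, now=clock)
    cid = svc.issue("abc")
    clock.t = 61
    return svc.verify(cid, "abc") is None


if __name__ == "__main__":
    print(replay_scenario())   # (True, True, True, False)
    print(expiry_scenario())   # True
```

The design choice worth noting is that `verify` pops the challenge on a wrong answer as well as a right one, so a failed guess cannot be retried against the same image; the client hiding the CAPTCHA after a successful Ajax call then carries only the pass token, which the server burns on the real submission.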

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:25:16 UTC