en.wikipedia.org/wiki/Captcha
server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human.
Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires that the user type the letters or digits of a distorted image that appears on the screen.
Characteristics

A CAPTCHA system is a means of automatically generating new challenges which:
* Current software is unable to solve accurately.

Although a checkbox "check here if you are not a bot" might serve to distinguish between humans and computers, it is not a CAPTCHA because it relies on the fact that an attacker has not spent effort to break that specific form.
The most important factor in deciding whether an algorithm should be made open or restricted is the size of the system. Although an algorithm which survives scrutiny by security experts may be assumed to be more conceptually secure than an unevaluated algorithm, an unevaluated algorithm specific to a very limited set of systems is always of less interest to those engaging in automated abuse. Breaking a CAPTCHA generally requires some effort specific to that particular CAPTCHA implementation, and an abuser may decide that the benefit granted by automated bypass is negated by the effort required to engage in abuse of that system in the first place.
Applications

CAPTCHAs are used to prevent automated software from performing actions which degrade the quality of service of a given system, whether due to abuse or resource expenditure.
CAPTCHAs also serve an important function in rate limiting, as automated usage of a service might be desirable until such usage is done in excess, and to the detriment of human users. In such a case, a CAPTCHA can enforce automated usage policies as set by the administrator when certain usage metrics exceed a given threshold.
Web accessibility

Because CAPTCHAs rely on visual perception, users unable to view a CAPTCHA (for example, due to a disability or because it is difficult to read) will be unable to perform the task protected by a CAPTCHA. As such, sites implementing CAPTCHAs may provide an audio version of the CAPTCHA in addition to the visual method. The official CAPTCHA site recommends providing an audio CAPTCHA for accessibility reasons.
Attempts at more accessible CAPTCHAs

Even an audio and visual CAPTCHA will require manual intervention for some users, such as those who are both deaf and blind. There have been various attempts at creating CAPTCHAs that are more accessible.
mathematical questions ("what is 1+1" or even more complex problems like derivatives or polynomial factorization -- also known as a MAPTCHA, or Mathematical CAPTCHA), or "common sense" questions ("what color is the sky"). These attempts violate one or both of the principles of CAPTCHAs: either they cannot be automatically generated or they can be easily cracked given the state of artificial intelligence.
an attacker is unlikely to have encountered the formulation of the CAPTCHA in question, and unlikely to find it worth the time spending resources to break the CAPTCHA of a small site. Due to the lack of security provided by text based CAPTCHAs, most sites choose to use an audio and visual CAPTCHA as a way of balancing accessibility and security. Often, email or telephone support is used to manually provide access to users who are unable to solve a CAPTCHA.
Insecure implementation

Like any security system, design flaws in a system implementation can prevent the theoretical security from being realized. Many CAPTCHA implementations, especially those which have not been designed and reviewed by experts in the fields of security, are prone to common attacks.
Finally, some implementations use only a small fixed pool of CAPTCHA images. Eventually, when enough CAPTCHA image solutions have been collected by an attacker over a period of time, the CAPTCHA can be broken by simply looking up solutions in a table, based on a hash of the challenge image.
The only step where humans still outperform computers is segmentation. If the background clutter consists of shapes similar to letter shapes, and the letters are connected by this clutter, the segmentation becomes nearly impossible with current software. Hence, an effective CAPTCHA should focus on the segmentation.
One approach involves relaying the puzzles to a group of human operators who can solve CAPTCHAs. In this scheme, a computer fills out a form and when it reaches a CAPTCHA, it gives the CAPTCHA to the human operator to solve. Another variation of this technique involves copying the CAPTCHA images and using them as CAPTCHAs for a high-traffic site owned by the attacker.
Image-recognition CAPTCHAs

Some researchers promote image recognition CAPTCHAs as a possible alternative for text based CAPTCHAs. To date, no major website has made use of an image based CAPTCHA.
which in its default form presents a question requiring the user to select a stated type of animal from an array of thumbnail images of assorted animals. The images (and the challenge questions) can be customized, for example to present questions and images which would be easily answered by the forum's target userbase.
This was later removed because users had trouble entering the correct letters. Image recognition CAPTCHAs face many potential problems which have not been fully studied. It is difficult for a small site to acquire a large dictionary of images to which an attacker does not have access, and without a means of automatically acquiring new labelled images, an image based challenge does not meet the definition of a CAPTCHA.
Human solvers are a potential weakness for strategies such as Asirra. Photos that are subsequently added to the Asirra database are then a relatively small data set that can be classified as they first appear.
Another potential weakness is that only a yes/no answer for each picture is required by most designs. Even with sixteen images, a bot has a 1 in 65536 (2^16) chance of getting the captcha right purely by chance. Furthermore, such chance identifications can be used to accumulate knowledge about the correct identification of the images, allowing the bot to progressively improve the accuracy of its guesses over time.
botnet attacks, the user would need to be forced to solve an annoyingly large number of images. The image database is not downloadable, as it includes images of already adopted pets, which is 10 times the size of the set of pets for adoption. Bot guessing is addressed by creating both IP and session based buckets -- once an IP has misclassified a challenge, a human needs only to solve two Asirras in a row from the same browser session, reducing the brute force probability to 1 in less than 5 million.
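The guessing arithmetic from the two paragraphs above and the IP/session bucket rule, as an added example that is not Asirra's own code: a per-IP strike counter and a per-session streak counter decide how many consecutive correct solves a client needs, and the probability function shows what uniform random yes/no guessing achieves under each bucket state. The sixteen-image figure is the one the text uses; the strike/streak structure and the sample IP addresses are assumptions.

```python
from collections import defaultdict


def guess_probability(images=16, consecutive=1):
    """Chance that uniform random yes/no answers pass `consecutive` challenges of `images` photos."""
    return 2.0 ** (-(images * consecutive))


class ChallengePolicy:
    """IP and session buckets (assumed structure): a clean IP is accepted on one correct solve;
    once an IP has misclassified a challenge, sessions from it must solve `required` in a row."""

    def __init__(self, required=2):
        self.required = required
        self.ip_strikes = defaultdict(int)      # ip -> number of misclassified challenges
        self.session_streak = defaultdict(int)  # session -> consecutive correct solves

    def required_for(self, ip):
        """Consecutive correct solves needed for a session coming from `ip`."""
        return self.required if self.ip_strikes[ip] else 1

    def record(self, ip, session, correct):
        """Record one challenge result; return True if the session is now accepted as human."""
        if not correct:
            self.ip_strikes[ip] += 1
            self.session_streak[session] = 0   # a wrong answer resets the streak
            return False
        self.session_streak[session] += 1
        return self.session_streak[session] >= self.required_for(ip)

    def brute_force_probability(self, ip, images=16):
        """Probability of a bot passing from `ip` by guessing alone under the current bucket state."""
        return guess_probability(images, self.required_for(ip))


if __name__ == "__main__":
    policy = ChallengePolicy(required=2)
    policy.record("203.0.113.9", "s2", False)           # constructed IP misclassifies once
    print(policy.brute_force_probability("203.0.113.9"))  # now needs two in a row: 2 ** -32
```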
The user will be asked to type the alphanumeric character that overlies a particular feature. This process can automatically generate an effectively infinite number of image-recognition CAPTCHAs.
computer vision program that can recognize the objects within the 3-D CAPTCHA images is intrinsically difficult. In addition, a compromised object will be automatically identified by the sudden influx of responses that correctly name the compromised object while incorrectly naming the other objects.
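The compromised-object detection described above, as an added example that is not part of the original article or of any 3-D CAPTCHA implementation: it scans a constructed log of responses and flags objects that are suddenly being named correctly while every other object in the same challenge is named wrongly. The log format, the time window and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, {object_name: answered_correctly}).
# Early responses look human (most objects right); later ones name only "bicycle".
def build_sample_log():
    log = []
    for i in range(20):                      # baseline period, t = 0..190
        log.append((i * 10, {"teapot": True, "bicycle": i % 5 != 0, "lamp": True}))
    for i in range(12):                      # influx, t = 300..322: only "bicycle" correct
        log.append((300 + i * 2, {"teapot": False, "bicycle": True, "lamp": False}))
    for i in range(3):                       # a few genuine recent responses
        log.append((310 + i * 5, {"teapot": True, "bicycle": True, "lamp": True}))
    return log


def lone_correct(answers, obj):
    """True when `obj` was named correctly and every other object in the challenge was not."""
    return answers[obj] and not any(ok for o, ok in answers.items() if o != obj)


def flag_compromised(log, now, window, min_lone=5, min_ratio=0.75, spike=3):
    """Return {object: stats} for objects whose lone-correct responses spiked inside the window."""
    recent_seen, recent_lone, earlier_lone = defaultdict(int), defaultdict(int), defaultdict(int)
    for t, answers in log:
        in_window = now - window <= t <= now
        for obj in answers:
            if in_window:
                recent_seen[obj] += 1
            if lone_correct(answers, obj):
                (recent_lone if in_window else earlier_lone)[obj] += 1
    flagged = {}
    for obj, lone in recent_lone.items():
        ratio = lone / recent_seen[obj]
        # enough lone-correct answers, a high share of recent sightings, and a jump over the baseline
        if lone >= min_lone and ratio >= min_ratio and lone > spike * earlier_lone[obj]:
            flagged[obj] = {"lone_recent": lone, "seen_recent": recent_seen[obj], "ratio": ratio}
    return flagged


if __name__ == "__main__":
    print(flag_compromised(build_sample_log(), now=330, window=60))
```

An object that trips the check should be rotated out of the pool; the same scan run with an earlier `now` on the sample log returns nothing, which is the baseline behaviour.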
The instructions that accompany the 3-D CAPTCHA image are bound by language dependency. Any entity deploying the 3-D CAPTCHA will need to select the language to be used for the instructions that will accompany the image.
Collateral benefits

Some of the original inventors of the CAPTCHA system have implemented a means by which some of the effort and time spent by people who are responding to challenges can be harnessed as a distributed work system.