A nonce is designed exactly for the case of validating a form-to-action process: that's the whole point. Using CAPTCHA for that works, because CAPTCHA is a form of nonce that requires the user to "promote" the nonce into a state that can be passed to the action. But the core functionality is still the nonce behaviour, not the CAPTCHA behaviour. CAPTCHA is about validating that it's a human triggering the form-to-action process (as opposed to a machine), not that the action is preceded by a form. Both are valid, no question, but if you can avoid foisting extra effort onto the human in question, surely you agree that's a good thing?
cheers, barneyb

On Tue, Mar 17, 2009 at 9:03 PM, Justin Scott <[email protected]> wrote:
>
>> CAPTCHA is virtually never the right solution. If
>> a simple CAPTCHA is sufficient to protect your form,
>> you're not securing something immensely valuable in
>> an attacker's eye.
>
> I'll respectfully disagree. You also made a great point for using it while
> trying to break it down. If putting a CAPTCHA on the page is enough of a
> deterrent that a would-be attacker goes away, then it's served its purpose.
> If you're concerned that a visitor might have trouble, you can always make
> its use dynamic. The page can assume that the visitor is legitimate, and if
> something "fishy" is happening from a given IP or session ID, the system can
> activate the CAPTCHA as a basic line of defense. It's certainly not the
> be-all end-all security measure, but it's enough for most situations as a
> first line of defense.
>
> But getting back to the original question, it's a good way to verify that
> the form post is coming from your original form page and not some saved
> version hosted somewhere else if that is your goal. Depending on the
> situation, it may be overkill, or it might be just right. There are many
> tools in our bag, and I wouldn't be so quick to dismiss CAPTCHA for certain
> situations if it fits the bill.
>
>
> --
> Justin Scott | GravityFree
> Member of the Technical Staff
>
> 1960 Stickney Point Road, Suite 210
> Sarasota | FL | 34231 | 800.207.4431
> 941.927.7674 x115 | f 941.923.5429
> www.GravityFree.com
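The nonce flow the thread is arguing about, as an added Python example (not code from the original thread or from anyone on it): a token is minted when the form is rendered, then checked and discarded when the action runs, so a replayed post, an expired form, a post from another session, or a copy of the form hosted elsewhere all fail. The in-memory dict, session id and form name are assumed stand-ins for whatever server-side session scope the application actually uses.

```python
import secrets
import time

# Constructed in-memory store: nonce -> (session_id, form_name, expires_at).
# Assumption: a real app keeps this in the session scope or a shared cache.
issued_nonces = {}


def issue_nonce(store, session_id, form_name, ttl_seconds=600, now=None):
    """Called when the form is rendered: mint a one-time token bound to
    this session and this form, and remember it server-side. The value
    goes into a hidden field; nothing about it is secret to the user."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)          # 256 random bits, unguessable
    store[nonce] = (session_id, form_name, now + ttl_seconds)
    return nonce


def consume_nonce(store, nonce, session_id, form_name, now=None):
    """Called by the action before doing any work: accept the post only if
    the nonce was issued, belongs to this session and this form, and has
    not expired. The nonce is removed on every attempt, valid or not, so
    a second submission of the same form can never succeed."""
    now = time.time() if now is None else now
    record = store.pop(nonce, None)
    if record is None:
        return False                            # never issued, already used, or forged
    issued_to, issued_for, expires_at = record
    if now > expires_at:
        return False                            # form was rendered too long ago
    return issued_to == session_id and issued_for == form_name


def purge_expired(store, now=None):
    """Housekeeping so abandoned forms do not grow the store without bound."""
    now = time.time() if now is None else now
    stale = [n for n, (_, _, exp) in store.items() if now > exp]
    for n in stale:
        del store[n]
    return len(stale)
```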

