On Tue, 14 Sep 2010 23:14:36 +1200 Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote: > The earlier work is also pretty devastating against CAPTCHAs (as > well as being a damn good read, "Sudo make me a CAPTCHA" :-). A > great many CAPTCHAs work by using a hidden form field containing > the encrypted solution to the CAPTCHA, which is then POSTed back to > the server along with the client's solution (this is needed to make > the operation stateless). If the decrypted version matches what > the client provides, they've solved the CAPTCHA. So all an > attacker has to do is solve one CAPTCHA manually and then replay > the encrypted version back along with the solution as often as they > like, you don't need to hire a Pakistani Internet cafe any more for > your CAPTCHA-breaking. This destroys an awful lot of CAPTCHAs, and > isn't at all easy to fix because of the requirement to keep it > stateless.
Couldn't one simply include a timestamp in the encrypted data? Assuming a five minute window (or what have you) would be too much, one could also keep some state for five minutes (which is not a lot to ask for.) Perry -- Perry E. Metzger pe...@piermont.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
