On Tue, 14 Sep 2010 23:14:36 +1200 Peter Gutmann
<pgut...@cs.auckland.ac.nz> wrote:
> The earlier work is also pretty devastating against CAPTCHAs (as
> well as being a damn good read, "Sudo make me a CAPTCHA" :-).  A
> great many CAPTCHAs work by using a hidden form field containing
> the encrypted solution to the CAPTCHA, which is then POSTed back to
> the server along with the client's solution (this is needed to make
> the operation stateless).  If the decrypted version matches what
> the client provides, they've solved the CAPTCHA.  So all an
> attacker has to do is solve one CAPTCHA manually and then replay
> the encrypted version back along with the solution as often as they
> like, you don't need to hire a Pakistani Internet cafe any more for
> your CAPTCHA-breaking.  This destroys an awful lot of CAPTCHAs, and
> isn't at all easy to fix because of the requirement to keep it
> stateless.

Couldn't one simply include a timestamp in the encrypted data?
Assuming a five minute window (or what have you) would be too much,
one could also keep some state for five minutes (which is not a lot
to ask for.) 

Perry E. Metzger                pe...@piermont.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
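The timestamp-plus-short-lived-state idea from the reply above, as an added example that is not code from either poster. It binds the solution into the hidden field with an HMAC in place of encrypting it; `KEY`, `WINDOW`, `issue` and `verify` are names assumed for illustration.

```python
import hashlib
import hmac
import os
import time

KEY = os.urandom(32)   # server secret; generated per process for this example
WINDOW = 300           # five-minute validity window, in seconds
_seen = {}             # nonce -> expiry time; the only state the server keeps


def issue(solution, now=None):
    """Return the hidden-field value for a CAPTCHA whose answer is `solution`."""
    now = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    msg = f"{now}:{nonce}:{solution.lower()}".encode()
    tag = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return f"{now}:{nonce}:{tag}"


def verify(token, answer, now=None):
    """Accept a token at most once, and only inside the window."""
    now = int(time.time() if now is None else now)
    try:
        ts_s, nonce, tag = token.split(":")
        ts = int(ts_s)
    except ValueError:
        return False                      # malformed token
    if not 0 <= now - ts <= WINDOW:
        return False                      # expired or future-dated
    # Drop expired entries so the cache never holds more than one window.
    for n in [n for n, exp in _seen.items() if exp < now]:
        del _seen[n]
    if nonce in _seen:
        return False                      # replay inside the window
    msg = f"{ts}:{nonce}:{answer.lower()}".encode()
    good = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, tag):
        return False                      # wrong answer or forged tag
    _seen[nonce] = ts + WINDOW            # remember solved tokens until they expire
    return True
```

Cache entries expire at the same moment the token's timestamp does, so the state held is bounded by the number of CAPTCHAs solved in one window.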
