> But defenses have to be *meaningful* defenses. Captchas are a pretend
> defense. They're wishful thinking. They're faith-based security.

They're a hook-and-eye latch. Now, if you want to go installing a bank vault door to keep your dog in the backyard, by all means, be my guest. Me, I'm frugal, so I'll make the more reasonable investment of a hook-and-eye latch to keep the gate closed.

> Moreover, like all defenses, they don't come for free. There are costs
> associated with them (both for those deploying them and for users of
> whatever service they're allegedly protecting). And beyond the obvious
> costs, as we've learned through bitter experience, "complexity" is not
> only a hidden cost but also sometimes the one that bites us in the ass by
> way of vulnerabilities.
>
> So given that we all know that (a) the express purpose of captchas is
> to determine whether or not a human is on the other end of the wire
> and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?

Not a given; your (a) is faulty. I already gave a trivial example of a situation where the deployment was intended to detect and deter a specific sort of automated exploit (more of a "prove you're a stupid spam bot and therefore ignorable" than a "prove you're human").

> Doubly so given that there are a fair number of visually-impaired
> people, blind people, and, oh, by the way, people using devices with
> rather small displays. Especially the last, recently. Why inflict
> this nonsense on them? Why try to offload the (admittedly) hard work
> of securing a resource onto the users, especially the users who are
> least-equipped to deal with it?

That depends on the CAPTCHA, I would imagine. Pretty sure that none of the cases you list would have a problem with the CAPTCHA I described.

> And please: let's not even go to audio captchas. That's the sort of
> bag-on-the-side-of-a-bag hack that we all did our sophomore year but
> were too embarrassed to admit by the time we were seniors.
>
> We have much better defenses at our disposal. (Examples: BCP 38, the
> Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with
> rate throttling, checksum comparison.)

Each suitable for a particular range of purposes. And, as it turns out, each generally varies in effectiveness as they age... it just turns out that CAPTCHA has aged relatively poorly.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.

