Re: [Ai] For software developers - creating custom accessible CAPTCHA

2017-08-08 Thread Lyngdoh via Ai
Hi

I am not from a software development background, but I feel that you can
check this website
ssconline.nic.in
it seems that the developer of this website has done something for
solving captchas. According to my understanding, Alok's approach is
similar to the one adopted by this one.


On 8/8/17, Alok Kaushik via Ai <ai@accessindia.inclusivehabitat.in> wrote:
> Hi Harish / Akash,
>
> Thanks for your response.
>
> Yes. I completely agree that theoretically it is possible to extract the
> alt text of the image and convert words into numbers. However, the idea was
> to stop general bots, which would still happen. It is possible to
> determine the captcha programmatically provided that coding to target
> specific site is done. I would myself not recommend this approach for a
> site that is vastly popular, or has high stakes, in which case specific
> targeting could very well happen.
>
> There are many other backend tracking and detection mechanisms that
> should be implemented for a high visibility / high stake site. Amazon has
> been able to keep intruders away even without a captcha.
>
> OTP may be cited as one of the alternatives.
>
> However, the solution has to be context specific, and many portals that are
> new or have a relatively low user base may not be able to opt for mobile
> integration or deploy network level safety mechanisms.
>
> Sugamya Pustakalaya has a captcha that asks the user to add two numbers.
> While this would suffice for a general bot, it would not suffice if
> someone specifically targets that site, and codes to determine the
> captcha. Hackers would indulge in custom coding if they have something to
> gain from it.
>
> Your observation is completely valid. We just need to decide context
> specific trade-offs.
>
> I may be sticking out my neck and making a statement about the future. I feel
> that with the emergence of AI / computer vision most captchas would not be
> safe in the near future, even if they are just images. We may actually see
> image based captchas go away in the time to come, and something new may
> emerge.
>
>
>
> Thanks.
>
> Alok
>
>
>
> From: Ai [mailto:ai-boun...@accessindia.inclusivehabitat.in] On Behalf Of
> Kotian, H P via Ai
> Sent: Tuesday, August 08, 2017 2:17 PM
> To: Share, empower 
> Cc: Kotian, H P
> Subject: Re: [Ai] For software developers - creating custom accessible
> CAPTCHA
>
>
>
> Hi Alok
>
>
>
> Just to bring to your attention, there is a security challenge in this
> approach.
>
> CAPTCHA is essentially used to fight against Bots and to prevent them from
> guessing the CAPTCHA.
>
> As I see, you have the words placed in Alt text. It is not a big deal to
> read the alt text from Document object and convert the numbers in words back
> to numerals.
>
>
>
> Check it out.
>
>
>
> Harish.
>
>
>
>
>
> From: Ai [mailto:ai-boun...@accessindia.inclusivehabitat.in] On Behalf Of
> Alok Kaushik via Ai
> Sent: Tuesday, August 8, 2017 8:49 AM
> To: ai@accessindia.inclusivehabitat.in
> Cc: Alok Kaushik <alok.li...@gmail.com>
> Subject: [Ai] For software developers - creating custom accessible CAPTCHA
>
>
>
> Hi,
>
> In one of my recent software development works I created a CAPTCHA that is
> accessible for screen readers using the following approach.
>
>
>
> 1.   Generate a random 5 digit number.
>
> 2.   Generate an image containing the embedded 5 digit number. Image is
> programmatically generated and is not an image that could be downloaded. 5
> digit number is communicated to the captcha generating code using
> encryption.
>
> 3.   Convert the complete 5 digit number in English words, including the
> words thousand and hundred.
>
> 4.   Assign the converted number in words as the alternate text of the
> image dynamically. This would allow the screen readers to read out the
> number in words, while other users will see regular image.
>
> 5.   Track the random number as a session variable for later
> comparison.
>
>
>
> I am writing this for following two reasons.
>
> 1.   This approach seems to be working for me. Want to know if anyone
> sees any issue in this either in usability or security.
>
> 2.   If anyone doing software development is interested in implementing
> this, I can share the code off the list.
>
>
>
> Thanks.
>
> Alok
>
>
>
>
>
>   _
>
>
> Caution: The Reserve Bank of India never sends mails, SMSs or makes calls
> asking for personal information such as your bank account details,

Re: [Ai] For software developers - creating custom accessible CAPTCHA

2017-08-08 Thread Alok Kaushik via Ai
Hi Harish / Akash,

Thanks for your response.

Yes. I completely agree that theoretically it is possible to extract the alt
text of the image and convert words into numbers. However, the idea was to stop
general bots, which would still happen. It is possible to determine the
captcha programmatically provided that coding to target specific site is done.
I would myself not recommend this approach for a site that is vastly popular,
or has high stakes, in which case specific targeting could very well happen.

There are many other backend tracking and detection mechanisms that should
be implemented for a high visibility / high stake site. Amazon has been
able to keep intruders away even without a captcha.

OTP may be cited as one of the alternatives.

However, the solution has to be context specific, and many portals that are new
or have a relatively low user base may not be able to opt for mobile integration
or deploy network level safety mechanisms.

Sugamya Pustakalaya has a captcha that asks the user to add two numbers.
While this would suffice for a general bot, it would not suffice if someone
specifically targets that site, and codes to determine the captcha. Hackers
would indulge in custom coding if they have something to gain from it.

Your observation is completely valid. We just need to decide context specific
trade-offs.

I may be sticking out my neck and making a statement about the future. I feel
that with the emergence of AI / computer vision most captchas would not be
safe in the near future, even if they are just images. We may actually see image
based captchas go away in the time to come, and something new may emerge.

 

Thanks.

Alok

 

From: Ai [mailto:ai-boun...@accessindia.inclusivehabitat.in] On Behalf Of 
Kotian, H P via Ai
Sent: Tuesday, August 08, 2017 2:17 PM
To: Share, empower 
Cc: Kotian, H P
Subject: Re: [Ai] For software developers - creating custom accessible CAPTCHA

 

Hi Alok

 

Just to bring to your attention, there is a security challenge in this approach.

CAPTCHA is essentially used to fight against Bots and to prevent them from
guessing the CAPTCHA.

As I see, you have the words placed in Alt text. It is not a big deal to read
the alt text from Document object and convert the numbers in words back to
numerals.

 

Check it out.

 

Harish.

 

 

From: Ai [mailto:ai-boun...@accessindia.inclusivehabitat.in] On Behalf Of Alok 
Kaushik via Ai
Sent: Tuesday, August 8, 2017 8:49 AM
To: ai@accessindia.inclusivehabitat.in
Cc: Alok Kaushik <alok.li...@gmail.com>
Subject: [Ai] For software developers - creating custom accessible CAPTCHA

 

Hi,

In one of my recent software development works I created a CAPTCHA that is 
accessible for screen readers using the following approach.

 

1.   Generate a random 5 digit number.

2.   Generate an image containing the embedded 5 digit number. Image is
programmatically generated and is not an image that could be downloaded. 5
digit number is communicated to the captcha generating code using encryption.

3.   Convert the complete 5 digit number in English words, including the
words thousand and hundred.

4.   Assign the converted number in words as the alternate text of the
image dynamically. This would allow the screen readers to read out the number
in words, while other users will see regular image.

5.   Track the random number as a session variable for later comparison.

 

I am writing this for following two reasons.

1.   This approach seems to be working for me. Want to know if anyone sees 
any issue in this either in usability or security.

2.   If anyone doing software development is interested in implementing 
this, I can share the code off the list.

 

Thanks.

Alok

 

 

  _  


Caution: The Reserve Bank of India never sends mails, SMSs or makes calls 
asking for personal information such as your bank account details, passwords, 
etc. It never keeps or offers funds to anyone. Please do not respond in any 
manner to such offers, however official or attractive they may look.


Notice: This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed. If you are not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the information contained in this 
e-mail message and/or attachments to it are strictly prohibited. If you have 
received this email by error, please notify us by return e-mail or telephone 
and immediately and permanently delete the message and any attachments. The 
recipient should check this email and any attachments for the presence of 
viruses. The Reserve Bank of India accepts no liability for any damage caused 
by any virus transmitted by this email.

Disclaimer:
1. Contents of the mails, factual, or otherwise, reflect the thinking of the 
person sending the mail and AI in 
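
The five steps listed in the original post, together with a check of the point Harish raises, as an added Python example (not Alok's code, which he offered to share off the list). The function names, the dict standing in for the session and the single-use comparison are assumptions; step 2, rendering the image, is left out.

```python
import hmac
import secrets

ONES = ("zero one two three four five six seven eight nine ten eleven twelve "
        "thirteen fourteen fifteen sixteen seventeen eighteen nineteen").split()
TENS = "_ _ twenty thirty forty fifty sixty seventy eighty ninety".split()

def _below_thousand(n):
    """English words for 1..999 (empty list for 0)."""
    words = []
    if n >= 100:
        words += [ONES[n // 100], "hundred"]
        n %= 100
    if n >= 20:
        words.append(TENS[n // 10])
        n %= 10
    if n:
        words.append(ONES[n])
    return words

def number_to_words(n):
    """Step 3: spell out a 5-digit number, including 'thousand' and 'hundred'."""
    return " ".join(_below_thousand(n // 1000) + ["thousand"] + _below_thousand(n % 1000))

def words_to_number(text):
    """Inverse of step 3: what any reader of the alt attribute can compute."""
    total = current = 0
    for word in text.split():
        if word == "thousand":
            total, current = total + current * 1000, 0
        elif word == "hundred":
            current *= 100
        elif word in TENS:
            current += TENS.index(word) * 10
        else:
            current += ONES.index(word)
    return total + current

def new_challenge(session):
    """Steps 1, 4 and 5: pick the number, store it, return the alt text."""
    n = secrets.randbelow(90000) + 10000          # 10000..99999
    session["captcha"] = str(n)                   # hypothetical session key
    return number_to_words(n)

def verify(session, answer):
    """Compare once, then discard (single use is an assumption, not in the post)."""
    expected = session.pop("captcha", None)
    return expected is not None and hmac.compare_digest(
        expected.encode(), answer.strip().encode())

def alt_text_reveals_answer():
    """True when the alt text alone is enough to reconstruct the stored number."""
    session = {}
    alt = new_challenge(session)
    return str(words_to_number(alt)) == session["captcha"]
```

Because the conversion in step 3 is a lossless encoding, the check returns True for every challenge: the image adds no protection beyond what the alt text already gives away, which is the trade-off the thread goes on to discuss.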

Re: [Ai] For software developers - creating custom accessible CAPTCHA

2017-08-08 Thread Akash Kakkar via Ai
Absolutely agree with Harish's point. It will be a very big security
risk as it's very easy to retrieve the alt text of the images
programmatically via bots and other manners.

On 8/8/17, bhawani shankar verma via Ai
<ai@accessindia.inclusivehabitat.in> wrote:
> It is already in IRCTC. In UIDAI both captcha and OTP.
>
>
> -Original Message-
> From: gatak singh via Ai
> Sent: Tuesday, August 08, 2017 2:27 PM
> To: Share, empower 
> Cc: gatak singh
> Subject: Re: [Ai] For software developers - creating custom accessible
> CAPTCHA
>
> The best alternative they can provide for captcha is OTP. I just
> visited the income tax website to link my PAN card with Aadhaar card.
> They have this option. I easily linked my PAN card with the help of
> OTP. I loved it. I think IRCTC, UIDAI, and all others should adopt
> this idea.
>
> On 8/8/17, Kotian, H P via Ai <ai@accessindia.inclusivehabitat.in> wrote:
>> Hi Alok
>>
>> Just to bring to your attention, there is a security challenge in this
>> approach.
>> CAPTCHA is essentially used to fight against Bots and to prevent them
>> from guessing the CAPTCHA.
>> As I see, you have the words placed in Alt text. It is not a big deal to
>> read the alt text from Document object and convert the numbers in words
>> back to numerals.
>>
>> Check it out.
>>
>> Harish.
>>
>>
>> From: Ai [mailto:ai-boun...@accessindia.inclusivehabitat.in] On Behalf Of
>> Alok Kaushik via Ai
>> Sent: Tuesday, August 8, 2017 8:49 AM
>> To: ai@accessindia.inclusivehabitat.in
>> Cc: Alok Kaushik <alok.li...@gmail.com>
>> Subject: [Ai] For software developers - creating custom accessible
>> CAPTCHA
>>
>> Hi,
>> In one of my recent software development works I created a CAPTCHA that
>> is
>> accessible for screen readers using the following approach.
>>
>>
>> 1.   Generate a random 5 digit number.
>>
>> 2.   Generate an image containing the embedded 5 digit number. Image is
>> programmatically generated and is not an image that could be downloaded.
>> 5 digit number is communicated to the captcha generating code using
>> encryption.
>>
>> 3.   Convert the complete 5 digit number in English words, including
>> the words thousand and hundred.
>>
>> 4.   Assign the converted number in words as the alternate text of
>> the image dynamically. This would allow the screen readers to read out the
>> number in words, while other users will see regular image.
>>
>> 5.   Track the random number as a session variable for later
>> comparison.
>>
>> I am writing this for following two reasons.
>>
>> 1.   This approach seems to be working for me. Want to know if anyone
>> sees any issue in this either in usability or security.
>>
>> 2.   If anyone doing software development is interested in
>> implementing this, I can share the code off the list.
>>
>> Thanks.
>> Alok
>>
>>
>
>
> --
> gatak singh
> QA test engineer at VMware India pvt. ltd.
>
> Email:
> gataksingh.gurud...@gmail.com
> gutta...@vmware.com
>
> WhatsApp:
> 9980948679
>
> skype:
> gatak.guru
>
> facebook:
> https://m.facebook.com/gatak.singh?ref_component=mbasic_home_header_page=%2Fwap%2Fhome.php=8
>
> twitter:
> https://twitter.com/gataksingh

Re: [Ai] For software developers - creating custom accessible CAPTCHA

2017-08-08 Thread bhawani shankar verma via Ai

It is already in IRCTC. In UIDAI both captcha and OTP.


-Original Message- 
From: gatak singh via Ai

Sent: Tuesday, August 08, 2017 2:27 PM
To: Share, empower 
Cc: gatak singh
Subject: Re: [Ai] For software developers - creating custom accessible 
CAPTCHA


The best alternative they can provide for captcha is OTP. I just
visited the income tax website to link my PAN card with Aadhaar card.
They have this option. I easily linked my PAN card with the help of
OTP. I loved it. I think IRCTC, UIDAI, and all others should adopt
this idea.

On 8/8/17, Kotian, H P via Ai <ai@accessindia.inclusivehabitat.in> wrote:

Hi Alok

Just to bring to your attention, there is a security challenge in this
approach.
CAPTCHA is essentially used to fight against Bots and to prevent them from
guessing the CAPTCHA.
As I see, you have the words placed in Alt text. It is not a big deal to
read the alt text from Document object and convert the numbers in words
back to numerals.

Check it out.

Harish.


From: Ai [mailto:ai-boun...@accessindia.inclusivehabitat.in] On Behalf Of
Alok Kaushik via Ai
Sent: Tuesday, August 8, 2017 8:49 AM
To: ai@accessindia.inclusivehabitat.in
Cc: Alok Kaushik <alok.li...@gmail.com>
Subject: [Ai] For software developers - creating custom accessible CAPTCHA

Hi,
In one of my recent software development works I created a CAPTCHA that is
accessible for screen readers using the following approach.


1.   Generate a random 5 digit number.

2.   Generate an image containing the embedded 5 digit number. Image is
programmatically generated and is not an image that could be downloaded.
5 digit number is communicated to the captcha generating code using
encryption.

3.   Convert the complete 5 digit number in English words, including
the words thousand and hundred.

4.   Assign the converted number in words as the alternate text of the
image dynamically. This would allow the screen readers to read out the
number in words, while other users will see regular image.

5.   Track the random number as a session variable for later
comparison.

I am writing this for following two reasons.

1.   This approach seems to be working for me. Want to know if anyone
sees any issue in this either in usability or security.

2.   If anyone doing software development is interested in
implementing this, I can share the code off the list.

Thanks.
Alok








--
gatak singh
QA test engineer at VMware India pvt. ltd.

Email:
gataksingh.gurud...@gmail.com
gutta...@vmware.com

WhatsApp:
9980948679

skype:
gatak.guru

facebook:
https://m.facebook.com/gatak.singh?ref_component=mbasic_home_header_page=%2Fwap%2Fhome.php=8

twitter:
https://twitter.com/gataksingh

youtube:
https://www.youtube.com/channel/UCzlwwCd3JSGJC3eyn7i1HeQ
Disclaimer:
1. Contents of the mails, factual, or otherwise, reflect the thinking of the 
person sending the mail and AI in no way relates itself to its veracity;


2. AI cannot be held liable for any commission/omission based on the mails 
sent through this mailing list..




To check if the post reached the list or to search for old posting, reach:
https://www.mail-archive.com/ai@accessindia.inclusivehabitat.in/maillist.html
___


Ai mailing list
Ai@accessindia.inclusivehabitat.in
http://accessindia.inclusivehabitat.in/mailman/listinfo/ai 

