3
Apr

Improved CAPTCHA?

   Posted by: Joshbw   in Browser/Web Security

Add Comment

My coworkers and I were just BSing about CAPTCHAs and how to make them harder to crack while still usable.  Tangentially the conversation just previously was about the bastards that injected a highly animated flash file on an epilepsy forum (which is messed up), and my mind drew a random connection between the two.

I wonder how hard it would be for automation to break an animated CAPTCHA, for example a small flash file that loads the text dynamically from the server (so there isn’t even the overhead of generated a dynamic CAPTCHA image) and slowly scrolls the text across, never showing all of the CAPTCHA text at once (though immediately a concern is the text could be intercepted in transit; it might be better to dynamically create animated GIFs on the server).  The implementation for this obviously needs to be much more complicated than that simple description; it has to cover attempts to compromise the CAPTCHA system without needing to do image processing.  However, if the attacker was forced to do image processing, how much of a speed bump would the animation create?

Any image processing gurus happen to know?

~ Joshbw

This entry was posted on Thursday, April 3rd, 2008 at 9:49 am and is filed under Browser/Web Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 comments so far

Jim
 1 

You are onto something here - there are a number of ways to protect content via flash. The only downside - need to support a wide variety/versions of the flash engine. But still, I like it.

April 10th, 2008 at 3:12 pm
Joshbw
 2 

I think an animated GIF would be better for client side support, and isn’t technically difficult to dynamically generate. The downside is that it does take significantly more processing time than static graphics to generate, and for captchas on popular websites dynamic generation is usually the only viable route (since otherwise the attackers can just harvest all of the images, and create a database of hashes from the file and associated text).

Flash is definitely and easier route in terms of server resources, but you are absolutely right about it being a pain with the myriad of flash versions (is flash even present, is it a smart device that uses flash-lite, etc).

April 11th, 2008 at 8:43 am
Jim
 3 

Ouch - the world could use better Captcha protection: http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

April 15th, 2008 at 5:37 pm
Jim
 4 

Holy cats and dogs - have you seen this?

http://research.microsoft.com/asirra/?0sr=a

April 15th, 2008 at 5:42 pm
Joshbw
 5 

Yeah, I read that article on ars yesterday. I’ve found that no more spam than usual has made it through my outlook filter (the built in filter in 2007 is remarkably good) but I have been getting a great deal more spam in my gmail account, from gmail and hotmail domains.

I’ve also seen the Asira project before and I like the intent of it. That said, I have a concern with it. It is technically feasible to crawl petfinder and download all of the images, which are conveniently categorized by type (cat, dog, bird, rabbit, etc) and then create a simple database that uses a hash from the image as a key to look up the type. Then, when crawling sites that are asira enabled the images could just be rehashed and looked up.

Hopefully MS is actually doing some modifications (resize, slight color filter, etc) that would cause the Asira image to have a different hash value, which would frustrate that approach.

April 16th, 2008 at 7:58 am

Leave a reply

Name (*)
Mail (will not be published) (*)
URI
Comment
Back to top