Update 2: There is a clever technique, using pornography websites and leveraging humans, that works well in defeating CAPTCHAs (a comment on my last post found an early reference). An attacker offers a free adult website granting access to any visitor who fills out CAPTCHA images. The website, acting as a CAPTCHA proxy, downloads the obfuscated image from the target and redisplays it to the visitor. Once the visitor fills out the image, or two, or three, they are granted access. The attacker is then free to perform their intended action. Effective, simple, and what caused me to add #4 to the CET.
"Completely Automated Public Turing Test to Tell Computers and Humans Apart"
Just about everyone on-line has seen or typed in one of these by now, even if they didn't know exactly what it was for. CAPTCHAs are designed to prevent automated account registration, blog spam, BBS spam, whois DB lookups, login brute-forcing, password recovery, etc. People have attempted all sorts of strange and interesting methods to stop the bots. The obfuscated-text-in-an-image variety is the one most commonly used. The problem is that not all CAPTCHA systems are created equal. Some are superior to others, but it's difficult to tell exactly why. What we web application security people need is a methodology to measure the effectiveness of a CAPTCHA system. I first wrote about the CAPTCHA Effectiveness Test just over a year ago and promised to eventually make an update.
CAPTCHA Effectiveness Test
1) Test should be administered where the human and the server are remote over the network.
2) Test should be simple for humans to pass.
* Humans should fail less than 0.1% on the first attempt.
3) Test should be solvable by humans in less than several seconds.
4) Test should only be solvable by the human to which it was presented.
5) Test should be hard for a computer to pass.
* Correctly guessing the answer should be less than 1 in 1,000,000, even after 24-hours of analysis.
6) Knowledge of previous test questions, answers, results, or combination thereof should not impact the predictability of following tests.
7) Test should not discriminate against humans with visual or hearing impairments.
8) Test should not possess a geographic, cultural, or language bias.
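As an added example (my own code, not part of the original post), here is a minimal challenge issuer in Python that turns criteria 4, 5 and 6 into checks: a guess probability below 1 in 1,000,000, answers drawn from the OS CSPRNG so earlier answers say nothing about later ones, and each challenge single-use, short-lived and bound to the session it was issued to. The names (ChallengeStore, meets_cet5), the 36-symbol alphabet, the 6-character length and the 60-second lifetime are assumptions of mine.

```python
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, input is case-folded
LENGTH = 6                                          # 36**6 ~ 2.2e9 possible answers


def guess_probability(alphabet_size: int, length: int) -> float:
    """Chance that a single blind guess is correct (CET #5 wants < 1e-6)."""
    return 1.0 / (alphabet_size ** length)


def meets_cet5(alphabet_size: int, length: int, threshold: float = 1e-6) -> bool:
    """CET #5: random guessing must succeed less than 1 in 1,000,000 times."""
    return guess_probability(alphabet_size, length) < threshold


class ChallengeStore:
    """Issues single-use, short-lived challenges bound to one session (CET #4, #6).

    Answers come from the OS CSPRNG, so previous answers carry no information
    about later ones (CET #6). The lifetime and single-use rule are assumptions.
    """

    def __init__(self, ttl_seconds: float = 60.0, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can control time
        self._pending = {}          # challenge_id -> (session_id, answer, expires_at)

    def issue(self, session_id: str) -> tuple[str, str]:
        """Create a challenge; a real system would render the answer as an image."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (session_id, answer, self.clock() + self.ttl)
        return challenge_id, answer

    def verify(self, challenge_id: str, session_id: str, response: str) -> bool:
        """One attempt per challenge: it is consumed whether or not it passes."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False                       # unknown or already used
        owner, answer, expires_at = entry
        if self.clock() > expires_at:
            return False                       # too old; narrows the relay window (CET #4)
        if owner != session_id:
            return False                       # presented to a different session
        return secrets.compare_digest(answer, response.strip().upper())
```

The short lifetime and single use shrink the window a CAPTCHA proxy has to relay an image to a human and return the answer, but they do not by themselves stop that relay; rate limiting per source is still needed alongside them.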
Applying the CET.
Given that the implementation is secure (many are not).
Still a work in progress...