Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

HTML Encoded Captchas

kdawson posted more than 6 years ago | from the type-this dept.

Spam 177

rangeva writes to tell us about a twist he has developed on the common Captcha technique to discourage spam bots: HECs encode the Captcha image into HTML, thus presenting an unsolved challenge to the bots' programmers. From the writeup: "The Captcha is no longer an image and therefore not a resource they can download and process. The owner of the site can change the properties of the Captcha's HTML, making it unique,... add[ing] another layer of complication for the bot to crack." HECs are not exactly lightweight — the one on the linked page weighs in at 218K — but this GPL'd project seems like a nice advance on the state of the art.

cancel ×

177 comments

Sorry! There are no comments related to the filter you selected.

I failed to see how this'll help (5, Interesting)

Rosco P. Coltrane (209368) | more than 6 years ago | (#17421490)

At the end of the day, this captcha is displayed on the screen as a colorful harder-to-read mumbo-jumbo, just like jpeg captchas, so all a bot has to do is use a html renderer to turn it into a regular image that can be processed. So the added complication is linking one of the existing captcha decoders and the gecko engine for example, maybe a half day's work. Not exactly uncrackable...

Re:I failed to see how this'll help (3, Informative)

Anonymous Coward | more than 6 years ago | (#17421504)

Well, considering that the sample captcha is just a large table where every pixel is set as a background color, I'd say it would probably be a ten line perl script you can write in a lot less than half a day work.

Re:I failed to see how this'll help (1)

stg (43177) | more than 6 years ago | (#17421532)

Seems unfair that the parent has been modded down - the comment is very relevant in that case. While the page recommends using other methods, most other methods are going to be a lot easier to crack than doing good OCR on complex CAPTCHAs.

Re:I failed to see how this'll help (1)

Lehk228 (705449) | more than 6 years ago | (#17421682)

the trouble is finding where that set of tables is. the site can move it around on the page each time it is loaded, so the bot has to be much smarter than existing bots which just find the right URL to download the image

Re:I failed to see how this'll help (1, Interesting)

Anonymous Coward | more than 6 years ago | (#17423026)

Do you really think it's going to be a problem? A dynamic page keeps a given structure and therefore I say it takes, in the worst scenario, 10 minutes - to figure out how to extract the data you need to decode the captcha. Even if you move the text around, that's still going to be done programmatically, and that is a big limitation, isn't it?

What would I do? simply look for all the td's with one single colored pixel, and then count the tr's inbetween.

Everything else is made easier as the chance is given, in fact, of developing a successful and simple scanner without the need for third party modules (gd, image::magick et similia).

Give up. If i can read that, i know i'm going to be able to make a script that just does that. This is just not the way.
You can make a script that makes things difficult on me, but that's just delaying the day where the captcha will be broken.

Stefano

Re:I failed to see how this'll help (5, Insightful)

rangeva (471089) | more than 6 years ago | (#17421540)

"so all a bot has to do is use a html renderer to turn it into a regular image that can be processed"

It's not that simple. Since the Captcha is no longer an image that you can download, the bot will first has to locate the position of the Captcha. The owner of the site can modify the layout of the page and Captcha making it unique. By rendering the image into HTML you practically modify to encoding of the image to a new and unique one - making it highly difficult to create a generic bot that will learn to decode all the HTML variations out there.

The problem today is with automated software that download the Captcha images from a pre-defined location (URL) and crack them. HECs makes it much harder to locate this resource.

Oh and everything is Crackable;)

Re:I failed to see how this'll help (1)

stg (43177) | more than 6 years ago | (#17421586)

While I have to agree with your "everything is crackable", doesn't HECs use a whole lot more of bandwidth (moving the HEC, even compressed) and/or processing on both sides to decompress a gzipped stream than regular CAPTCHAs?

How poorly are the CAPTCHAs doing these days against bots, anyway? I see a few that are probably easy to OCR, but there are quite a few where I have to make a effort to read them myself...

Re:I failed to see how this'll help (1)

rangeva (471089) | more than 6 years ago | (#17421608)

The HEC is heavy - although you can change the size of the HEC and make it smaller.
The HEC should only be on the form page (registration, forum submission etc) so it won't harm the user's experience too much.

I created the HEC because I used to get about 20 spam posts a day on my phpBB forums and other forms on my sites. I also read on many boards that this is a real problem. Since I started using HECs the spam amount went to 0.

Re:I failed to see how this'll help (1)

stg (43177) | more than 6 years ago | (#17421694)

The HEC is heavy - although you can change the size of the HEC and make it smaller.


    Wouldn't pretty much anything larger than a single letter in HEC be larger than a full CAPTCHA?

The HEC should only be on the form page (registration, forum submission etc) so it won't harm the user's experience too much.


    My problem with the idea is that if it got popular, it'd probably be in a well-know script, at which point it'd be fairly easy to crack (even with random HTML spread around, it's a whole lot easier to analyze the text into a visible captch than doing OCR). So we'd keep the problem of the spammers, and add a new problem of large HECs.

I created the HEC because I used to get about 20 spam posts a day on my phpBB forums and other forms on my sites. I also read on many boards that this is a real problem. Since I started using HECs the spam amount went to 0.


    Were you using well known phpBB CAPTCHAs? Comparing a brand new system to a popular system where serious time was spent on developing bots is unfair.

    Unless your forums are particularly targeted in a huge scale (i.e.: 20 spam posts per day would be nothing) - ANYTHING at all you added that wasn't know to the bots would cut the amount of spams to 0.

    It's a clever concept... But I'm afraid it won't scale all that well.
   

Re:I failed to see how this'll help (1)

harrkev (623093) | more than 6 years ago | (#17421776)

even with random HTML spread around, it's a whole lot easier to analyze the text into a visible captch than doing OCR
This is still an image. Instead of sending a JPG or GIF, you are sending an actual bitmap in HTML. In my three-second preview, it just looks like a table with one-pixel cells. Then, you set the color of each cell (pixel) in HTML.

So, this still requires OCR, but there is just an extra obfuscation step in getting the image from HTML to a standard graphics format. The down side is that it is incredibly inefficient. Each pixel takes probably a dozen bytes or more (too lazy for an exact count right now).

Re:I failed to see how this'll help (1)

stg (43177) | more than 6 years ago | (#17423102)

This is still an image. Instead of sending a JPG or GIF, you are sending an actual bitmap in HTML. In my three-second preview, it just looks like a table with one-pixel cells. Then, you set the color of each cell (pixel) in HTML.

So, this still requires OCR, but there is just an extra obfuscation step in getting the image from HTML to a standard graphics format. The down side is that it is incredibly inefficient. Each pixel takes probably a dozen bytes or more (too lazy for an exact count right now).


Yes, I realize the spammer still have to do an OCR step. But the obfuscation step seems way too simple compared to OCR, which was my point.

BTW - dozen bytes per pixel? You wish! It's 64 bytes per pixel in the current sample!

Re:I failed to see how this'll help (0)

Anonymous Coward | more than 6 years ago | (#17421622)

Everything is crackable, granted.

However, everything should be accessible - most (arguably all) captcha methods are not.

If you could add ways for users with accessibility issues (particularly in this case screenreaders) to also access the service using your method you'd have something really worth shouting about.

Re:I failed to see how this'll help (1)

TubeSteak (669689) | more than 6 years ago | (#17422254)

By rendering the image into HTML you practically modify to encoding of the image to a new and unique one - making it highly difficult to create a generic bot that will learn to decode all the HTML variations out there.
OCR programs are already designed to accept per-site profiles.

Once a HTML-to-image rendering engine is added...
profiles can be updated to include site-specific html layout

Re:I failed to see how this'll help (2, Insightful)

Jerf (17166) | more than 6 years ago | (#17422588)

Oh, piffle. That's not hard either.

The "HTML renderer" in question will be either Mozilla or IE, both of which offer through Javascript the ability to find the absolute position of an element, and its absolute width and height. So the only "hard" part left is identifying the HTML location of the test, probably with something like XPath, or Mozilla's DOM Inspector which already allows you to just click on the element (and maybe go up in the hierarchy a bit.)

And I'm pretty sure the spammers already have programs to make it easy to have a human do just the hard parts, like identifying the location of the test, because I'm pretty sure that I've seen them have that sort of program to figure out the form field names easily. (Unique blogs, that is, blogs not based on any common software, have gotten blog spam too quickly and thoroughly before for any other explanation to make sense.)

You can try to move the test around, but you're right back to an arms race (which is where we already were, so no progress), and it's one where the spammers have a system that automatically notifies them of when they need to make changes.

The only spam solution is total moderation of the comment queue. If everyone did that there would be no spam anymore. (Somewhat ironically.)

Re:I failed to see how this'll help (3, Interesting)

Aladrin (926209) | more than 6 years ago | (#17421552)

Even worse, this catcha would be -easier- than a regular one. It lists every pixel as a TD, in rows... So easy to render that it's idiotic. And the image itself is simple as well... The background letters are much lighter in color and could easily be filtered.

Add in the huge size of the html and the annoyance factor of captchas in general, and this is amazingly stupid.

Re:I failed to see how this'll help (3, Insightful)

Aladrin (926209) | more than 6 years ago | (#17421562)

I should have added this disclaimer to the post:

Yes, I see that they recommend adding in random divs and crap. If it's still a table, it's still very very easy to parse, even without a parser. If they intend for you to replace the table with 'random elements' ... Do you KNOW how hard it would be to get it to show up correctly on each different browser? Another nightmare.

Re:I failed to see how this'll help (0)

Anonymous Coward | more than 6 years ago | (#17422808)

it's still very very easy to parse, even without a parser

WTF? If you're parsing it, you have a parser, by definition.

Re:I failed to see how this'll help (2, Informative)

Giorgio Maone (913745) | more than 6 years ago | (#17421634)

Gecko is absolutely overkill there: the HTML "encoding" is pretty lame, as the image is entirely made of 1px table cells, each one carrying its color information inlined in the style attribute.

Just one Perl line can extract the color matrix and pass it straight to your OCR algorithm.

Maybe if they used JavaScript to render the table on the client side, that would require Gecko or something like that (SpiderMonkey or Rhino would likely suffice), but still the complexity of a captcha cracker is noise reduction and character recognition, rather than image decoding.

That said, I've seen no "Content-encoding: gzip" in their response: gzip encoding cannot be remotely compared to jpeg compression, but it would nevertheless cut the weight of a very redundant HTML table by a 1:16 factor or more... (hurry up guys, you've been slashdotted!)

Do others use such spam-bot blockers? (2, Interesting)

msobkow (48369) | more than 6 years ago | (#17421650)

I've had sessions that took an inordinately long time to initialize with various web service providers (it's very noticeable on dial-up.) I'm wondering whether similar techniques might be used to attack rather than defend, possibly including rogue AJAX code.

Re:Do others use such spam-bot blockers? (1)

msobkow (48369) | more than 6 years ago | (#17421660)

What I'm trying to get at is that with Flash and similar technologies, I can just remove the plugin or disable it in the browser. But with an AJAX or any other interface that uses ECMAScript, it might well be possible to deliver attack code. People forget it's called JavaScript because it's a similar syntax, but it is NOT sandboxed like real Java applets.

Re:I failed to see how this'll help (0)

Anonymous Coward | more than 6 years ago | (#17421656)

Agree with parent. Very clever. Instead of a crackable captcha, we get a crackable captcha which also break standards compliance and rending performance. This has 'stupidity' written all over it.

A matter of time (2, Interesting)

superbrose (1030148) | more than 6 years ago | (#17422026)

The advantage of this captcha is that it is not widespread yet and so the chances that a bot can crack it are lower.

Funny that when OCR software is supposed to work it often fails, but when there is some effort to hinder recognition then bots can deal with that. Maybe general OCR software should try to crack input instead!

Re:A matter of time (1)

jonbryce (703250) | more than 6 years ago | (#17422902)

Even if the crackbot OCR software works only a small percentage of the time, it is still worth their while using it, as they just need to keep it running again and again until they get in. That's very different from OCRing a document many times, and hoping that one of them comes out right.

Re:I failed to see how this'll help (1)

(Score.5, Interestin (865513) | more than 6 years ago | (#17422032)

At the end of the day, this captcha is displayed on the screen as a colorful harder-to-read mumbo-jumbo, just like jpeg captchas, so all a bot has to do is use a html renderer to turn it into a regular image that can be processed. So the added complication is linking one of the existing captcha decoders and the gecko engine for example, maybe a half day's work. Not exactly uncrackable...

Exactly. It's just a really inefficient way to encode an uncompressed bitmap image. If you can encode it, the bad guys can decode it.

(Not to mention the fact that any well-organized attacker will be going at these things with a Internet cafe full of minimum-wage humans in some third-world country, so it doesn't matter how you fiddle the encoding. This looks like an example of what happens when you don't understand your problem space).

Re:I failed to see how this'll help (0)

Anonymous Coward | more than 6 years ago | (#17422528)

There's no need for an html renderer even, you only need a couple of regexp to find a table with 1px cells and styled with a background color, and pass those 1px colors to a script that generates the resulting image cell by cell, row by row.
The same process that was used to create the image can be easily reverted.

Re:I failed to see how this'll help (1)

v1 (525388) | more than 6 years ago | (#17423086)

And even if that fails (and I don't see how) then they could just resort to screen scrapers and feed that output to their capcha image processing engine.

Render, PrintScr, OCR? (3, Interesting)

Frogular (961545) | more than 6 years ago | (#17421492)

Can't the bot simply render and OCR it?

A better solution might be the authentication system old 386 games had where you have to do some simple but human intelligence requiring task. "Find the word in the upper right of manual pg 4" -> "Enter the 3rd word from the following paragraph"

Re:Render, PrintScr, OCR? (1)

AlecLyons (767385) | more than 6 years ago | (#17421846)

Problem with that is it requires some human intelligence to set the challenge.

Re:Render, PrintScr, OCR? (1)

Phillup (317168) | more than 6 years ago | (#17422102)

Problem with that is it requires some human intelligence to set the challenge.
And to solve it.

Chance are that if you make something that joe sixpack can pass... so can a bot written by an Einstein.

Re:Render, PrintScr, OCR? (1)

Millenniumman (924859) | more than 6 years ago | (#17422880)

You have 9 semi-random pictures. One is a dog. The rest are not. "Pick the dog".

Re:Render, PrintScr, OCR? (1)

vtcodger (957785) | more than 6 years ago | (#17421970)

Maybe, but one of the few times I ever went to the effort to hack a binary was to modify one of those games to get around that sort of authentication scheme. I, at least, found to it be far more aggravating than Captchas are today.

Re:Render, PrintScr, OCR? (1)

BiggyP (466507) | more than 6 years ago | (#17422006)

This makes me wonder if spammers might pick up on this method to get around FuzzyOCR and the like, unless of course HTML tables are discarded anyway.

If anyone wants to produce HTML table graphics then The GIMP comes with an export plugin, good fun but don't try exporting or rendering anything too large, it can put a lot of strain on the browser.

Javascript PGP encryption (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#17421498)

Another useful web page trick is Javascript encoding of PGP:
http://www.hanewin.net/encrypt/ [hanewin.net]

Instead of feedback forms that send plain text messages back to you for all to read, it lets you encrypt the text in the browser using PGP before it is sent. If you don't want people snooping on submitted messages this is a quick and simple way to do it.

Thunderbird has a plugin that lets you send and receive GnuPGP mails.
http://enigmail.mozdev.org/ [mozdev.org]

Not offtopic (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#17421710)

It's not offtopic (bad moderation), it's directly related to captchas on forms and just like the trick of doing the capture in the browser this is using, its the same thing, only for encrypting the message sent.

I've used both captchas and this script in the same project and if you're using this html captcha to do forms, you'll likely do the same.

Comment was:

Another useful web page trick is Javascript encoding of PGP:
http://www.hanewin.net/encrypt/ [hanewin.net]

Instead of feedback forms that send plain text messages back to you for all to read, it lets you encrypt the text in the browser using PGP before it is sent. If you don't want people snooping on submitted messages this is a quick and simple way to do it.

Thunderbird has a plugin that lets you send and receive GnuPGP mails.
http://enigmail.mozdev.org/ [mozdev.org]

Imagine encrypting your webforms (0)

Anonymous Coward | more than 6 years ago | (#17421996)

You have a user feedback or similar with your nice new captcha. You add the Javascript PGP encryption to it, and suddenly all the snooping is a thing of the past because all the user submitted replies are encrypted with PGP.

I'm not sure why you're throwing mod points to kick a 0 score comment that most people will never see to -1, and no, I have nothing to do with either Hanewin or Enigmail and the code is freely available.

Re:Imagine encrypting your webforms (0)

Anonymous Coward | more than 6 years ago | (#17422584)

Your first comment was (with hindsight incorrectly) moderated "off-topic" because it seemed totally irrelevant to the topic of this article. You failed to explain how it related to captchas. Although you then tried to explain the relevance in your follow-up post, your explanation was still not inadequate! Re-read the first paragraph of your comment entitled "Not offtopic" and think how the English could be corrected to improve your communication. If you post as an AC, try harder to make yourself crystal clear. If you use good English and express your thoughts in a logical order, the relevance of what you write should be clear from the beginning. You're not doing that yet. I was not the moderator.

Re:Imagine encrypting your webforms (0)

Anonymous Coward | more than 6 years ago | (#17422946)

typo: "not inadequate" --> "not adequate"

watermarking (2, Interesting)

dattaway (3088) | more than 6 years ago | (#17421506)

How about watermarking the captcha with the site's address and a short message?

What are the gotchas with these captchas (1)

Timesprout (579035) | more than 6 years ago | (#17421510)

Anyone?

Re:What are the gotchas with these captchas (4, Insightful)

YrWrstNtmr (564987) | more than 6 years ago | (#17421646)

Blind, color blind, text only browsers, more of a hassle, just to name a few.

Re:What are the gotchas with these captchas (2, Insightful)

Nyh (55741) | more than 6 years ago | (#17421730)

Or just users who have the sitteings for Firefox on 'Alway use my colors' because they don't like the angry fruit salads of most sites.

Nyh

Re:What are the gotchas with these captchas (1)

smillie (30605) | more than 6 years ago | (#17421850)

Alway use my colors

I was wondering why I can normally see captchas but saw nothing in the sample box. Being colorblind I need to force most pages to colors I can see. Since my browser doesn't allow me to set colors for one site but not another, even the good sites get changed.

Re:What are the gotchas with these captchas (1)

AusIV (950840) | more than 6 years ago | (#17422298)

I'm colorblind, and I frequently find myself refreshing a page numerous times to get a captcha I can actually read. I find the things really annoying. I understand a need to keep bots from spamming sites, but some of these captchas are absolutely ridiculous.

Re:What are the gotchas with these captchas (0)

Anonymous Coward | more than 6 years ago | (#17421676)

How hard would it be to convert this back to an Image? AFAICS, the PHP code simply creates a normal captcha image (using the PHP ImageTTFText() function, among others) then converts that in to a small table with as many rows and columns as the image has pixels. Each has a background color the same as the color at the corresponding point in the image.

One possibility that occured to me was to use XSLT in text output mode to try and generate the image. This is just one possibility of many.

OTOH, I think it's good that people are trying to stay ahead of the spammers, and anything which makes their job more difficult is a good thing.

--Robin

Re:What are the gotchas with these captchas (1)

springbox (853816) | more than 6 years ago | (#17422248)

The same limitations as other image-based CAPTCHAs

Bad form (5, Insightful)

Zaph0dB (971927) | more than 6 years ago | (#17421530)

I think using a captcha like this one (html-table rendered) is bad web-manners. The rendering of such a table, pixel by pixel, is a huge toll on browsers. Even on my (relatively) new and (relatively) powerful machine, it took Firefox a noticeable amount of time to render the image, and caused my hard drive to crunch a little. I don't even want to imagine less powerful machines or, random-fluctuation-of-time-and-space forbid, mobile devices. All in all, I think this method severely limits the users accessing this site.

Re:Bad form (1)

jellomizer (103300) | more than 6 years ago | (#17421620)

Heck it took time on my (Very) new and (Very) Powerful machine. The fastest chips available (more CPU or cores will not help because the browser calculates this on one CPU right now, maybe in the future) still needs to work on it. Makes it to slow for normal users. My mom on a iMac G3 with dialup will be painful to see.

Re:Bad form (1)

Xeriar (456730) | more than 6 years ago | (#17422022)

Took next to no time at all on any of my machines in Firefox. One is modern, three would have been considered top of the line about six years ago. If it's slow in your browser, either

1: Your browser does not prerender (ie. IE) - though rendering was pretty instantaneous in IE6 for me too.
2: Something is wrong with your machine
3: You should consider looking into the purchase of a new machine if you are obviously so anal about a registration scheme that you will go through -once- taking a few extra seconds.

Re:Bad form (1)

multipartmixed (163409) | more than 6 years ago | (#17422474)

Yeah. I didn't even notice a rendering delay on FF2; my box is a P3-900 w/ 512MB RAM with a bunch of puttys and photoshop 7 already running.

Opera doesn't seem to have that problem (1)

pathological liar (659969) | more than 6 years ago | (#17422010)

For what it's worth, Opera doesn't seem to have that problem. The page loaded/rendered so fast on my laptop that I thought they'd cheated and just stuck an image in there.

Re:Bad form (3, Informative)

the_womble (580291) | more than 6 years ago | (#17422196)

It did not take a noticable time to either download or render: Firefox, linux and dialup.

Re:Bad form (0)

Anonymous Coward | more than 6 years ago | (#17422942)

It did not take a noticable time to either download or render: Firefox, linux and dialup.

It did not take a noticable (less than 0.5 sec) time in my case as well: GNU/Linux, Firefox, AMD Athlon 64 3000+, dsl

Re:Bad form (1)

j00r0m4nc3r (959816) | more than 6 years ago | (#17422672)

Who cares about form? If it stops/slows spam then I support it. How often do you have to solve captchas anyway? Once a month maybe? Big deal... It's not like every website you visit every day has captchas for you to solve...

YOU GUYS ALL SUCK COCK (-1, Troll)

Anonymous Coward | more than 6 years ago | (#17421578)

Fuck you [twofo.co.uk]

Far easier ways to prevent the image being dl'd (0)

Anonymous Coward | more than 6 years ago | (#17421584)

If the goal was to prevent the image from immediately downloadable, could have used the data: protocol to embed the image data directly into the actual page, or embedded SVG, or used regular CSS to obfuscate the captcha.

Spy vs spy (1, Interesting)

Anonymous Coward | more than 6 years ago | (#17421588)

This scheme will work until it is widely enough used that it is worth the spammers' while to write a crack. As the author suggests, the ultimate solution is probably to have so many of these schemes that the spammers can't keep up.

I have a question. How much of a problem are these spammed responses to blogs. I go to several blogs that don't have captchas and haven't noticed anything that could be called spam. Is this a response to a non-problem?

April Fool's 3 months early? (0)

Anonymous Coward | more than 6 years ago | (#17421594)

I read TFA and solved their little captcha, but didn't get no Pr0n!

218kb (1)

Joebert (946227) | more than 6 years ago | (#17421598)

Screw trying to solve it, it would be easier to use that 218kb chunk of junk that's no doubt going to need a bunch of dynamic processing against them, thus forcing them to wish they never used it in the first place.

workaround... (5, Informative)

zozzi (576178) | more than 6 years ago | (#17421600)

Spammers already have a workaround for catchpas:

1. Show the image in an alternate pornographic/warez/whatever website

2. Ask the user to type it in to access the site

3. Use the user's input to access the original protected site

4. There is no step 4.

Re:workaround... (2, Funny)

rjamestaylor (117847) | more than 6 years ago | (#17421662)

Brilliantly devious. Hundreds of pr0n-seeking addicts are itching at any given moment to get their fix. Only problem is that there probably aren't enough CAPTCHAs available on the web to meet the pr0n-seekers demand! Either free "inventory" will be given away for repeated CAPTCHA solving or, if repeats not used, CAPTCHA won't be available and will frustrate the frustrated seeker even more. So, PhpBB-admins do your part: enable CAPTCHAs to meet the demand!

Re:workaround... (1)

iangoldby (552781) | more than 6 years ago | (#17421754)

Spammers already have a workaround for catchpas:
1. Show the image in an alternate pornographic/warez/whatever website ...

Except this isn't an image.

Re:workaround... (1)

iamdrscience (541136) | more than 6 years ago | (#17421800)

People bring that up whenever there's news about Captchas, but I have to say I don't believe it. When it comes to porn, I'm no slouch and I can count the number of times I've seen sites that give you free access after entering a captcha on one hand. Far more Captchas are compromised because some OCR nerd has figured out how to crack it.

Re:workaround... (5, Funny)

Phillup (317168) | more than 6 years ago | (#17422146)

When it comes to porn, I'm no slouch and I can count the number of times I've seen sites that give you free access after entering a captcha on one hand.

One hand eh?

Guess we don't really need to ask how you know this...

Re:workaround... (1)

Dystopian Rebel (714995) | more than 6 years ago | (#17422466)

When it comes to porn, I'm no slouch


At least you're maintaining good posture while you're stunting your growth.

A captcha is still a captcha (4, Interesting)

Cee (22717) | more than 6 years ago | (#17421610)

One of the main objections of a captcha is that an attacker could steal the image file and simply use it on their site (XXX sites...) to get it "cracked".
A HTML generated captcha would prevent that, since there is no image file to copy.
However, what prevents the attacker to simply copy the relevant HTML source and put it on his or her site, just like the image? Sure, you can make it quite complicated by adding CSS layers and whatnot, but in the end that would just merely be an extra annoyance.

And stopping the attacker on using OCR on the captcha won't really work either. It's not that hard to render HTML code to an image, which you can feed to the OCR software.

In short, this hack is just another step in the arms race, that just buys us some time.

Re:A captcha is still a captcha (0, Redundant)

Joebert (946227) | more than 6 years ago | (#17421640)

A HTML generated captcha would prevent that, since there is no image file to copy.

Someone could go to Microsoft.com & download Visual C++ Express Edition for free & put together somthing that uses Internet Explorer to render the entire page & save a bitmap of it in less than a day.
If they already had somthing to recognise a CAPTCHA, I bet they could dig the CAPTCHA image out of that bitmap while they're there.

Re:A captcha is still a captcha (1)

cmallinson (538852) | more than 6 years ago | (#17422598)

"One of the main objections of a captcha is that an attacker could steal the image file and simply use it on their site (XXX sites...) to get it "cracked"."

You could also just steal the html table code, and show it on another site. It almost easier, since there's no file to deal with.

Not a resource they can download and process? (1)

Tim C (15259) | more than 6 years ago | (#17421670)

Really? Firefox doesn't seem to have any problems downloading and processing it, and as I wasn't aware that Firefox or Gecko used voodoo magic, I'm going to assume that the same would be true of any purpose-written code...

It's a nice idea, but it's little more than a speed-bump at best. (And not a particularly high one, at that)

Re:Not a resource they can download and process? (1)

Professor_UNIX (867045) | more than 6 years ago | (#17421718)

Really? Firefox doesn't seem to have any problems downloading and processing it, and as I wasn't aware that Firefox or Gecko used voodoo magic
Took about 5 seconds to fully render that HEC on my 1.6 GHz Powerbook running Firefox. It could just be the time associated with downloading all that HTML though I guess. It definitely seems to not be friendly compared to a 30K JPEG of the same thing.

Re:Not a resource they can download and process? (1)

JamesTRexx (675890) | more than 6 years ago | (#17421804)

Took about 0.5 seconds on my FreeBSD Dell 1.13 GHz P III in Konqueror while compiling KDElibs3 in the background. At every reload of the page.
Or it could just be that FreeBSD/KDE has magic powers. :-)

Re:Not a resource they can download and process? (1)

Tim C (15259) | more than 6 years ago | (#17421832)

It took my copy of FF2 "a couple of seconds"* to render it first time round on my X2 4400+ once the page had fully loaded; subsequent loads showed the captcha more or less instantaneously, despite it being different each time.

By "no problems" I mean that it's right there in the page, and can be scraped out with relative ease. In fact, it's not really any harder than searching for the appropriate img tag, in either case you have to identify an enclosing block of text and pull out the relevant HTML fragment.

It might stop the odd kiddy when the script they found on an IRC channel can't handle it, but it's not going to stand up to anyone with even half a clue for very long. Don't get me wrong, it's definitely an interesting idea, and might be a (very small) step in the right direction, if someone can strengthen it somehow; I'm just not convinced that it'll be possible.

Re:Not a resource they can download and process? (1)

henryhbk (645948) | more than 6 years ago | (#17421858)

I tested it on my core-duo mac mini (with the crappy IMA graphics) in Safari and it was essentially instant. I will admit it was over FIOS so download speed was 15mbit, but it didn't slow down at all.

Screen Captcha! (2, Interesting)

mrmeval (662166) | more than 6 years ago | (#17421702)

It's easy no?

The file size is what intriques me. Just make a 'hidden' captcha that a bot would download. Now figure out how to make a jpeg decompressor uncompress that to 2 gigs or better.

It's like the old "I'll compress 2gigs of the letter A with zip and upload it to that BBS and let the virus checker gag" gag.

Or maybe a gif file. I wonder how solid black or white compress......

Re:Screen Captcha! (1)

KillerBob (217953) | more than 6 years ago | (#17422274)

If it's a "hidden" field, the legit browsers will still see it, though. The user may not see it, but it'll still be loaded by the browser.

As to how to make it compress really well, simple. Save it as a 2-colour bitmap (with all the pixels "on"). Of some obscenely high resolution. Like 168,000x105,000. 17.6 billion pixels. Will compress really small, but will also suck up a huge amount of RAM to display.

Lunacy (4, Interesting)

Stormx2 (1003260) | more than 6 years ago | (#17421712)

Lunacy! I've made apps which can do this sort of thing before, and this one is totally unoptimized! Take a look at this:

With the limited amount of colours used, it would make much more sense to
a) give the table an id, then:
table.tabid td { width:1px; height:1px; )
b) give some classes for each colour used
td.colid { background-color: blah; }

I'm sure that would half the source code size... How can you trust a HTML solution that hasn't even been properly thought through?

Processing (2, Interesting)

jones_supa (887896) | more than 6 years ago | (#17421716)

The Captcha is no longer an image and therefore not a resource they can download and process.

Err...but the HTML captcha is a resource they can download and process.

Re:Processing (1)

Phillup (317168) | more than 6 years ago | (#17422166)

The Captcha is no longer an image and therefore not a resource they can download and process.

Err...but the HTML captcha is a resource they can download and process.

Not without getting the whole page you can't... that is the point.

You still need to separate the captcha from the rest of the page.

When bad ideas go live (1, Insightful)

billcopc (196330) | more than 6 years ago | (#17421792)

Having a 200kb block of text, no matter how well it compresses, will add anywhere from 10 to 40 seconds to download on a dial-up line, and that was for a ridiculously small CAPTCHA. A larger, more human-readable size might use up 500kb or more. Even on a high-speed link that's a noticeable pause. The fact that it only shows up on the sign-up page doesn't make it excuseable; in fact it makes it counter-productive. If I find some cool site, eagerly hit the sign-up link and end up staring at a half-rendered page for more than 15-20 seconds, I'll just leave and find some other site that loads faster, because I really don't care what's going on behind the scenes... I have no compassion for an elaborate security device if it bungles my experience.

This is what happens when bad ideas are brought to life. This will only waste the site owner's bandwidth, maybe slow down the attacker slightly while the algorithm is modified.. we're talking AT MOST a couple days work. You could achieve the same result by adding a 2-second delay to the CAPTCHA cgi, the same idea as adding a delay to failed logins... if you can't properly defeat the attackers, at least slow them down.

We've reached a point where, with security/copy protection, if it is something than can be done by a human sitting at a computer, the human can be removed from the equation. The greatest shortcoming of any system like CAPTCHA, or even asking "human intelligence" questions like "What do monkeys eat" or other things that computers don't innately "know", is that a human has to computerize those actions in the first place. You have to teach YOUR computer what the answer to the monkey question is, and there are only so many answers you will teach it until you run out of ideas (or exhaust the body of humankind's knowledge). Eventually the attacker will know all the answers to your challenges and you've just wasted a whole lot of time.

A better strategy here is the psychological approach. How do you get rid of a tireless attacker ? What motivates an attacker ? They WANT something of value to them. That something can be email addresses, zombie hosts, or in the case of blog spam they just want eyeballs. There are two ways to demotivate them: get rid of what's luring them, or make your prize harder to get than everyone else's. The first solution might mean crippling your site, even making it totally worthless (think site owners that give up, communities that are abandoned after relentless attacks). The second solution only buys you time, because the more vulnerable sites will ramp up their security, sooner or later, and then you're back at square one.

Actually there is a solution 3: find the attackers and attack THEM. Hey it's not the higher road, but it's damn effective.

You must have a very poor dialup connection. (1)

goldcd (587052) | more than 6 years ago | (#17422040)

That page gzips down to 12k - so ~2 seconds download speed.
The larger problem would probably be load on the server - possibly you could get around this by pre-compressing and then randomly serving. I don't think this was supposed to be a perfect solution, it's just a nice little demo showing how something common can be done in a new way.

Captcha's are annoying (4, Insightful)

tacocat (527354) | more than 6 years ago | (#17421798)

While this has little to do with the original post I have a really annoying experience with captchas

I have 20/20 vision and am not color blind. Captchas are becoming so complicated and garbled that I get the code wrong about 40% of the time. Another portion of the time I take to long trying to answer the code question and type in the right characters. I typically get screwed on the number Zero and the letter 'O' and lowercase 'L' and the number 1.

It'b becoming, for me, an entry barrier to signing up and gaining access to websites. It would be much easier to simply use email authentication. What do you do with the people who are color blind? I spent some years dealing with display design and this was a legitimate concern that we addressed at the time for a specialized group of people. In the common population there are a lot more occurrences of people who are color blind.

Are captcha's really worth the effort compared to other more human friendly processes? Is anyone working on what we will be doing next? Considering that there are decades of technology in machine vision technology to pull from I think it will be fairly trivial for the bots to become better at reading captchas than humans.

It might be effective to take the email authentication process and apply everything that mail servers do to authenticate the user. What I mean by this is apply all the mail server rules like FQDN requirements for HELO, fully resolvable email domains, valid email addresses, non-open relays. Much of this would eliminate either the bots or the ISP's who are too stupid to properly configure a mail server. Similarly it might be sufficient to code the HTML/HTTP to expect a properly responding client and not some hacked up bot that can't do most of it right.

Re:Captcha's are annoying (1)

KillerBob (217953) | more than 6 years ago | (#17422214)

Well, I administer a couple of forums, and I can honestly tell you that captcha is mostly useless. That said, so is e-mail validation. The bots are using throwaway e-mail addresses to get around e-mail validation. Sometimes, they're registering their own domains and using a catch-all so that the bot can put in random junk for the e-mail address, sometimes they're using free e-mail providers.

The thing is, it's a losing battle. You can either shrug your shoulders, and let it happen, or you can take up arms. At its peak, an average of 100 bots/day were registering on my forums. I was able to stymie them by blocking websites from their profiles and preventing them from posting links until they'd had 10 posts, but they were still registering.

100/day may not sound like many, until I tell you that there's only about 2,000 legitimate users on the messageboard. You need to employ every weapon at your disposal to prevent bots from registering, and even then, you may not get all of them.

Now, addressing what you said specifically:
I have 20/20 vision and am not color blind. Captchas are becoming so complicated and garbled that I get the code wrong about 40% of the time. Another portion of the time I take to long trying to answer the code question and type in the right characters. I typically get screwed on the number Zero and the letter 'O' and lowercase 'L' and the number 1.


That's the fault of the website designer more than anything. The smart website designer will use a font that puts a slash through the numeral zero, for example, or will remove certain characters from the list of available characters, such as you describe. Most canned captchas actually support that, but it's up to the person using it to tell the script not to use characters like 'l'.

It'b becoming, for me, an entry barrier to signing up and gaining access to websites. It would be much easier to simply use email authentication. What do you do with the people who are color blind? I spent some years dealing with display design and this was a legitimate concern that we addressed at the time for a specialized group of people. In the common population there are a lot more occurrences of people who are color blind.


Provide an alternative method for registration. My e-mail address is provided on my registration page, asking users to send me an e-mail if they have any problems registering and I'll manually create the account. I check my e-mail daily, and at most, you'll have to wait 24 hours.

Again, that's up to the website administrator to make allowances for people who get screwed over by the captcha and other methods.

Are captcha's really worth the effort compared to other more human friendly processes? Is anyone working on what we will be doing next? Considering that there are decades of technology in machine vision technology to pull from I think it will be fairly trivial for the bots to become better at reading captchas than humans.


Yes. While I did say they were mostly useless, I also said that you need to employ every weapon at your disposal to keep the bots from registering. They do block some of the less sophisticated bots, and every little bit helps.

I've been tossing around an idea of an anti-captcha, though. Throw in a captcha, and right below it, have a note that says "now, disregard the above captcha and type 'notabot' in the box". I'll probably implement it to see what happens.

It might be effective to take the email authentication process and apply everything that mail servers do to authenticate the user. What I mean by this is apply all the mail server rules like FQDN requirements for HELO, fully resolvable email domains, valid email addresses, non-open relays. Much of this would eliminate either the bots or the ISP's who are too stupid to properly configure a mail server. Similarly it might be sufficient to code the HTML/HTTP to expect a properly responding client and not some hacked up bot that can't do most of it right.


I'm already using live e-mail validation. The only thing that changed is that the bots are now using throwaway addresses. They'll register a domain like "cheappills.info" (that's a real one from my logs, so feel free to ban it, or better yet, DoS it), and set up a catch-all rule so that asldkjfals@cheappills.info is a valid e-mail address. Having a script connect to the mail server and attempt to resolve an envelope only ends up sucking up a small amount of bandwidth, while not really stopping many bots.

In the end, you need to make use of every option you have to block the bots. I hid the "website" field in the registration, and set up a call to die() if the field is not-null in registration, I have a captcha, I have live e-mail validation, e-mail confirmation, and I've got a litany of about 30 e-mail servers that are blacklisted. Thankfully, there haven't been any bot registrations in almost a month. But if I remove any one of those, I suspect that I'll have to do some housekeeping again. It's unfun. But unfortunately, it's an arms race, and the only ways to get out of it are to surrender to the deluge or go dark.

Re:Captcha's are annoying (1)

tacocat (527354) | more than 6 years ago | (#17422924)

I supposed the next step is to have people write a physical letter or make a phone call to you personally. But I wonder how long it will be before electronic speech gets better.

Re:Captcha's are annoying (1)

AusIV (950840) | more than 6 years ago | (#17422366)

I have 20/20 vision and am not color blind. Captchas are becoming so complicated and garbled that I get the code wrong about 40% of the time.
I have 20/40 vision and am colorblind. I find a site with a captcha, I give up on it unless it's something I'm really interested in. There have definitely been websites that have lost my business because of their obnoxious captchas.

Broken (5, Interesting)

Kurayamino-X (557754) | more than 6 years ago | (#17421824)

All text based captcha's are broken, it doesn't matter how they're rendered, they're still a pre-defined set of characters that a bot can pick out eventually. Now, the "Click three kittens" captcha, that was fucking genious, no bot on the planet will be able to tell the difference between a kitten and a ham sandwich. Why isn't it being used? People seem to think obscuring text and making it harder for humans to read is a better idea than using something a computer will not be able to identify.

Re:Broken (1)

springbox (853816) | more than 6 years ago | (#17422364)

I see a few problems with that CAPTCHA. First, it's one of the few CAPTCHAs that requires JavaScript to work, which is not its biggest problem. All of the images for the CAPTCHA are thrown out onto the page so it's just a matter of having a human identify each animal in each picture and an automated program can find "x" number of "y"s on the page. Not only that, but the CAPTCHA images themselves are easily accessible since they're put in the same directory with file names like 0.jpg, 1.jpg, etc.

Re:Broken (1)

izam_oron (942139) | more than 6 years ago | (#17422682)

In that case, one could render them all into one image and use alphanumeric identifiers for the kittens instead. Even better, throw in a bunch of random pictures and ask the user to type in the ID of whichever one is item "x". Someone suggested that you use flickr with the kittens, so having access to multiple "x" pictures is a must. You get all the combinations of strange alphanumeric strings and the usability/cuteness factor of contrasting fuzzy animals.

not very effective (1)

varunvnair (891012) | more than 6 years ago | (#17421932)

This is going to be effective only as long as it is not popular and not worth somebody's time to sit down and write a script to convert it into a genuine image.

How difficult is it to translate this matrix into a normal image? Not very difficult I am afraid.

capchas (1)

iviagnus (854023) | more than 6 years ago | (#17422100)

Kudos! An awesome idea. If some here cannot see the relevance, they are n00bs with no brains.

218k of junk (2, Informative)

suv4x4 (956391) | more than 6 years ago | (#17422132)

This GPL-ed project can be reproduced by a junior coder in an hour so the fact it's GPL-ed I guess isn't of so much help.

Also on the subject of it being 218k, each pixel looks like:

... tr... <td style='height:1px;width:1px;background-color:#fcfb ff'></td> ... /tr...

which is badly redundant, the very first thing is you can make all "td"-s in the table be 1px/1px with a simple: table.captcha td {width:1px; height:1px} rule, then background-color can be shortened to just "background" and still be valid.

Furthermore you don't need table with rows and columns, if you float the pixels to left, then you only need a container of the right width and columns/rows wil naturally form, to keep it down we can style a shorter tag for our purposes, like <b>

So at this stage we arrive at the much simpler:

<b style="background:#abcdef"></b>

But this can be simplified even further by indexing the colors used as around a 40-50 css classes (fiven the image has a lot more than 40-50 pixels and 40-50 colors are enough for it, it's still a net gain), for example: .cA {background:#abcdef} .cB {background:#ffaabb}, at which point we get not only more obfuscation for the captcha crackers to solve, but much lighter code:

<b class="cA">&lt/;b>

and again the original:

... tr... <td style='height:1px;width:1px;background-color:#fcfb ff'></td> ... /tr...

And this is before we start putting JavaScript in the picture...

Congratulations... FOOL! (1, Interesting)

Tom (822) | more than 6 years ago | (#17422256)

Great, so blocking images in E-Mail will no longer get those image-spams thrown out, because now a bright-but-not-intelligent geek has given the spammer assholes a way to encode their crap in simple HTML which no spam filter will manage to get.

Congratulations. How much did they pay you?

Oh, as for the "official" purpose. I give it a life expectancy of 3 weeks before the spammers have found a way around it. If they bother at all.

Re:Congratulations... FOOL! (1)

WWWWolf (2428) | more than 6 years ago | (#17422544)

Great, so blocking images in E-Mail will no longer get those image-spams thrown out, because now a bright-but-not-intelligent geek has given the spammer assholes a way to encode their crap in simple HTML which no spam filter will manage to get.

In other news, people are celebrating on the streets when HTML email is finally dead and all spam filters are configured universally throw HTML attachments away. Everyone is suprised when the 1990s technology is working so well and understand why every old beard has been complaining about HTML mail...

...or maybe it's just that someone writes a new rule for SpamAssassin (adds "no megacrappy HTML" rule after the "no crappy HTML" rule) and calls it a day.

Re:Congratulations... FOOL! (1)

jonbryce (703250) | more than 6 years ago | (#17422982)

Spamassassin already blocks messages with a very high ratio of html tags to text, so it would get those messages.

This will leave spammers saying.... (1)

sbben (983577) | more than 6 years ago | (#17422534)

What the HEC?

No need to download the image (5, Interesting)

lintux (125434) | more than 6 years ago | (#17422568)

There's no need to download the image. Look at the source. Somewhere it says: <input type="hidden" name="hash" value="ad6ade8a0b6e2f748b80a390ff45cf31">

Now, just go to MD5Lookup.Com [md5lookup.com] and convert that little "hidden" MD5Sum back to the original text:

ad6ade8a0b6e2f748b80a390ff45cf31 - &NMTB

Maybe the author should add some salt. :-)

Re:No need to download the image (0)

Anonymous Coward | more than 6 years ago | (#17423054)

that probably means its even easier than that. you could just make your own form, to post your own word & hash to the server.

A simple screen capture defeats this (1)

BarnabyWilde (948425) | more than 6 years ago | (#17422604)

A simple screen capture defeats this, since everything is ultimately a map of bits (a bitmap!) on the screen that can easily be converted to a file.

I just wrote one.... (1)

Skylinux (942824) | more than 6 years ago | (#17422892)

I just wrote a sample CAPTCHA system as well but kept in black and white for various reasons. I also use whole words to make text input simpler for humans. Here is a competing article explaining a different approach.
ahref=http://www.network-technologies.org/Projects /Virtual_Brain_Online/article/user_validation_imag e_verification_code_captcha/rel=url2html-31631 [slashdot.org] http ://www.network-technologies.org/Projects/Virtual_B rain_Online/article/user_validation_image_verifica tion_code_captcha/>

Captchas (1)

anasciiman (528060) | more than 6 years ago | (#17422960)

I loathe CAPTCHAs in any form. People who are blind or, like me, totally colourblind have no functional means to figure out just what in the hell we're supposed to "see" in them. Some places have noted this and added audio versions but the majority of sites using CAPTCHAs do not bother. For those webmasters thinking of using CAPTCHAs - there are a lot of us out here who are visually disabled and, um, we have money to spend with your competition if you can't at least meet us halfway. </rant>

Visually impaired? (1)

cojsl (694820) | more than 6 years ago | (#17422976)

A quick skim of TFA didn't indicate whether these are any more accessible for the visually impaired. The current "audio captcha" option help, but standard captchas are a real barrier to the visually impaired.

BitBloating the pixels to individual TD tags (1)

TehBeer (860440) | more than 6 years ago | (#17422980)

BitBloating the pixels to individual 1X1 TD tags will hardly make a difference. All that is needed is to reconstruct the bitmap then use OCR on it as usual.

What a sad solution.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>