CAPTCHA
Latest revision as of 11:01, 22 July 2024
A Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA, is a Turing test employed most frequently in websites to discriminate between humans and computer programs. Usually implemented as an image analysis problem, CAPTCHAs present a problem which is trivial for a human to solve, but very difficult for a computer program (see artificial intelligence).
Rationale
Many companies offer online services free of charge. However, people who want to exploit those services will often attempt to write a computer program that can automatically register for and use said services. CAPTCHAs are one of the most successful methods for foiling such attacks.
Common implementation
CAPTCHAs are most frequently implemented as a distorted image containing a short text. The user is asked to type the text from the image into a form field. The distortion usually defeats state-of-the-art Optical Character Recognition (OCR) algorithms.
Criticism of CAPTCHAs
Handicap-accessible CAPTCHAs have not yet been developed. As a result, common image CAPTCHAs prevent people who are blind or who have poor eyesight from using web services.
Attacks Against CAPTCHAs
The major problem with CAPTCHAs is that they do not prevent the test subject (human or computer) from passing the test on to another party. This can be exploited by an attacker A to gain access to a target website B, by use of an intermediate website:
- Attacker A creates an online service with high demand, such as a pornographic website.
- Some third party C visits the attacker's website, and attempts to register.
- The attacker's website begins a registration procedure at the target website B, and receives a CAPTCHA from it.
- The attacker's website presents the CAPTCHA from B to the third party C.
- The third party voluntarily solves the CAPTCHA assuming it was generated by A's website.
- The attacker's website uses the solution to the CAPTCHA to complete registration at the target website B.
In doing so, the attacker can repeatedly access the CAPTCHA-protected web service without his own direct intervention. This is an example of a man-in-the-middle attack.
The attack of directly solving the CAPTCHA using a computer is becoming more and more viable, though, and many CAPTCHAs have been essentially broken by this method.
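The following is an added example, not code from the article, showing the server-side half of the "common implementation" above and the two controls that narrow the relay attack just described: each challenge is a signed, single-use token with a short expiry, so a solution relayed through an intermediate site is only accepted once and only within a small window. The names (issue_challenge, verify_solution, SECRET, TTL_SECONDS) are assumptions for illustration, and rendering the distorted image itself is out of scope.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-server-secret-replace-in-deployment"  # assumption: per-server key
TTL_SECONDS = 120  # short validity window: limits how long a relayed solution is usable

_used_ids = set()  # single-use bookkeeping: a solved challenge id is never accepted again


def _answer_mac(answer):
    # Keyed MAC, not a plain hash: the answer space of a CAPTCHA is small, so an
    # unkeyed digest sent to the client could be brute-forced offline.
    return hmac.new(SECRET, answer.strip().lower().encode(), hashlib.sha256).hexdigest()


def issue_challenge(answer, now=None):
    """Bind a random challenge id, the expiry and the keyed answer MAC into a signed token.
    The token travels with the image; the server keeps no per-challenge state until solved."""
    now = time.time() if now is None else now
    payload = {"id": secrets.token_hex(8), "exp": int(now) + TTL_SECONDS, "ans": _answer_mac(answer)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_solution(token, submitted, now=None):
    """Return (ok, reason). Rejects tampered, expired and replayed tokens and wrong answers."""
    now = time.time() if now is None else now
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad-signature"  # client cannot forge ids, expiries or answers
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now > payload["exp"]:
        return False, "expired"  # relayed solutions arriving after the window are useless
    if payload["id"] in _used_ids:
        return False, "replayed"  # one solution cannot complete several registrations
    if not hmac.compare_digest(_answer_mac(submitted), payload["ans"]):
        return False, "wrong-answer"
    _used_ids.add(payload["id"])
    return True, "ok"
```

In a real deployment the used-id set would live in shared storage with entries that expire alongside the token, and verification should be paired with per-source rate limiting, since neither control stops a patient relay operator who solves each challenge within the window.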