CAPTCHA

From Citizendium
Revision as of 15:45, 22 February 2007 by imported>Nick Johnson

A Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA, is a Turing test employed most frequently on websites to distinguish between humans and computer programs. Usually implemented as an image-analysis problem, a CAPTCHA presents a task that is trivial for a human to solve but very difficult for a computer program.

Rationale

Many companies offer online services free of charge. However, people who want to exploit those services will often attempt to write a computer program that can automatically register for and use said services. CAPTCHAs are one of the most successful methods for foiling such attacks.

Common Implementation

CAPTCHAs are most frequently implemented as a distorted image containing a short string of text. The user is asked to copy the text from the image into a form field. The distortion usually defeats state-of-the-art Optical Character Recognition (OCR) algorithms.

Criticism of CAPTCHAs

Accessible CAPTCHAs for users with disabilities have not yet been developed. As a result, common image CAPTCHAs prevent people who are blind or who have poor eyesight from using web services.

Attacks Against CAPTCHAs

The major problem with CAPTCHAs is that they do not prevent the test subject (human or computer) from passing the test on to another party. This can be exploited by an attacker to gain access to a target website:

  1. Attacker creates an online service with high demand, such as a pornographic website.
  2. Some third party visits the attacker's website and attempts to register.
  3. The attacker's website begins a registration procedure at the target website and receives a CAPTCHA.
  4. The attacker's website presents the same CAPTCHA to the third party.
  5. The third party voluntarily solves the CAPTCHA.
  6. The attacker's website uses the solution to the CAPTCHA to complete registration at the target website.

In this way, the attacker can repeatedly access the CAPTCHA-protected web service without intervening directly.
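A minimal server-side verifier, added here as an illustration and not code from the article, shows why the relay described above succeeds: the server can only check that the submitted answer matches the challenge it issued for a session, not who actually solved it. The single-use challenge and the 60-second lifetime are assumed defensive policies that the article does not specify; they limit the attacker's window but do not prevent relaying.

```python
import secrets

# Assumed policy (not from the article): a challenge expires 60 seconds after issue.
CHALLENGE_TTL = 60.0


class CaptchaService:
    """Toy server-side CAPTCHA store: issues one challenge per request and checks answers."""

    def __init__(self):
        # challenge_id -> (session_id, expected answer, issue time)
        self._pending = {}

    def issue(self, session_id, now):
        # Constructed stand-in: the 'image' is returned as plain text; a real service
        # would render and distort it so that only a human can read it.
        answer = secrets.token_hex(3)
        challenge_id = secrets.token_urlsafe(8)
        self._pending[challenge_id] = (session_id, answer, now)
        return challenge_id, answer

    def verify(self, session_id, challenge_id, submitted, now):
        # Single use: a challenge is removed the first time anyone answers it.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        owner, answer, issued_at = record
        # The check binds the challenge to a session and a deadline, but nothing
        # here can tell whether the session owner or a relayed third party solved it.
        if owner != session_id or now - issued_at > CHALLENGE_TTL:
            return False
        return secrets.compare_digest(submitted, answer)


def relay_scenario(solve_delay):
    """Steps 3-6 of the relay above; solve_delay is how long the third party takes."""
    target = CaptchaService()
    now = 1000.0
    # Step 3: the attacker's site starts registration at the target and receives a challenge.
    challenge_id, image = target.issue("attacker-site-session", now)
    # Steps 4-5: the same image is shown to an unrelated visitor, who reads and solves it.
    human_answer = image
    # Step 6: the attacker's site submits the visitor's answer under its own session.
    return target.verify("attacker-site-session", challenge_id, human_answer, now + solve_delay)
```

The verifier accepts the relayed answer whenever it arrives within the lifetime; only a slow third party, a reused challenge, or a mismatched session is rejected.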