
A bad month for CAPTCHAs

Shortly after my last post on CAPTCHAs, some of you may have noticed MustLive’s CAPTCHA bypass tests in the comments below the article. Although I moderate all comments to my blog, I allowed those through because I thought they were a good follow-up to what I myself had written about CAPTCHAs.

In reality, the only function that CAPTCHA on my blog serves is to reduce the number of spam comments I have to sift through to find the real comments. Along with a couple other plugins, it does a good job with keeping the spam out.
However, the point here isn’t so much what the target is or why someone would want to target any particular blog. The point is to constantly improve on our security strategies and shore up their weaknesses. As I have said many times in the past, we can’t even begin to imagine how someone might exploit a vulnerability in the future. So if the technologies are broken, let’s just fix them.

MustLive’s comments were clearly a precursor to his Month of Bugs project, which I have very much enjoyed following. He did a great job of demonstrating the many ways a CAPTCHA can be vulnerable. In particular, he well understands how important a role session state plays in CAPTCHA authentication.

Properly implementing session state is a big problem for many web developers and can contribute to many other problems, including account hopping, cross-site scripting, session hijacking, etc.

It would be well worth your time to read through MustLive’s CAPTCHA posts and get a better understanding of the common problems.

On a side note, I decided to change my own CAPTCHA. It wasn’t really because the other one was weak; the new one has issues too. What I like about the new one is that it gives me more settings to play around with.

Apart from the security issues that MustLive pointed out with this particular CAPTCHA, which still need to be addressed, I wanted to point out the configuration I chose, which I think makes this CAPTCHA more effective (secure yet usable) in general:

  1. The image is larger, which allows for easier readability but also increases the probability that an OCR of the image will fail. With more space I was able to add more noise without obscuring the characters, and the more area an OCR has to process, the more chances there are for errors.
  2. There are no confusing letters such as o and 0, 5 and s, l and 1 and i, 6 and G and C, 9 and g, etc. This makes the process less confusing for the user. Yes, this does reduce the total number of characters the CAPTCHA uses, but you can make up for that by increasing the length of the CAPTCHA. Note also that some letters, such as X, appear more than others. Again, this is for usability.
  3. I clearly explain how many characters there are, that case does not matter (don’t you always wonder that?), and that there are no o’s or 0’s (because there are circles as part of the noise). This is all to improve usability for the user.
  4. The fonts are easy to read yet still have enough variety to make OCR more difficult.
  5. There are no colors. Colors don’t really confuse a computer and probably even make it easier to distinguish each object.
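The two points above that a developer can actually get wrong in code are the character set (item 2) and the session handling that MustLive’s tests keep hitting. The following is an added example, not the CAPTCHA plugin running on this blog: a minimal server-side challenge store that uses an alphabet with the confusable glyphs removed, compares case-insensitively, binds each challenge to the session that requested it, consumes it on the first verification attempt (right or wrong), and expires it after a fixed interval. The `ALPHABET`, `LENGTH` and `TTL_SECONDS` values, and the class and method names, are my own assumptions; image rendering is out of scope, so `issue()` returns the answer text that would be drawn into the picture.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed alphabet: lower-case letters and digits with the pairs the post
# lists removed (o/0, 5/s, l/1/i, 6/G/C, 9/g). Only lower case is kept
# because verification ignores case anyway.
ALPHABET = "abdefhjkmnpqrtuvwxyz23478"
LENGTH = 6            # assumed challenge length; longer makes up for the smaller alphabet
TTL_SECONDS = 300     # assumed lifetime of a challenge


@dataclass
class Challenge:
    answer: str
    issued_at: float


@dataclass
class Session:
    sid: str
    challenge: Optional[Challenge] = None


class CaptchaService:
    """Server-side store: one live challenge per session, single use."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable for testing expiry
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)          # unguessable session id
        self._sessions[sid] = Session(sid)
        return sid

    def issue(self, sid: str) -> str:
        """Create a fresh challenge for the session, replacing any older one.

        Returns the answer text that the image renderer would draw.
        """
        session = self._sessions[sid]
        answer = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        session.challenge = Challenge(answer, self._clock())
        return answer

    def verify(self, sid: str, submitted: str) -> bool:
        """Check a user's answer against the challenge bound to this session."""
        session = self._sessions.get(sid)
        if session is None or session.challenge is None:
            return False                         # unknown session or nothing issued
        challenge = session.challenge
        # Consume the challenge before comparing: a correct answer cannot be
        # replayed, and a wrong guess cannot be retried against the same image.
        session.challenge = None
        if self._clock() - challenge.issued_at > TTL_SECONDS:
            return False                         # stale challenge
        normalised = submitted.strip().lower()   # case does not matter (item 3)
        return hmac.compare_digest(normalised.encode(), challenge.answer.encode())


def user_hint() -> str:
    """The instruction shown next to the image, as item 3 recommends."""
    return (f"Enter the {LENGTH} characters shown. Case does not matter. "
            "There are no o's or 0's.")


if __name__ == "__main__":
    svc = CaptchaService()
    sid = svc.new_session()
    answer = svc.issue(sid)
    print(user_hint())
    print("first attempt:", svc.verify(sid, answer.upper()))   # True
    print("replayed:", svc.verify(sid, answer))                 # False
```

The point of clearing `session.challenge` before the comparison is that the outcome of one submission, success or failure, never leaves a challenge behind that a second request could reuse; a client has to fetch a new image for every attempt, which is the property a CAPTCHA needs before any discussion of OCR resistance matters.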

I haven’t done any OCR tests to see if any of these methods actually improve the security of the CAPTCHA; it’s really just my own theories. The best way to improve on these is to prove me wrong. MustLive, you got any good OCR scripts?



2 Responses to “A bad month for CAPTCHAs”

  1. Test on 06 Dec 2007 at 10:16 am

    Test :-)

  2. MustLive on 06 Dec 2007 at 11:47 am

    In reality, the only function that CAPTCHA on my blog serves is to reduce the number of spam comments

    Mark, your site is about security, so you need a reliable captcha. The previous and current ones are not reliable enough, so you need a more secure captcha.

    which I have very much enjoyed following

    I’m glad that you like it. I hope many people, especially security guys and web developers enjoyed my MoBiC project.

    On a side note, I decided to change my own CAPTCHA.

    It’s good, because the previous captcha was very weak, but the new one is insecure too, as you already know from my article about the Cryptographp captcha.

    And after I checked your new captcha today (which is using the Cryptographp plugin + additional checks), it is vulnerable. This captcha is vulnerable to session reusing with the constant captcha bypass method + bypassing of the additional protections. I have written you all the details in an email. So your captcha needs to be improved.

    The best way to improve on these is to prove me wrong.

    Like I told you, the current captcha is unreliable ;-). Man, no need to look for OCR (or a cheap work force) when there are holes in the captcha. Like I said in Month of Bugs in Captchas, using vulnerabilities to bypass captchas is a more effective way. So until there are holes in some captcha, it can be reliable.

    MustLive, you got any good OCR scripts?

    No, Mark, I don’t have such scripts. I’m only interested in a posteriori vulnerabilities (holes in algorithms), not a priori vulnerabilities (holes in the idea). So, as a security auditor, I’m interested only in holes in captchas (the other two bypassing methods, OCR and a cheap work force, are less interesting for me).
