[nycphp-talk] easily defeating captchas using automated imageanalysis
Chris Shiflett
shiflett at php.net
Tue Nov 2 18:20:20 EST 2004
--- Allen Shaw <ashaw at iifwp.org> wrote:
> I've seen (or seen theorized) captchas that require a user to
> enter a keyword based on three or more different pictures -- for
> example, show the user a Frosted Flakes box cover, that famous
> Nike-branded golfer, and a Cincinnati Bengals logo, and most
> users (depending on the target audience) could get in by typing
> "tiger".
The problem with this approach is that humans can still guess it, so the
adult site attack (that thing needs a name) will still work. Thus,
strengthening this further doesn't really help - it's already easier to
use the adult site attack than it is to leverage the captcha breaking
research results that have been produced.
This is a key point regarding security in general - it's unwise to focus
all of your attention in any one area, thereby assuming that this is the
one opening that a potential attacker will use. It's similar to how people
have a false sense of security when something is encrypted - often
decryption isn't necessary for a successful attack (presentation of the
original encrypted data may be all that's required).
I'm glad that there are people who focus a lot of effort on specific
issues, but personally speaking, I try to focus on the big picture.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming January 2005 http://httphandbook.org/
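The replay point above (that presenting the original encrypted data may be all an attacker needs) is easy to see in code. The following is an added example, not code from the post or from Chris's books; it uses an HMAC-authenticated opaque token as a stand-in for encrypted data, since the verification mistake is the same either way: a server that only checks the blob is genuine will accept a captured copy forever, while one that also checks a nonce and issue time rejects the replay. All names, the key and the sample timestamps are constructed for the demo.

```python
"""Replay of an opaque token: a valid tag proves origin, not freshness."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key"  # constructed sample key, not from the page
TAG_LEN = 32                       # SHA-256 HMAC length in bytes


def _mac(data: bytes) -> bytes:
    return hmac.new(SECRET, data, hashlib.sha256).digest()


def issue_token(user: str, now: float) -> str:
    """Mint an opaque token carrying the user, a random nonce and issue time."""
    payload = json.dumps({"u": user, "n": secrets.token_hex(8), "t": now}).encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def _open_token(token: str):
    """Verify the tag and return the payload dict, or None if tampered."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(payload)):
        return None
    return json.loads(payload)


class NaiveVerifier:
    """Accepts any token with a valid tag: a captured token works forever."""

    def accept(self, token: str, now: float) -> bool:
        return _open_token(token) is not None


class FreshnessVerifier:
    """Also requires the token to be recent and never presented before."""

    def __init__(self, ttl: float = 60.0):
        self.ttl = ttl
        self.seen = set()  # nonces already consumed (hypothetical in-memory store)

    def accept(self, token: str, now: float) -> bool:
        p = _open_token(token)
        if p is None or now - p["t"] > self.ttl or p["n"] in self.seen:
            return False
        self.seen.add(p["n"])
        return True


def replay_demo():
    """Return (naive_replay_ok, fresh_first_ok, fresh_replay_ok, fresh_stale_ok)."""
    t0 = 1000.0                      # constructed clock value
    tok = issue_token("alice", t0)
    naive = NaiveVerifier()
    fresh = FreshnessVerifier(ttl=60)
    naive.accept(tok, t0)
    naive_replay = naive.accept(tok, t0 + 3600)   # captured blob replayed an hour later
    fresh_first = fresh.accept(tok, t0 + 1)       # legitimate first use
    fresh_replay = fresh.accept(tok, t0 + 2)      # same blob again: nonce already seen
    stale = fresh.accept(issue_token("alice", t0), t0 + 600)  # unseen, but past TTL
    return naive_replay, fresh_first, fresh_replay, stale


if __name__ == "__main__":
    print(replay_demo())  # (True, True, False, False)
```

The naive verifier never decrypts or forges anything and is still defeated, which is the point of the message: the cryptography held, but the protocol around it did not ask whether this particular presentation was new.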