On 8/27/2020 12:41 PM, Phil Stracchino wrote:
On 2020-08-27 13:15, Rich Kulawiec wrote:
- Captchas are a worst practice in security and should never be used. They can be and are defeated at will by any adversary who wants to trouble themselves to do so. They're also user-hostile. There are much better methods available for protecting Mailman instances from abusers.
I've said for some time that traditional captchas are by now almost a REVERSE test. Ability to solve them should be taken as stronger evidence that you are a bot than that you are a human, because bots are better at solving them than humans are.
Image-style captchas like reCaptcha are better, but they too have a shocking oversight: They do not scale well on increasingly-ubiquitous high-resolution displays. I'm currently using a 32" 4K monitor, and even after zooming the page as far as I can, I still sometimes have to resort to a magnifying glass to be certain whether I'm seeing a specified object somewhere in the background of one of the images.
Yay, topic drift.
IME the simple stupid server-side captchas are easy enough to solve and will deter 100% of the random bang bots & bad search engines. And the reason to use them is the page you're protecting can put non-trivial load on the server when triggered. It has nothing to do with security, nor bots actively trying to solve the captcha.
But reCaptchas aren't any better at defeating bots. I'm certain you'll find at least one cite on that in RISKS and/or DefCon archives. And not only as you say, half the images are invisible to the naked eye: I have privacy badger and an adblock in my browser, I'm sure you can guess how nice those javacrap recaptchas play with that.
Dima
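The "simple stupid server-side captcha" Dima describes (a cheap gate in front of an expensive page, meant to stop random crawlers rather than a determined solver) can be built without any per-challenge server state. The following is an added illustration written for this page; it is not Mailman code and not code from anyone in the thread. The server hands out an arithmetic question plus an HMAC-signed token that binds a nonce, an expiry and a hash of the expected answer; on submit it checks the signature in constant time, rejects expired or already-used tokens, and only then compares the answer. The environment variable name CAPTCHA_SECRET, the 300-second TTL and the in-memory nonce store are assumptions for the example; a real deployment would pick the operands at random and keep the consumed-nonce set somewhere shared across worker processes.

```python
"""Stateless server-side captcha gate (added example, not Mailman's own code).

A signed token carries everything the server needs to verify the answer
later, so nothing has to be stored when the challenge is issued. A token
is consumed on its first signature-valid submission, right or wrong, so a
bot cannot keep guessing against one small-range arithmetic question.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed configuration: key from the environment, else a per-process random
# key (tokens then only validate within this process).
SECRET_KEY = os.environ.get("CAPTCHA_SECRET", "").encode() or secrets.token_bytes(32)
TTL_SECONDS = 300

# nonce -> expiry timestamp; single-process demo store (assumption).
_consumed: Dict[str, int] = {}


def _answer_digest(nonce: str, answer: str) -> str:
    """Hash of the normalised answer, bound to the nonce so digests cannot be
    copied between challenges with the same answer."""
    normalised = answer.strip().lower()
    return hashlib.sha256(f"{nonce}:{normalised}".encode()).hexdigest()


def _sign(nonce: str, expiry: int, digest: str, key: bytes = SECRET_KEY) -> str:
    msg = f"{nonce}|{expiry}|{digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_challenge(a: int, b: int, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (question, token). The caller chooses a and b; a real deployment
    would draw them at random (e.g. random.randint(1, 20))."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expiry = int(now) + TTL_SECONDS
    digest = _answer_digest(nonce, str(a + b))
    token = ".".join([nonce, str(expiry), digest, _sign(nonce, expiry, digest)])
    return f"What is {a} + {b}?", token


def verify(token: str, answer: str, now: Optional[float] = None) -> bool:
    """True only for a genuine, unexpired, never-before-submitted token whose
    answer matches. Any signature-valid submission consumes the token."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_s, digest, sig = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    # Signature first, in constant time: a forged or edited token goes no further.
    if not hmac.compare_digest(sig, _sign(nonce, expiry, digest)):
        return False
    if now > expiry:
        return False
    # Drop nonces whose tokens can no longer validate, then refuse reuse.
    for n, exp in list(_consumed.items()):
        if exp < now:
            del _consumed[n]
    if nonce in _consumed:
        return False
    _consumed[nonce] = expiry  # one attempt per token, right or wrong
    return hmac.compare_digest(digest, _answer_digest(nonce, answer))


if __name__ == "__main__":
    question, tok = make_challenge(3, 4)
    print(question)
    print("correct answer accepted:", verify(tok, "7"))
    print("replay accepted:", verify(tok, "7"))
```

The token format is deliberately boring: the answer digest is visible to the client, so the only secret is the HMAC key, and the protection against guessing comes from consuming the token on the first attempt rather than from hiding the digest. That is enough for the stated purpose, keeping crawlers off an expensive page; it is not a defence against anyone willing to solve the question.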