A better Captcha?
November 7, 2006 | Filed Under Geek
We all know ‘captchas’ are bad…
We all know they are a necessary evil…
…but do we know what we actually use them for?
The assumption is we are using them to detect humans and allow them - not true, we are actually using them to try and detect bots and block them.
And this is the captcha’s flaw - because humans are flawed, captchas very often trip people up.
But there is something we seem to have forgotten - the browser. Bots don’t use Firefox, or IE, or Opera etc. They are custom browsing scripts.
…so here’s the good bit.
Rather than trying to detect the human in the system, could we use JavaScript to detect the browser, hunting through the DOM for some browser feature (and it could be a variable one) that bots don’t have, such as the ability to upload an image or install a plugin?
If javascript is available - yes.
If JavaScript is not available, then we could still use an image and alt text - the ‘old fashioned’ way - but a real human user should never need to see the captcha unless they can’t use JavaScript, and then there should be no need to scramble the image.
Users of screenreaders with JavaScript enabled would be allowed in; users of screenreaders with JavaScript disabled would read the alt text of the image and be allowed in.
Bots would be detected as ‘not browsers’ and be blocked.
…well that’s my theory anyway.
6 Responses to “A better Captcha?”
And with one line of code, your bot can identify itself as a screenreader without JavaScript support, or whatever would be most convenient.
Anyone can send whatever HTTP_USER_AGENT string they like to any webserver they like, and webmasters who make decisions based on it are morons - no offense.
Hmmm… so the bot would get a standard captcha test then.
But A ‘Real Human’ Using A ‘Real Browser’, with JavaScript enabled, wouldn’t get the captcha - which is the whole point.
Sorry if I didn’t make that clear.
I think Barry has it right. Anything that a “real browser” has, a bot can emulate, except for the real person sitting in front of it. And some bots have even gotten that real person part right by showing the captchas to some poor slob looking for free porn.
SpamKarma2 puts an encrypted payload in the JavaScript portion. Real browsers with JavaScript turned on return the correct response, but so do *some* (not many yet, but some) bots.
SpamKarma2 takes a multi-pronged approach, and it works pretty damn well. (Except the RBL check, which has in the last couple of days been up and down like the Assyrian Empire.) It only makes you do a captcha check if your karma is low enough to make it look like it might be spam, but not so low as to make it obviously spam.
Sure, but there are edge cases. Emulating a JavaScript parser with just enough ability to pass the DOM test would be the next level, I guess.
In short, we can make it less of a pain in the arse, sure, but we can never really solve the problem.
Making it less of a PITA is a priority in my book.
Cross-purposes, I think.
No, we will never be able to reliably detect whether a visitor is a human or a robot (not that all robots are spammers, or all humans are not - but that’s another story).
But yes, making it less of a pain in the arse for we mere humans is certainly worthwhile.