Re: CAPTCHA image validation in web form

[Joe Pluta <joepluta@xxxxxxxxxxxxxxxxx>]

Walden H. Leverich wrote:
> Um, but if they're on the page then can't the bot "see" them too and
> render your captcha useless? I guess you could do stuff like "What's the
> third word of the fourth paragraph on this page".
>   
I don't want to spend a ton of time on this because it rapidly becomes a 
matter of diminishing returns.  But it seems to me the issue is to make 
it relatively easy for a user, but not easy for a bot.  The latter 
includes making it hard for a bot to send the correct HTML to a human 
being to execute the test sequence.

So, I propose this:

1. Generate all the components that make up the test widget at run 
time.  Use a minimally obfuscated JavaScript routine to build the 
widgets in response to some simple table of values (e.g., don't send 
HTML strings to the page and have the JS build the widgets from those).  
This means the bot must at least run JavaScript - no simple HTTP processing.

2. Use the "honeypot" technique (a bad name, but good concept) to have 
some fields that are auto-poison fields.  Any entry in this fields 
invalidates the input but doesn't tell the "user" - it in fact acts as 
if it processed it correctly.  Use CSS to hide the widgets, set the CSS 
values dynamically in the JS.

3. Put the components of the test widget in different physical places in 
the document but use absolute positioning to get them together on the 
screen.  Make sure the code moves the auto-poison variables.  This makes 
it harder to figure out which fields are part of the test and which are 
not, and thus eliminate the auto-poison variables.

This isn't 100%, but it sure would make it hard to decipher and send to 
an Turnig bank.  You'd have to write a bot that intercepts the entire 
page, executes the JS to draw the page in an HTML canvas, then goes 
through and identifies the invisible values, sending only the visible 
ones to an end user.  Not impossible, of course, but a lot of work.

Joe