Walden H. Leverich wrote:
Um, but if they're on the page then can't the bot "see" them too and
render your captcha useless? I guess you could do stuff like "What's the
third word of the fourth paragraph on this page".

I don't want to spend a ton of time on this because it rapidly becomes a matter of diminishing returns. But it seems to me the issue is to make it relatively easy for a user, but not easy for a bot. The latter includes making it hard for a bot to send the correct HTML to a human being to execute the test sequence.

So, I propose this:

1. Generate all the components that make up the test widget at run time. Use a minimally obfuscated JavaScript routine to build the widgets in response to some simple table of values (e.g., don't send HTML strings to the page and have the JS build the widgets from those). This means the bot must at least run JavaScript - no simple HTTP processing.

2. Use the "honeypot" technique (a bad name, but good concept) to have some fields that are auto-poison fields. Any entry in these fields invalidates the input but doesn't tell the "user" - it in fact acts as if it processed it correctly. Use CSS to hide the widgets, set the CSS values dynamically in the JS.

3. Put the components of the test widget in different physical places in the document but use absolute positioning to get them together on the screen. Make sure the code moves the auto-poison variables. This makes it harder to figure out which fields are part of the test and which are not, and thus eliminate the auto-poison variables.

This isn't 100%, but it sure would make it hard to decipher and send to a Turing bank. You'd have to write a bot that intercepts the entire page, executes the JS to draw the page in an HTML canvas, then goes through and identifies the invisible values, sending only the visible ones to an end user. Not impossible, of course, but a lot of work.

Joe
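
The three steps in the message above, sketched as an added example (not code from the original post or from any project it mentions). The field names, coordinates, reply strings and the helper names makeChallenge, clientTable and checkSubmission are all assumptions made for illustration; the page script that turns the table into positioned inputs is not shown.

```javascript
// Added illustration of steps 1-3; all names and values here are assumptions.
const OK_REPLY = "Thanks, your entry was received.";

function randomName(rand) {
  return "f" + Math.floor(rand() * 0xffffffff).toString(36);
}

// Server side: one real answer field plus poison fields, all with
// per-page random names. Use a CSPRNG for `rand` in production.
function makeChallenge(poisonCount = 3, rand = Math.random) {
  const fields = [{ name: randomName(rand), poison: false }];
  while (fields.length < poisonCount + 1) {
    const name = randomName(rand);
    if (!fields.some((f) => f.name === name)) fields.push({ name, poison: true });
  }
  // Shuffle so document order does not reveal the real field.
  for (let i = fields.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [fields[i], fields[j]] = [fields[j], fields[i]];
  }
  return fields; // keep this server-side (e.g. in the session)
}

// Table of values sent to the page instead of HTML. The page script creates
// one input per row and positions it absolutely; poison rows land off-screen.
function clientTable(fields) {
  return fields.map((f) => ({ n: f.name, x: f.poison ? -9999 : 120, y: 40 }));
}

// Server side: any text in a poison field invalidates the entry, but the
// sender gets the same reply as a successful submission.
function checkSubmission(fields, form, expected) {
  const poisoned = fields.some((f) => f.poison && (form[f.name] || "") !== "");
  if (poisoned) return { accepted: false, reply: OK_REPLY };
  const real = fields.find((f) => !f.poison);
  if (form[real.name] !== expected) return { accepted: false, reply: "Please try again." };
  return { accepted: true, reply: OK_REPLY };
}
```

The table never carries a poison flag, but its coordinates still encode which rows are hidden, which matches the limit the message itself states: a client that renders the page can work out what is visible.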

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].