this reminds me of another alternative to captchas i'd seen, something like kitten captcha or something..
the premise being, you had a 3x3 grid of thumbnails of animals, and you'd have to pick out of them, which were kittens.
less invasive captchas are something that i'd really like to see on sites, but despite the alternatives (of which i'm sure there are many) they never seem to take off..
Kitten captcha is stupid, because you only have to classify kitten images once (manually, mechanical turk), and then it will be broken 100% of the time.
The "kitten CAPTCHA" could then take countermeasures:
1. Apply transforms to the images. This would require spam bots to perform much harder processing.
2. Use a larger pool of images -- after all, this is the Internet, a communication medium used primarily to exchange pictures of kittens.
Of course the spammers would adapt. But CAPTCHAs are not one-shot solutions. A good CAPTCHA works well enough to defeat most bots, and is updated once most bots start defeating it.
The Cat/Dog captcha was broken because dogs are very likely to be photographed on grass while cats are not. An attack that simply calculated the amount of green in the image broke the captcha to a very high accuracy.
maybe i'm missing something here but the biggest issue i see with this is it does not effectively prevent spamming/robots. the libraries which this is based on were not created with distinguishing humans and robots in mind. especially checking the $1 gesture recognizer (https://github.com/josscrowcroft/MotionCAPTCHA/blob/master/j...) i don't see if this could be used in real life (for captchas).
Interesting concept, but I doubt it will take off. The present version would be easily breakable by image-processing and some scripting. They could obfuscate the image, but then you're in the same war-of-attrition you see with text-based captchas today.
Text captchas suck, but they're the only thing that's ever been shown to be robust over the long term.
As far as I can tell from the demo there is no server side validation on this captcha. Everything is handled on the client side. So really all your doing is making an annoyance for your honest target users. And allowing a spam bot to just totally ignore this 'captcha' to submit their POST regardless....
I've seen hundreds of these 'alternative' captchas. 'slide to unlock', 'sort images' ect. None yet have proven to be as effective at stopping a simple curl script.
Real captchas will store the value of the image or verification method on the first fetch in a session, and when the form is finally filled out the server will verify that the session value matches the submitted value. Without this component, the alternative captchas are pointless and just an annoyance to your real users.
Yeah, exactly. It's a proof of concept, with plans to turn it into a production-ready solution that relies on a typical difficult PHP Captcha, which is then replaced with the cooler MotionCAPTCHA on page load, if the user's browser supports.
16 comments
[ 2.7 ms ] story [ 45.6 ms ] threadthe premise being, you had a 3x3 grid of thumbnails of animals, and you'd have to pick out of them, which were kittens.
less invasive captchas are something that i'd really like to see on sites, but despite the alternatives (of which i'm sure there are many) they never seem to take off..
1. Apply transforms to the images. This would require spam bots to perform much harder processing.
2. Use a larger pool of images -- after all, this is the Internet, a communication medium used primarily to exchange pictures of kittens.
Of course the spammers would adapt. But CAPTCHAs are not one-shot solutions. A good CAPTCHA works well enough to defeat most bots, and is updated once most bots start defeating it.
Text captchas suck, but they're the only thing that's ever been shown to be robust over the long term.
Even it it weren't, and shapes were generated and verified on the server side, computers are extremely good at recognizing simple shapes.
EDIT:
Here, to break it on this page
http://www.josscrowcroft.com/demos/motioncaptcha
simply enter this into the URL box:
javascript:$('input').attr({'disabled':false});
I've seen hundreds of these 'alternative' captchas. 'slide to unlock', 'sort images' ect. None yet have proven to be as effective at stopping a simple curl script.
Real captchas will store the value of the image or verification method on the first fetch in a session, and when the form is finally filled out the server will verify that the session value matches the submitted value. Without this component, the alternative captchas are pointless and just an annoyance to your real users.
Spam bots are not built on top of web browsers...