Académique Documents
Professionnel Documents
Culture Documents
test to tell Computers and Humans Apart. codes are easy to understand and rewrite for
This full form well defines the purpose of any human being. One example of
a simple puzzle hurdle, which restricts random words from some dictionary and
various automated programs to sign-up E- then it create 7 puzzles by placing the chosen
mail accounts, cracking passwords, spam words in a particular pattern. Pix is also a
sending, privacy violation etc. This type of CAPTCHA, it uses pictures in order
CAPTCHA actually challenges a particular to create some puzzle. This system uses
automated program, which is trying to access around 6 pictures as a puzzle. All these
some private zone. So, CAPTCHA helps in pictures will have relation with some
preventing access of personal mail accounts common topic and a user will be supposed to
programs.
1
1. indeed human. The purpose of a CAPTCHA
5
Other text CAPTCHAs involves text
distortions and the user is asked to identify
the text hidden. The various implementations
are:
2.TYPES OF WEB CAPTCHAS
6
This is a variation of the Gimpy. This
doesn’t contain dictionary words, but it picks
up random alphabets to create a nonsense but
pronounceable text. Distortions are then
added to this text and the user is challenged
to guess the right word. This technique
overcomes the drawback of Gimpy
CAPTCHA because, Gimpy uses dictionary
words and hence, clever bots could
bedesigned to check the dictionary for the
matching word by brute-force.
Fig 2.1 Gimpy CAPTCH
2.1.2 Ez – Gimpy:
L9D28229
B
Graphic CAPTCHAs are challenges everything on the left is drawn with thick
that involve pictures or objects that have lines and those on the right are in thin lines.
some sort of similarity that the users have to After seeing the two blocks, the user is
guess. They are visual puzzles, similar to presented with a set of four single blocks and
Mensa tests. Computer generates the puzzles is asked to determine to which group the
and grades the answers, but is itself unable to each block belongs to. The user passes the
9
software would struggle with the distortion
being applied, and need to be effective at
speech to text translation in order to be
successful. This is a crude way to filter
humans and it is not so popular because the
user has to understand the language and the
accent in which the sound clip is recorded.
2.6 PIX
captcha 2.4 RECAPTCHA and book
11
would then falsely represent the poll
winner in spotlight. This also results
in decreased faith in these polls.
CAPTCHAs can be used in websites
that have embedded polls to protect
them from being accessed by bots,
and hence bring up the reliability of
the polls.
7. Preventing Dictionary
14
As people find new ways to get 4.1 Things to know:
aroundCAPTCHA, computer scientis
The first step to create a CAPTCHA is to
ts like von Ahn develop CAPTCHAs
look at different ways humans and machines
that address other challenges in the
process information. Machines follow sets of
field of AI. A step backward for
instructions. If something falls outside the
CAPTCHA is still a step forward for
realm of those instructions, the machines
AI – “every defeat is also a victory”.
aren’t able to compensate. A CAPTCHA
designer has to take this into account when
creating a test. For example, it’s easy to
build a program that looks at metadata – the
information on the Web that’s invisible to
humans but machines can read. If you create
a visual CAPTCHA and the images’
metadata includes the solution, your
CAPTCHA will be broken in no time.
18
34: ); 13. Are set of options always has to contain
35: the correct answer, so we'll include that in
36: return $data; the array
37: }
16-23. Next, we will generate the additional
answers, which are all wrong. We'll keep
looping until we have found the number
of unique answers requested by
The relevant lines of the above code are
$num_answers minus 1, since we already
explained below:
included one answer: the correct one.
19
That's it. We can now start using this class. value of captcha_answer. It depends on the
From our script that renders our front-end validation library we use, how to call it, but
pages, we call: we need to make sure that a new CAPTCHA
is generated if the answer was empty or
// generate a new captcha
incorrect. Also, we need to insert validation
$this->load->library('captcha');
messages that inform the user whether his is
$captchadata = $this->captcha-
solution to the CAPTCHA was correct.
>generate_captcha(5);
Most CAPTCHA scripts found freely on the less of a target. Spammers go for mass
Web are vulnerable to these types of attacks. targets, as their success rate is typically
extremely low. Even if we would have a
Security Even After Wide-Spread single animal image with just two answers,
Adoption: There are various and the answers would be in the same order
"CAPTCHAs" that would be insecure if a each time, we would drastically reduce spam
significant number of sites started using submissions.
them. An example of such a puzzle is asking
21
An example of this effect is the
site www.codinghorror.com/blog; it has a
custom CAPTCHA check that simply lets
you enter the word "Orange" to post a
comment. Orange. Each time. Nothing is
random, and there is only one answer. Still,
it has drastically reduced the spam on that
blog, and it's a big blog. Obscurity works.
Not for security, but against spammers.
22
CAPTCHA includes a randomly generated
background behind the word.
23
CAPTCHA arranges the words in pairs and if we're on an insecure shared server, any
the words of each pair overlap one another. user on that server may have access to
Users have to type in three correct words in everyone else's session files, so even if our
order to move forward. How reliable is this site is totally secure, a vulnerability on any
approach? other website hosted on that machine can
lead to a compromise of the session data, and
As it turns out, with the right
hence, the CAPTCHA script. One
CAPTCHA-cracking algorithm, it's not
workaround is by storing only a hash of the
terribly reliable. Greg Mori and Jitendra
CAPTCHA word in the session, thus even if
Malik published a paper detailing their
someone can read the session files, they can't
approach to cracking the Gimpy version of
find out what the CAPTCHA word is.
CAPTCHA. One thing that helped them was
that the Gimpy approach uses actual words
rather than random strings of letters and
5.1 Breaking CAPTCHAs without
numbers. With this in mind, Mori and Malik
OCR:
designed an algorithm that tried to identify
words by examining the beginning and end Most CAPTCHAs don't destroy the
of the string of letters. They also used the session when the correct phrase is entered.
Gimpy's 500-word dictionary. So by reusing the session id of a known
Mori and Malik ran a series of tests CAPTCHA image, it is possible to automate
using their algorithm. They found that their requests to a CAPTCHA-protected page.
26
access to popular sites for reading the Spammers often use social
CAPTCHA. However, it always required a engineering to outwit gullible Web users to
significant level of resources to achieve. The serve their purpose. Security firm, Trend
development of software to automatically Micro warns of a Trojan called
interpret CAPTCHAs brings up a number of TROJ_CAPTCHAR, which masquerades
problems for site operators. The problem, as as a strip tease game. At each stage of the
discovered by Wintercore Labs and game, the user is asked to solve a
published at the start of March is that there CAPTCHA. The result is relayed to a remote
are repeatable patterns evident in the audio server where a malicious user is waiting for
file and by applying a set of complex but them. The strip-tease game is a ploy by
straight forward processes, a library can be spammers to identify and match solutions for
built of the basic signal for each possible ambiguous CAPTCHAs from legitimate
character that can appear in the CAPTCHA. sites, using the unsuspecting user as the
Wintercore point to other audio CAPTCHAs decoder of the said images.
that could be easily reversed using this
technique, including the one for Facebook.
The wider impact of this work might take
5.5 CAPTCHA cracking as a
some time to appear, but it provides an
interesting proof of breaking audio business:
CAPTCHAs. At the least, it shows that both
No CAPTCHA can survive a human
of Google's CAPTCHA tools have now been
that’s receiving financial incentives for
defeated by software and it should only be a
solving it. CAPTCHA are cracked by firms
matter of time until the same can be said for
posing as Data Processing firms. They
Microsoft and Yahoo!'s offerings. Even with
usually charge $2 for 1000 CAPTCHAs
an effectiveness of only 90%, any failed
successfully solved. They advertise their
CAPTCHA can easily be reloaded for a
business as “Using the advertisement in
second try.
blogs, social networks, etc significantly
increases the efficiency of the business.
Many services use pictures called
5.4 Social Engineering used to CAPTCHAs in order to prevent automated
break CAPTCHAs: use of these services. Solve CAPTCHAs
27
with the help of this portal; increase your Are text CAPTCHAs like Gimpy,
business efficiency now!” Such firms help user–friendly? Sometimes the text is
spammers in beating the first line of defence distorted to such an extent, that even humans
for a Website, i.e., CAPTCHAS. have difficulty in understanding it. Some of
the issues are listed in table 6.1
There are many issues with Table 6.1 Usability issues in text based
CAPTCHAs, primarily because they distort CAPTCHAs
text and images in such a way that,
sometimes it gets difficult for even humans
to read. Even the simplest, but effective
CAPTCHA, like a mathematical equation
Distortion becomes a problem when it is
“What is the sum of three and five?” can be
done in a very haphazard way. Some
a pain for cognitively disabled people.
characters like ‘d’ can be confused for ‘cl’ or
‘m’ with ‘rn’. It should also be easily
understandable to those who are unfamiliar
6.1 Usability issues with text based
with the language.
CAPTCHAS:
28
Content is an issue when the string length distortion, confusing characters can also
becomes too long or when the string is not a occur in audio CAPTCHAs. For example,
dictionary word. Care should be taken not to we observed that it is hard to tell apart ‘p’
include offensive words. and ‘b’; ‘g’ and ‘j’, and ‘a’ and ‘8’. Whether
a scheme is friendly to non-native speakers
Presentation should be in such a way as is another usability concern for audio
to not confuse the users. The font and colour
CAPTCHAs.
chosen should be user friendly.
Content: Content materials used in audio
CAPTCHAs are typically language specific.
6.2 Usability of audio CAPTCHAS: Digits and letters read in a language are
often not understandable to people who do
In audio CAPTCHAs, letters are read not speak the language. Therefore, unlike
aloud instead of being displayed in an image. text-based schemes, localisation is a major
Typically, noises are deliberately added to issue that audio CAPTCHAs face.
prevent such audio schemes from being
broken by current speech recognition Presentation: The use of colour is not an
technologies. issue for audio CAPTCHAs, but the
integration with web pages is still a concern.
Distortion: Background noises effectively For example, there is no standard graphical
distort sounds in audio CAPTCHAs. There is symbol for representing an audio CAPTCHA
no rigorous study of what kind of on a web page, although many schemes such
background noises will introduce acceptable as Microsoft and reCAPTCHA use a speaker
sound distortion. However, it is clear that symbol. More importantly, what really
distortion methods and levels, just as in text matters for visually impaired users is that the
based CAPTCHAs, can have a significant html image alternative text attached to any of
impact on the usability of audio the above symbol should clearly indicate the
CAPTCHAs. For example, an early test in need to solve an audio CAPTCHA.
2003 showed that the distorted sound in an
audio CAPTCHA that was deployed at
Microsoft’s Hotmail service was When embedded in web pages, audio
unintelligible to all (four) journalists, with CAPTCHAs can also cause compatibility
good hearing, that were tested. Due to sound
29
issues. For example, many such schemes At that level, it is reasonable to employ
require JavaScript to be enabled. However, many concurrent approaches, including audio
some users might prefer to disable and visual CAPTCHA, to do so.
JavaScript in their browsers. Some other
schemes can be even worse. For example, 7.1 present scenario
we found that one audio scheme requires Conclusion of CAPTCHAs are associated
Adobe Flash support. With this scheme, with its usefulness and deciphering ability
vision-impaired users will not even notice of HUMAN and BOTS. In present scenario
that such a CAPTCHA challenge exist in the of web world millions of website is using
page, unless Flash is installed in their this protocol to minimizes the exploitation
computers - apparently, no text alternative is of resources. CAPTCHA-based Code
attached to the speaker-like Flash object, Voting is easy to use
either. •has a good scalability
31
Classifying images on the web
automatically, J. Electron. Imaging Vol 11,
445.
[8]: http://www.captcha.net/.
[9]:http://www.blogtoplist.com/rss/captcha.html.
[10]:http://www.gnu.org/licenses/gpl.html.
8. REFRENCES
[11]:http://www.white-hat-web-
[1]: von Ahn, L., Blum, M., Hopper, N. and design.co.uk/articles/php-captcha.php.
Langford, J. CAPTCHA: Using Hard AI
Problems for Security. [12]:http://en.wikipedia.org/wiki/Fiber_Channel