Re: RFC: CGI::Application::Plugin::CAPTCHA

* Michael Peters <mpeters@xxxxxxxxxxxxx> [2005-08-26 17:35:04-0400]
> Dan Horne wrote:
> > It would be nice if whatever solution is selected can run under Windows too.
> > Many memory-based caching systems are specific to *nix systems and don't
> > work with MS (particularly the IPC ones). What about supporting the
> > Cache::Cache API, and then  let the developers choose which Cache::* module
> > suits?.
> 
> Ok, before we go down this road, can anyone give me a good reason that
> we need to permanently store these images or even cache them? The
> CAPTCHA phrase should be random enough that we would never use the same
> image twice in a reasonable amount of time right?

After following this thread, I feel I have to jump in here to give
my 0.02EUR. First of all, I think CAPTCHAs are horrible in every way
possible:
* Images are just bad:
    Either the images are completely unreadable (see my blog
    entry[1] on that), or they are "too easy" to crack[2]. 
* False sense of security:
    "Spammers can pay a programmer to aggregate these images and feed
    them one by one to a human operator, who could easily verify
    hundreds of them each hour." [3]
* Punishment for the wrong group of people:
    Visually impaired people (or heck, Links/Lynx users for the
    matter)  really wouldn't like CAPTCHAs for it clearly just bans
    them. Audio files need to be created too (and I think in the US
    there's even a law about this? Correct me if I'm wrong).
    After recently coming back from the Asian continent, I can also
    tell you browsing the web with images turned off (thanks FireFox!)
    is more a necessity than a pleasure. Internet speeds (if even) are 
    extremely slow, CAPTCHA images would be punishing those people too 
    (or anyone with a slow connection).
* Annoying:
    Certainly not the last reason: CAPTCHAs are beyond annoying.
    Just because _you_ seem to have some problems keeping spammers out,
    you force me (the user/client) to do all sorts of tricks for you.

So yeah, I don't really like such systems ;-) I'd rather see
different solutions to stopping spam or whatever reason was behind
your CAPTCHA idea.

But, besides me disliking it, I strongly belief the images have no
need on the server. A single encrypted string in the user's session
(database/file) would be sufficient IMHO. The use only needs to see
the image once, right?

  1. http://menno.b10m.net/nb/archives/2005/04/22/T16_56_47/index.html
  2. http://sam.zoy.org/pwntcha/
  3. http://www.w3.org/TR/turingtest/#security
-- 
B10m
   'Google is Evil'
   -rw-rw-rw-  1 satan demons  0 Jun 06 06:06 google

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/cgiapp@xxxxxxxxxxxxxxxxx/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: cgiapp-unsubscribe@xxxxxxxxxxxxxxxxx
For additional commands, e-mail: cgiapp-help@xxxxxxxxxxxxxxxxx