FILI'S TECH THOUGHTS – All wiyht. Rho sritched mg kegtops awound?

18 Aug 2009

The Anti-Captcha Challenge

Recap: the problem with current Captcha solutions
The general purpose of a Captcha is to prevent the automation of form submission. For example, to protect a guestbook from filling up with spam entries, or to prevent hundreds of bogus users registering on a forum.

Until recently, image-based Captchas have been a reasonable solution to combat this problem. However, with Optical Character Recognition (OCR) techniques getting better and better, Captchas too have to continuously increase in complexity.

Just look at these gems and imagine yourself being color blind:

[image: some unreadable Captchas]

Ironically, it has come to the point that computers are better at deciphering Captchas than humans are, simply because computers have infinite patience.

To illustrate: evildoers trying to beat your Captcha are probably satisfied with a success ratio of 1/100 – because in just a few hours of repetition this can add up to hundreds of successful passes. A typical human user on the other hand probably throws in the towel after three consecutive failed attempts – at which point they'll most likely leave your website altogether.

Who can blame them? The average user doesn't understand why they should enter a random string of letters in the first place. It's not their problem and they do not care what it is for. For them it's some sort of annoying puzzle that stands in the way of doing what they want to do. Not being able to pass it makes them feel inadequate and frustrated.

I argue, let's keep the end user entirely out of it,
I propose we rid ourselves of Captchas as we know them,
I proclaim this the era of Anti-Captchas... Hallelujah!

The Anti-Captcha challenge
The basic idea behind it is simple:

"Create a captcha solution which does not require any end-user interaction"

As a first attempt, I concocted a working Anti-Captcha based on the reasoning that only browsers interpret JavaScript well. This turns the question "Has a human been involved in the form submission?" into "Has a browser been involved?". In practice the two answers usually coincide (see the "Caveats" section below).

How it works
An online demo is available.

In the head of the HTML document an external JavaScript file is included. This file is in fact a PHP script which is designed to:

  1. Generate a random token
  2. Store a checksum of this token in session
  3. Generate some obfuscated javascript code which (when interpreted) adds a hidden input-field to every form element on the webpage using the token as a value

After form submission, the checksum of the posted value must equal the checksum stored in session, and the stored checksum is then cleared so that each token is accepted only once. As a bonus, the technique can also protect against XSRF, but only as long as no other origin can obtain the token: browsers let any page load a script from your domain with the user's cookies attached, so a hostile page that includes anti-captcha-0.1.js.php would get a valid token injected into its own forms. For the XSRF bonus to hold, the script should refuse to issue a token when the request's Referer is not your own site.
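The three steps above as one token-issuing endpoint, written here as an added example rather than the project's own anti-captcha-0.1.js.php (whose source is not reproduced on this page). It assumes PHP 7 or later for random_bytes(), so it gives up the PHP4 compatibility the original targets, uses plain DOM calls instead of jQuery, and leaves out the obfuscation step. The field name anti-captcha-token and the session key anti-captcha-checksum are taken from the verification snippet under Installation. Because a script URL can be included by any origin, it also refuses to hand out a token to pages that did not load it from your own host.

```php
<?php
// Added example, not the project's anti-captcha-0.1.js.php.
// Assumes PHP 7+ (random_bytes). Field name and session key follow the
// verification snippet under "Installation".
session_start();

// Any origin can include this file with <script src>, and the browser will
// send the user's cookies along. Only issue a token when the referring page
// lives on our own host; otherwise a hostile page could have a valid token
// injected into its own forms. Referer can be stripped by proxies or privacy
// settings, so this is a best-effort check, not a complete XSRF defence.
$ownHost = isset($_SERVER['HTTP_HOST'])
    ? strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']))
    : '';
$refHost = isset($_SERVER['HTTP_REFERER'])
    ? strtolower((string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))
    : '';
if ($ownHost === '' || $refHost !== $ownHost) {
    header('HTTP/1.1 403 Forbidden');
    exit('// anti-captcha: token refused');
}

// 1. Generate a random token: 16 random bytes, hex-encoded (128 bits).
$token = bin2hex(random_bytes(16));

// 2. Store only the checksum of the token in the session, never the token.
$_SESSION['anti-captcha-checksum'] = sha1($token);

// 3. Emit JavaScript that adds a hidden input to every form once the DOM is
//    ready (the script is loaded from <head>, before the forms exist).
//    json_encode() makes the token safe to embed inside the script source.
header('Content-Type: application/javascript; charset=utf-8');
header('Cache-Control: no-store');   // a cached copy would carry a stale token
$tokenJs = json_encode($token);
echo <<<JS
document.addEventListener('DOMContentLoaded', function () {
    var forms = document.getElementsByTagName('form');
    for (var i = 0; i < forms.length; i++) {
        var field = document.createElement('input');
        field.type = 'hidden';
        field.name = 'anti-captcha-token';
        field.value = {$tokenJs};
        forms[i].appendChild(field);
    }
});
JS;
```

Serve this file at the URL named in your script tag and keep the verification snippet from the Installation section on the receiving side: compare the SHA-1 digests with a strict comparison and unset the stored checksum immediately, so that each token is accepted exactly once.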

Installation

  1. Download Anti-Captcha and (if needed) the latest version of the jQuery javascript library
  2. Put both scripts in the head of your HTML document (in the proper order). Use type="text/javascript": Internet Explorer before version 9 ignores scripts typed application/javascript, which defeats the IE6 support mentioned below:
    <head>
    <script type="text/javascript" src="jquery-1.3.2.min.js"></script>
    <script type="text/javascript" src="anti-captcha-0.1.js.php"></script>
    </head>
    
  3. After form submission, match the posted token with the SHA-1 checksum stored in session. Compare with === rather than ==: PHP's loose comparison treats hex digests of the form "0e123..." as the number zero, so two such digests would compare equal:
    <?php
    // Start the session (before any output)
    session_start();

    // Verify the token using the checksum stored in session.
    // Both values must exist, the posted value must be a string
    // (not an array smuggled in as anti-captcha-token[]), and the
    // comparison must be strict.
    if (isset($_POST['anti-captcha-token'], $_SESSION['anti-captcha-checksum'])
        && is_string($_POST['anti-captcha-token'])
        && sha1($_POST['anti-captcha-token']) === $_SESSION['anti-captcha-checksum']) {

        // Immediately reset so the token is single-use, then continue form validation
        unset($_SESSION['anti-captcha-checksum']);
        die('Captcha accepted');

    } else {

        // No valid Anti-Captcha token received
        die('Error, please enable javascript');

    }
    

A WordPress plugin of the Anti-Captcha is also available.

Requirements
The Anti-Captcha script is written to be PHP4 compatible and should run on most hosting platforms. Because it uses the jQuery JavaScript library, compatibility with all major browsers can be expected (including the dreaded IE6). Note: the user does need to have JavaScript enabled for form submission to succeed.

Caveats
Obviously this technique isn't perfect. Bots can gain the ability to interpret JavaScript (a headless browser gives them exactly that), or simply unpack the obfuscated code and read the token out of it; the obfuscation raises the cost of a targeted attack rather than ruling it out. Once spammers bother to do so, a different approach with a similar concept would be needed.

It should also be possible to fool the Anti-Captcha with automated mouse-clicking software driving a real browser. However, this is hard to combine with botnets, which makes additional security layers (for example, capping the number of form submissions per IP address) more feasible.

Another major drawback is the need for JavaScript to allow form submissions, which is something you should ponder over yourself. Personally I feel it outweighs the disadvantages image-based Captchas bring in, but this probably depends on the project at hand.

Credits
Part of the obfuscation technique used is based upon Dean Edwards' JavaScript Packer, which was ported to PHP by Nicolas Martin and made compatible with PHP4 by Mark Fabrizio Jr.

License
The Anti-Captcha is licensed under LGPL 2.1
