Re: CAPTCHA image validation in web form

Walden H. Leverich wrote:

Um, but if they're on the page then can't the bot "see" them too and
render your captcha useless? I guess you could do stuff like "What's the
third word of the fourth paragraph on this page".

I don't want to spend a ton of time on this because it rapidly becomes a matter of diminishing returns. But it seems to me the issue is to make it relatively easy for a user, but not easy for a bot. The latter includes making it hard for a bot to send the correct HTML to a human being to execute the test sequence.

So, I propose this:

1. Generate all the components that make up the test widget at run time. Use a minimally obfuscated JavaScript routine to build the widgets in response to some simple table of values (e.g., don't send HTML strings to the page and have the JS build the widgets from those). This means the bot must at least run JavaScript - no simple HTTP processing.

2. Use the "honeypot" technique (a bad name, but good concept) to have some fields that are auto-poison fields. Any entry in this fields invalidates the input but doesn't tell the "user" - it in fact acts as if it processed it correctly. Use CSS to hide the widgets, set the CSS values dynamically in the JS.

3. Put the components of the test widget in different physical places in the document but use absolute positioning to get them together on the screen. Make sure the code moves the auto-poison variables. This makes it harder to figure out which fields are part of the test and which are not, and thus eliminate the auto-poison variables.

This isn't 100%, but it sure would make it hard to decipher and send to an Turnig bank. You'd have to write a bot that intercepts the entire page, executes the JS to draw the page in an HTML canvas, then goes through and identifies the invisible values, sending only the visible ones to an end user. Not impossible, of course, but a lot of work.

Joe