Walden H. Leverich wrote:
> Um, but if they're on the page then can't the bot "see" them too and
> render your captcha useless? I guess you could do stuff like "What's the
> third word of the fourth paragraph on this page".

I don't want to spend a ton of time on this because it rapidly becomes a
matter of diminishing returns. But it seems to me the issue is to make
it relatively easy for a user, but not easy for a bot. The latter
includes making it hard for a bot to send the correct HTML to a human
being to execute the test sequence.
So, I propose this:
1. Generate all the components that make up the test widget at run
time. Use a minimally obfuscated JavaScript routine to build the
widgets in response to some simple table of values (e.g., don't send
HTML strings to the page and have the JS build the widgets from those).
This means the bot must at least run JavaScript - no simple HTTP
processing.
2. Use the "honeypot" technique (a bad name, but good concept) to have
some fields that are auto-poison fields. Any entry in these fields
invalidates the input but doesn't tell the "user" - it in fact acts as
if it processed it correctly. Use CSS to hide the widgets, set the CSS
values dynamically in the JS.
3. Put the components of the test widget in different physical places in
the document but use absolute positioning to get them together on the
screen. Make sure the code moves the auto-poison variables. This makes
it harder to figure out which fields are part of the test and which are
not, and thus to eliminate the auto-poison variables.
This isn't 100%, but it sure would make it hard to decipher and send to
a Turing bank. You'd have to write a bot that intercepts the entire
page, executes the JS to draw the page in an HTML canvas, then goes
through and identifies the invisible values, sending only the visible
ones to an end user. Not impossible, of course, but a lot of work.
Joe
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].