Sunday, April 26, 2009

Google's What's Up CAPTCHA

Earlier this week there was a little chatter about a new CAPTCHA proposed by some of Google's research team. The actual paper - What's Up CAPTCHA? A CAPTCHA Based On Image Orientation - is well worth a read, and it's an interesting slant on the theme of helping deflect automated attacks against Web applications.

One criticism I've had in the past of many of the CAPTCHAs in use today is that, in order to thwart the bad guys and their improved attack tools, the CAPTCHA has evolved to an almost unusable state for the "average" user - i.e. my grandma wouldn't be able to answer it even if she wore her glasses.

I think this proposal from the Google researchers addresses that concern, as it seems to be much more usable than the heavily obfuscated and random arrangements of letters and numbers we see on most sites. That said, I suspect that it's not going to be particularly successful against the bad guys - but, then again, the current generation of deployed CAPTCHAs doesn't solve that problem either (and I don't think they ever will).

CAPTCHAs as a defensive technology have proved to be redundant in the face of organized criminal attacks. You can find more analysis of how the bad guys have moved beyond this technology in my previous blog posts - Evolving Beyond CAPTCHA - and - CAPTCHA's and Mechanical Turks.

Personally, I'd like to see these image-based CAPTCHAs used rather than the current generation of letters/numbers ones - not so much because of their defensive value, but rather for ease of use by average Internet users. Reducing the complexity of these security hurdles is always going to be beneficial.

1 comment:

  1. Well, any CAPTCHA is breakable. Nowadays, with Amazon's TURK and other labor force networks easily reachable to spammers and such, CAPTCHA is completely futile.

    The only REAL CAPTCHA is direct verification through phone, or requesting ID.