Abstract
A CAPTCHA is a special kind of AI-hard test used to prevent bots from logging into computer systems. We define an AI-hard test to be a problem that, as a matter of general consensus of the AI community, is intractable for a computer to solve. On the Internet, CAPTCHAs are typically used to prevent bots from signing up for illegitimate e-mail accounts or to prevent ticket scalping on e-commerce web sites. We have found that a popular, distributed architecture for implementing CAPTCHAs on the Internet has a flawed protocol. Consequently, the CAPTCHA does not provide the security it ought to and is ineffective at keeping bots out. This paper discusses the flaw in the distributed architecture's protocol. We propose an improved protocol that keeps the current architecture intact. We implemented a bot that is 100% effective at breaking CAPTCHAs that use this flawed protocol. Furthermore, our implementation of the improved protocol proves that it is not vulnerable to attack. We use two popular web sites, tickets.com and youtube.com, to demonstrate our point.
Please use the following format when citing this chapter: Caine, A. and Hengartner, U., 2007, in IFIP International Federation for Information Processing, Volume 238, Trust Management, eds. Etalle, S., Marsh, S., (Boston: Springer), pp. 367–382.
Copyright information
© 2007 International Federation for Information Processing
About this paper
Cite this paper
Caine, A., Hengartner, U. (2007). The AI Hardness of CAPTCHAs does not imply Robust Network Security. In: Etalle, S., Marsh, S. (eds) Trust Management. IFIPTM 2007. IFIP International Federation for Information Processing, vol 238. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-73655-6_24
DOI: https://doi.org/10.1007/978-0-387-73655-6_24
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-73654-9
Online ISBN: 978-0-387-73655-6
eBook Packages: Computer Science (R0)