That's a rather short-term solution. It's not terribly difficult to
automate processing of Javascript on web pages; I know someone who
does it for printing and other purposes.

reCAPTCHA uses a public/private key system, right? If that's the
case, it shouldn't be *possible* for even someone performing a
man-in-the-middle attack to simulate a successful challenge.

The question then becomes, *how* are they able to trick the MediaWiki
reCAPTCHA extension into thinking there was a successful challenge?
>
> Yes, we would all like all users to be able to access our sites but in
> my case (photo and art galleries) users need to have JS enabled to
> access all of the site's features. In the case of the biggest
> example - I can use Google w/o js in my browser, but Google Maps would
> be out of my reach...
Rosettacode.org primarily has textual content. There's nothing about
the site that makes it unsuitable for the visually impaired.
>
> My server logs clearly show that "suspicious traffic" (i.e. directly
> linking to a reg. page) from "suspicious net blocks" never loads any
> of the page's js. When I have looked into reports of "reCAPTCHA
> hacked" the sites mostly seemed to have a reCAPTCHA like yours, with a
> <noscript> reCAPTCHA.
>
> It seems that there are now services advertising for captcha solving
> by humans at pennies per unit. If by using virtual machines and/or
> low-cost computers with no extra features the spammers might have a
> workable business model. Increasing the degree of difficulty on the
> captcha is not practical, but increasing the degree of user/browser
> interaction required should increase the cost of computing resources
> needed for many humans to solve many captchas. Maybe if the webmaster
> can increase this degree of computing difficulty his/her site will
> then become a less desirable target.
The biggest attack I've seen up to this point was where high-demand,
low-reputation sites such as porn and warez ask the user to "prove
they are human" and solve a CAPTCHA from someone else's site. But
that was a front-page article on Slashdot years ago...
>
> All of this is based only upon a few months of observation and
> learning.
>
> I wish you luck!
--
:wq
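
The observation quoted above, that suspicious traffic hitting the registration page never loads any of the page's JS, can be checked against an access log. The following is an added example, not part of the original thread: the Common Log Format input, the paths `/register` and `/static/site.js`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2010:10:00:01 +0000] "GET /register HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2010:10:00:03 +0000] "POST /register HTTP/1.1" 302 0
203.0.113.20 - - [10/Mar/2010:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 20480
203.0.113.20 - - [10/Mar/2010:10:01:11 +0000] "GET /static/site.js?v=3 HTTP/1.1" 200 9000
203.0.113.20 - - [10/Mar/2010:10:01:40 +0000] "GET /register HTTP/1.1" 200 5120
203.0.113.20 - - [10/Mar/2010:10:02:05 +0000] "POST /register HTTP/1.1" 302 0
192.0.2.55 - - [10/Mar/2010:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 20480
this line is truncated or malformed
"""

# client IP, request method, request URL, response status
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def flag_no_js_registrations(log_text, reg_path="/register", js_suffix=".js"):
    """Return {ip: registration_hits} for clients that requested the
    registration page but never fetched any script in the same log."""
    loaded_js = set()
    reg_hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, _method, url, status = m.groups()
        path = url.split("?", 1)[0]  # ignore cache-busting query strings
        if path.endswith(js_suffix) and status in ("200", "304"):
            loaded_js.add(ip)  # 304 still proves the client asked for the script
        elif path == reg_path:
            reg_hits[ip] += 1
    return {ip: n for ip, n in sorted(reg_hits.items()) if ip not in loaded_js}


if __name__ == "__main__":
    for ip, hits in flag_no_js_registrations(SAMPLE_LOG).items():
        print(f"{ip}: {hits} registration request(s), no script fetched")
```

A flagged address is a signal for review, not a verdict: a browser with scripting disabled, or one serving the script entirely from cache, produces the same pattern in the log.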