Captcha Public/Private Key Security Scheme - flawed?


htmld

Oct 7, 2008, 9:59:29 AM
to reCAPTCHA
Hi,

I've been trying to evaluate various CAPTCHA services and I took some
time to try and understand the supposed benefits of reCAPTCHA's
encryption scheme.

My understanding is that you submit your private key to the
verification servers to identify yourself and somehow stop others from
hosting reCAPTCHA on their websites and submitting answers to yours.

It appears as though the POST is done without SSL, and even if it
were, why would you need to send your private key? Some sort of
digital signature might make sense, but sending your private key in
plain text seems useless.

I also don't see how this can possibly stop the above-mentioned attack
since the attacker can simply submit the results he gets directly to
your form, and even if you used SSL to contact the verification server
with a signed query, it would still work because it would be like any
other user filling out your form.

In short, I don't see how this scheme can work at all.

Thanks.

reCAPTCHA Support

Oct 7, 2008, 10:50:43 AM
to reca...@googlegroups.com
Hi,

The security of reCAPTCHA does not rely on the private key staying private. We mostly do this to discourage the sharing of accounts. Please note that we use the referrer to prevent people from hosting your key on their site.

- Ben
--
reCAPTCHA: stop spam, read books
http://recaptcha.net

htmld

Oct 7, 2008, 11:31:58 AM
to reCAPTCHA
I meant to reply to the post, not the author, but what I basically
said was:

Calling this a security feature is probably a bad idea then. Users may
get the impression this is in fact somehow more secure than other
CAPTCHA implementations. The referrer can be forged, and this still
wouldn't stop someone from hosting your key on their site. Not only
that, but the attacker can still just load your form, download the
image, crack it with an algorithm or post it on their website and then
submit the solution to your form, not the reCAPTCHA servers, in which
case, the referrer wouldn't even have to be forged.

Any attacker sophisticated enough to use these methods to try and
circumvent your CAPTCHA will probably not find these other measures
very challenging to overcome.
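Added example, not part of the thread and not reCAPTCHA's API: a sketch of the signed verification request the first post suggests, where the site proves knowledge of its key with an HMAC instead of sending the key itself. The field names, the HMAC-SHA256 construction and the freshness window are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def _message(site_id, challenge, response, timestamp):
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [site_id, challenge, response, str(timestamp)]
    return b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)


def sign_request(site_id, secret, challenge, response, timestamp):
    """Site side: build a verification request that never contains the secret."""
    tag = hmac.new(secret, _message(site_id, challenge, response, timestamp),
                   hashlib.sha256).hexdigest()
    return {"site_id": site_id, "challenge": challenge, "response": response,
            "timestamp": timestamp, "tag": tag}


class Verifier:
    """Service side (hypothetical): holds per-site secrets, tracks used challenges."""

    def __init__(self, secrets):
        self.secrets = secrets   # site_id -> shared secret bytes
        self.seen = set()        # (site_id, challenge) pairs already verified

    def check(self, req, now):
        secret = self.secrets.get(req["site_id"])
        if secret is None:
            return "unknown-site"
        expected = hmac.new(secret, _message(req["site_id"], req["challenge"],
                                             req["response"], req["timestamp"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison of the authentication tag.
        if not hmac.compare_digest(expected, req["tag"]):
            return "bad-signature"
        if abs(now - req["timestamp"]) > MAX_SKEW:
            return "stale"
        key = (req["site_id"], req["challenge"])
        if key in self.seen:
            return "replayed"
        self.seen.add(key)
        # Only the request's origin is established here; scoring the
        # CAPTCHA answer itself is outside this sketch.
        return "authentic"
```

As the thread points out, this only keeps the key off the wire: a solution obtained elsewhere and submitted through the site's own form still reaches the verifier as a validly signed request.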