defense against human captcha-solving farms


Nick Wharton

May 31, 2016, 10:10:47 AM
to reCAPTCHA
hi..

Probably a naive question, but can reCAPTCHA defend against the bots which farm captcha-solving to farms of human workers via services like "Death by Captcha" or 2Captcha? I'm hoping that HTML 5 iFrame sandbox features might help to ensure a human is entering the captcha solution into the actual browser used to connect to my site.

I'm not that sophisticated.. this fairly old approach is analyzing the source received by the bot. Can it be prevented?

thanks!

Nick Wharton

May 31, 2016, 11:08:29 AM
to reCAPTCHA
Perhaps it's necessary to incorporate client-side checks to ensure the reCAPTCHA is being processed in a secure browser environment as opposed to a script.. just musing.

Seth Munroe

Jun 4, 2016, 12:51:33 PM
to reCAPTCHA
As an implementer of reCAPTCHA, you don't have to do anything to try to check the humanity of the user other than implement according to the guides. It's Google's job to modify their reCAPTCHA APIs as needed to prevent ways to defeat it.

That's actually the beauty of the version 2 API. It allows Google to make changes as needed on both the client side and the server side without breaking the code of the people who implement reCAPTCHA on their sites.

As long as you are calling the validate appropriately and checking for success:true, then you can trust that every reasonable precaution to avoid allowing bots in has been taken.

-Seth
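
The server-side check mentioned in the reply above ("calling the validate appropriately and checking for success:true"), as an added example that is not part of the original thread or Google's own code. It goes slightly further than the thread by also checking the `hostname` and `challenge_ts` fields of the reCAPTCHA v2 siteverify response; the function names, the `example.com` hostname, the two-minute `max_age` policy and the sample data are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample data (not captured traffic) for offline checks.
SAMPLE_NOW = datetime(2016, 6, 4, 12, 52, 0, tzinfo=timezone.utc)
SAMPLE_OK = {"success": True, "challenge_ts": "2016-06-04T12:51:33Z",
             "hostname": "example.com"}


def evaluate(result, expected_hostname, now, max_age=timedelta(minutes=2)):
    """Return (accepted, reason) for a parsed siteverify JSON response."""
    # Fail closed: only the JSON boolean true counts, not "true" or 1.
    if result.get("success") is not True:
        codes = result.get("error-codes") or ["no success"]
        return False, "rejected: " + ",".join(codes)
    # The challenge must have been solved on a page of our own site.
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    # max_age is an assumed local policy, not a value from the thread.
    try:
        ts = result["challenge_ts"].replace("Z", "+00:00")
        age = now - datetime.fromisoformat(ts)
    except (KeyError, AttributeError, ValueError, TypeError):
        return False, "bad challenge_ts"
    if age > max_age:
        return False, "stale token"
    return True, "ok"


def verify_token(secret, token, expected_hostname, remote_ip=None):
    """POST the token to siteverify and evaluate the reply (needs network)."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=5) as resp:
        result = json.load(resp)
    return evaluate(result, expected_hostname, datetime.now(timezone.utc))


if __name__ == "__main__":
    print(evaluate(SAMPLE_OK, "example.com", SAMPLE_NOW))
```

These checks confirm only what the response reports (validity, site and age of the solve); how the challenge itself judges the solver stays on Google's side, as the thread says.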

Nick Wharton

Jun 7, 2016, 5:05:52 PM
to reCAPTCHA
Thanks for your reply, Seth. If you know specifically what measures have been taken, a link would be appreciated. I'm just not that trusting when it comes to security :).

Seth Munroe

Jun 8, 2016, 10:02:12 AM
to reCAPTCHA
I doubt you'd find any documentation on the measures they take. As soon as something like that is published it becomes a roadmap for defeating it.

-Seth

Nick Wharton

Jun 8, 2016, 11:39:36 AM
to reCAPTCHA
thanks Seth - Trust In Google is ok for me on this project :). Perhaps businesses with more of a stake pay for a higher support level to gauge their level of risk.