Something Seems Very Odd

[Arnie]

Can someone tell me if this reCAPTCHA site is for real? I have my
suspicions that something is rotten in the state of Denmark.

[Ryan Andreasen]

Arnie,

I have implemented reCAPTCHA in asp and asp.net with no problems.  I've never done PHP, but I haven't had any problems with the ASP stuff.

[reCAPTCHA Support]

Hi,

reCAPTCHA is used on a large number of sites including Facebook, Craigslist, and TicketMaster. We're definitely "for real".

On Mon, Oct 27, 2008 at 5:01 PM, Arnie <ar...@simcona.com> wrote:

Can someone tell me if this reCAPTCHA site is for real?  I have my
suspicions that something is rotten in the state of Denmark.

--
reCAPTCHA: stop spam, read books
http://recaptcha.net

[recaptcher]

This captcha may be for real and may be used everywhere but I am
really disappointed. I make mistakes on porpuse on one or both words
displayed and always receive "TRUE".
This also happens in the demo captcha on reCaptcha site.

Does it works that way? Do words displayed not need to be exactly
typed to be given a response of "true"?

If so I think the level of security is very, very low.

Any clarification would be appreciated.

[Paul Herring]

http://wiki.recaptcha.net/index.php/FAQ#reCAPTCHA_is_accepting_incorrect_words

--
PJH

http://shabbleland.myminicity.com/ind

[recaptcher]

I see... but I'd rather prefer that typed words matched exactly with
images. I still think the level of security is not very high that way.
Disappointed.



On 28 oct, 14:50, "Paul Herring" <pauljherr...@gmail.com> wrote:

> On Tue, Oct 28, 2008 at 5:44 PM, recaptcher <gala...@adinet.com.uy> wrote:
>
> > This captcha may be for real and may be used everywhere but I am
> > really disappointed. I make mistakes on porpuse on one or both words
> > displayed and always receive "TRUE".
> > This also happens in the demo captcha on reCaptcha site.
>
> > Does it works that way? Do words displayed not need to be exactly
> > typed to be given a response of "true"?
>
> > If so I think the level of security is very, very low.
>
> > Any clarification would be appreciated.
>

> http://wiki.recaptcha.net/index.php/FAQ#reCAPTCHA_is_accepting_incorr...
>
> --
> PJH
>
> http://shabbleland.myminicity.com/ind

[Paul Herring]

On Tue, Oct 28, 2008 at 6:06 PM, recaptcher <gal...@adinet.com.uy> wrote:
> On 28 oct, 14:50, "Paul Herring" <pauljherr...@gmail.com> wrote:
>

>> http://wiki.recaptcha.net/index.php/FAQ#reCAPTCHA_is_accepting_incorrect_words

>
> I see... but I'd rather prefer that typed words matched exactly with
> images. I still think the level of security is not very high that way.
> Disappointed.

If you'd prefer more perceived 'security' over annoying your users
more, then you could always use a different package that is probably
easier for 'bots to decipher.

There are sufficient 'big names' using this package that don't seem to
have a problem with the 'security.'

Exactly how many visitors (and spam) are you getting such that you're
getting false positives using recaptcha anyway? (And by false
positives I mean 'bot spam that has 'successfully' solved the captcha
and posted spam, not you testing to see how wrong you can get one
before it stops accepting it.)

--
PJH

http://shabbleland.myminicity.com/ind

[recaptcher]

I am planning to use reCaptcha on a new site so I can't say if it is
broken easily but I am a developer that know how easily captchas are
broken.

I have no interest in annoying my visitors but I expect many
"annoying" visitors. That's why I want a great level of security.

I understand the logic behind and may be useful for those involved
with reCaptcha project but for final users (like me and many others)
the "perceived" security is not good. Also, not for being "perceived"
is less important. reCaptcha may be the best method on the planet but
if final users don't "perceive" reCaptcha is good, they (we) won't use
it . After all, without final users, reCaptcha project is nothing.

The claim of reCaptcha higher level of security is a fact to be
confirmed. Or perhaps you know scientific works that prove reCaptcha
is more secure than other implementations? If so, please I'll
appreciate the URLs of such works to read them.




On 28 oct, 15:14, "Paul Herring" <pauljherr...@gmail.com> wrote:

> On Tue, Oct 28, 2008 at 6:06 PM, recaptcher <gala...@adinet.com.uy> wrote:
> > On 28 oct, 14:50, "Paul Herring" <pauljherr...@gmail.com> wrote:
>

> >>http://wiki.recaptcha.net/index.php/FAQ#reCAPTCHA_is_accepting_incorr...

[Paul Herring]

On Tue, Oct 28, 2008 at 6:50 PM, recaptcher <gal...@adinet.com.uy> wrote:
[...]

> The claim of reCaptcha higher level of security is a fact to be
> confirmed. Or perhaps you know scientific works that prove reCaptcha
> is more secure than other implementations? If so, please I'll
> appreciate the URLs of such works to read them.

I know of none; I'm just a user of it.

Ben - do you have anything?

--
PJH

http://shabbleland.myminicity.com/ind

[reCAPTCHA Support]

You can't prove a negative -- there's no way to prove "CAPTCHA X is unbreakable" or "CAPTCHA X is harder than Y" (without breaking Y). However, I can say that the vast majority of CAPTCHAs out there are much weaker than reCAPTCHA based on the fact that the others can be trivially broken.

reCAPTCHA is more secure in the sense that we take responsibility for upgrading the CAPTCHA as needed. No other CAPTCHA does this.

- Ben

[recaptcher]

On 28 oct, 16:14, "Paul Herring" <pauljherr...@gmail.com> wrote:
> On Tue, Oct 28, 2008 at 6:50 PM, recaptcher <gala...@adinet.com.uy> wrote:
>
> [...]

>
> Ben - do you have anything?
>

Of course not. Otherwise, since I am implementing reCaptcha, I would
be recognizing it is the best.

But this is not to hard to find out. If I receive the number of bots I
expect probably I'll implement another similar system in addition to
reCaptcha to compare with it and find out which is the best (at least)
for me.

Thank you for responding.

[Paul Herring]

On Tue, Oct 28, 2008 at 7:30 PM, recaptcher <gal...@adinet.com.uy> wrote:
> On 28 oct, 16:14, "Paul Herring" <pauljherr...@gmail.com> wrote:
>> On Tue, Oct 28, 2008 at 6:50 PM, recaptcher <gala...@adinet.com.uy> wrote:
>>
>> [...]
>>
>> Ben - do you have anything?
>
> Of course not.

You weren't the Ben (if indeed that is your name) I was asking ;)

(The one I /was/ asking answered just before you did.)

--
PJH

http://shabbleland.myminicity.com/ind

[recaptcher]

> You can't prove a negative -- there's no way to prove "CAPTCHA X is
> unbreakable"

Who wants to prove a negative? If you read carefully, I never said I
want an unbreakable system. I am only looking for a secure one.

> "CAPTCHA X is harder than Y" (without breaking Y).

Just compare the two. It's easy.

> reCAPTCHA is more secure in the sense that we take responsibility for
> upgrading the CAPTCHA as needed. No other CAPTCHA does this.

That sounds good!

On 28 oct, 16:28, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:
> You can't prove a negative -- there's no way to prove "CAPTCHA X is
> unbreakable" or "CAPTCHA X is harder than Y" (without breaking Y). However,
> I can say that the vast majority of CAPTCHAs out there are much weaker than
> reCAPTCHA based on the fact that the others can be trivially broken.
>
> reCAPTCHA is more secure in the sense that we take responsibility for
> upgrading the CAPTCHA as needed. No other CAPTCHA does this.
>
> - Ben
>

> On Tue, Oct 28, 2008 at 3:14 PM, Paul Herring <pauljherr...@gmail.com>wrote:

[Charles Sweeney]

recaptcher wrote:


> I am planning to use reCaptcha on a new site so I can't say if it is
> broken easily but I am a developer that know how easily captchas are
> broken.
>
> I have no interest in annoying my visitors but I expect many
> "annoying" visitors. That's why I want a great level of security.
>
> I understand the logic behind and may be useful for those involved
> with reCaptcha project but for final users (like me and many others)
> the "perceived" security is not good. Also, not for being "perceived"
> is less important. reCaptcha may be the best method on the planet but
> if final users don't "perceive" reCaptcha is good, they (we) won't use
> it . After all, without final users, reCaptcha project is nothing.
>
> The claim of reCaptcha higher level of security is a fact to be
> confirmed. Or perhaps you know scientific works that prove reCaptcha
> is more secure than other implementations? If so, please I'll
> appreciate the URLs of such works to read them.

I think anyone who has taken even a little time to look into
reCAPTCHA, will know it is as secure (if not more so) than any other
captcha. The fact you don't need to enter both words correctly, comes
up here many times (in the short time I have been reading this
group). and equally, the reason why this does not compromise security
also comes up regularly.

As you say, it's about perception. Perhaps it could be made clearer
that both words are not required to be entered correctly? Then
"recaptcher" and others in his/her position will not perceive it as
broken.

--
Charles Sweeney
http://FormToEmail.com
PHP mail script with reCAPTCHA

[Paul Herring]

On Wed, Oct 29, 2008 at 12:13 AM, Charles Sweeney <con...@identipic.com> wrote:
[...]

> As you say, it's about perception. Perhaps it could be made clearer
> that both words are not required to be entered correctly?

If people are missing the connection between the purpose of
recaptcha's difference from other recaptcha and the fact that one of
he words cannot be known beforehand so it cannot be compared for
correctness...

Yes, maybe it should be made explicit somewhere more visible other
than the FAQ entry I cited earlier..

Then again, as shown, even when pointed out it'd make no difference.

--
PJH

http://shabbleland.myminicity.com/ind