Fighting spam: Captchas – really necessary?
Why all this?
You may have asked yourself this question after captchas started to appear on an ever-increasing number of sites. Spam has admittedly become a persistent problem, and as long as there is a sufficient supply of people who click on the links it contains or take up its offers, this problem isn't really going to change. The only way of curtailing spam at least a little is to block the ways it propagates, but that normally has the exact opposite effect: instead of giving up in frustration, the spammers go to great lengths to bypass any security measures and so remain able to distribute their junk.
In the end the same is true of captchas: as long as they were rarely
used, it wasn't worth equipping spam bots with a captcha analyzer. But
after an increasing number of web sites that provide forums, guest books, etc.
integrated captchas, the spammers followed suit and equipped their spam
bots with the corresponding means – particularly because a captcha won't prevent a
spammer from distributing his junk manually where necessary.
There are furthermore some other problems linked to captchas that don't really
make their use any easier. Plus they prove to be superfluous and nonsensical, as
has already been illustrated elsewhere; however, at the same time options are
offered to make spamming moot for the spammers.
I for my part am going to further delve into each aspect of the various
captchas and highlight the associated problems linked to them.
Unreadable!
Honestly: How often have you become upset that you had to decode a sequence of
characters that could hardly or not at all be deciphered or had to interpret
hard-to-recognize images?
Unfortunately the captchas presented are becoming harder and harder to recognize,
so that sooner or later one has to guess what is being displayed.
Admittedly one can request a new captcha in this case, but what if no usable
image shows up after the sixth or seventh request? With each request the
visitor's ire of course increases, until he eventually gives up in annoyance and
normally won't return that quickly. A visitor to a web site wants to be able to
use it as easily as possible instead of having to solve riddles. This alone is
an argument against using captchas.
Not barrier-free!
What is already becoming a problem for people without amblyopia is an
impossible thing for people with bad sight or even the blind. After all, those
affected can rarely decipher the captcha, if at all. The providers of some
captchas may take this into account by letting whatever is displayed be
played back as sound, but there are other obstacles that cause this method to
fail, e. g. the knowledge of other
languages. When the computer doesn't provide any means of voice output
either, the blind or anyone with too severe amblyopia cannot work with the
affected form without the aid of other people.
Exactly for this reason the W3C argues against the use of captchas for
preventing spam – not to mention that it runs contrary to laws in various
countries that are in effect to do away with the discrimination of
handicapped people.
In order to stay barrier-free you are bound to come up with something else for
thwarting spam without making life for your amblyopic visitors any harder.
The graphic captchas may have been supplemented by purely textual captchas that can be rendered without problems, e. g. by a Braille display or text-to-speech synthesis, but other problems may still arise here, e. g. for people suffering from dyslexia or comprehension disabilities; the text therefore must not be too convoluted.
Hard to integrate!
There is another catch: depending on the document or MIME type used, you cannot integrate the captcha even if you wanted to. Unfortunately many captchas rely on the browser providing certain features for incorporating the captcha into a page, usually the iframe as well as the JavaScript method document.write(). This approach is therefore not viable when either of the two components isn't available. Some variants of (X)HTML don't provide the iframe, and since there is no other way of incorporating a captcha, this is tantamount to a losing battle. The other limitation comes into effect whenever a document is served as MIME type application/xhtml+xml, because in that instance the method document.write() is unavailable. In the end this prevents a captcha from being integrated into such pages at all, but fortunately there are other means that can be implemented much more easily.
Insecure!
The implementation of various captchas has unfortunately proven not to be secure, so cracking them and subsequently distributing spam despite active security measures has been a rather easy feat. The most common weaknesses that can appear in captchas, usually several of them at once, are these:
- Fixed font
- Limited number of characters available
- No or insufficient distortion of the characters
- No or too little color variance or too weak color gradient of the writing
- No or too little color variance or too weak color gradient of the background
- No or too ineffective interference
- Different planes for writing and background
- Too regular ordering of the characters
Sites like PWNtcha, Breaking Gimpy, and aiCaptcha demonstrate how easily some
captchas may be cracked. On top of that, social engineering is used to bypass
captchas. This is possible since an identifier must be provided in the
(X)HTML source when the captcha is generated, because the service being used
must be able to recognize who has requested the captcha. Otherwise it wouldn't
be possible to verify the solution being entered.
Exactly this identifier is filched by spammers in order to request captchas
themselves, which grant access to a protected area when they are successfully
solved.
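An added example (not from the original article or from any captcha service): one way a site can keep an identifier lifted from the page source from being reused, by holding each challenge on the server, bound to the session that requested it, valid only once and only briefly. The names issue_challenge, verify, purge_expired and TTL_SECONDS, and the 120-second lifetime, are assumptions made for illustration.

```python
import hmac
import secrets
import time

TTL_SECONDS = 120  # assumed lifetime of one challenge
_pending = {}      # challenge id -> (session id, expected answer, expiry time)


def issue_challenge(session_id, answer, now=None):
    """Store the expected answer server-side; only the random id goes into the page."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (session_id, answer, now + TTL_SECONDS)
    return challenge_id


def verify(session_id, challenge_id, submitted, now=None):
    """Return 'ok' or the reason the submission is rejected."""
    now = time.time() if now is None else now
    entry = _pending.get(challenge_id)
    if entry is None:
        return "unknown-or-reused"
    owner, answer, expires = entry
    # An id copied out of another visitor's page source is useless elsewhere.
    if not hmac.compare_digest(owner.encode(), session_id.encode()):
        return "wrong-session"
    # Single use: the id is burned on the owner's first attempt, right or wrong.
    del _pending[challenge_id]
    if now > expires:
        return "expired"
    given = submitted.strip().lower().encode()
    if not hmac.compare_digest(answer.lower().encode(), given):
        return "wrong-answer"
    return "ok"


def purge_expired(now=None):
    """Drop challenges that were never answered; returns how many were removed."""
    now = time.time() if now is None else now
    stale = [cid for cid, (_, _, exp) in _pending.items() if now > exp]
    for cid in stale:
        del _pending[cid]
    return len(stale)
```

These checks narrow how far one solved challenge can be reused; a solution that a human supplies within the lifetime and that is submitted in the requesting session still passes, which is the weakness described above.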
Conclusion
No matter how you look at it: the advantages offered by captchas are outweighed
by their disadvantages by several orders of magnitude. It is therefore very
difficult to impossible for amblyopics to access any affected sites as far as
graphical captchas are concerned, which in turn means that this isn't
barrier-free. However, it's not just amblyopics of all kinds that have problems
here, some captchas are so badly distorted that even non-amblyopics have their
hands full with discerning what is being displayed. Normally a link is provided
for requesting a new captcha, but in extreme cases one would have to wait for a
long time until a usable image shows up. A frustrated user is well-nigh
guaranteed.
These disadvantages are normally somewhat mitigated by purely textual captchas,
because they may be passed as cleartext and can therefore be displayed by a
Braille display or processed by text-to-speech synthesis, but the question arises
again when and to what extent spammers follow suit and equip their spam bots with
modules that allow them to crack this type of captcha.
A significant drawback is the actual security aspect, because some captchas can
be seen through much too easily and don't really pose an obstacle for a bot.
Instead the normal use by ordinary humans is made significantly more difficult
to some extent, which is mostly owing to images that can barely be deciphered
any more. Alternate captchas that display some symbols or objects are
especially problematic, because amblyopics cannot recognize anything at all and
so the door is nailed shut for them.
The technologies for recognizing patterns in graphics are furthermore becoming
increasingly sophisticated so that it is merely a question of time until
captchas are completely annulled.
From this aspect the use of captchas is questionable at best. Furthermore
there are measures that are more effective for giving spam bots a hard life so
they should definitely be preferred. On top of that your web site stays
barrier-free and easy-to-use so that it doesn't provoke any additional
resentment in this aspect.