Negative CAPTCHA

April 4, 2008

In January of last year, Ned Batchelder flushed out an idea of Damien Katz’ and Jan Lenhardt’s– negative CAPTCHA. CAPTCHA® – as you know – stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and it’s purpose is to lock out automated systems, particularly bots designed to abuse HTML forms for submitting comment spam to blogs, internet fora, and other sites that would prefer only flesh and blood wingnuts be allowed to spam them.

Negaive CAPTCHA is precisely that, rather than giving the humanoids the chance to prove their “intelligence,”  it tricks bots into demonstrating their stupidity. At it’s core it involves putting an item or two in your forms as honeypots designed to be left blank. Normally, these would be hidden from users using CSS or JavaScript.

There are two problems you might see with that. First, you may block out those using text-based browsers, either for accessibility or because they’re just weird. A serious corollary of this is that you will significantly degrade the level of discussion at your site by excluding the most intelligent of humanoids, the vanguard who browse the web under cover of NoScript.

The second problem is that one can imagine that were this method used by even moderately popular sites, it probably wouldn’t hold up for long. Recognizing that something is hidden using CSS is trivial, I’m sure there are techniques for dealing with JavaScript as well.

The way around the first set of problems is to take the human path: label the form “only fill this out if you are a stupid bot.” Those who fill it out deserve to be blocked because they probably wrote some snide comment in it. Or they’re a bot.

Ned’s piece proposes dealing with the latter problem with a certain amount of server side randomization, and backing it up – as we do CAPTCHA – with content analysis. And trained monkey moderators.

Of course nothing is impenetrable for the bad guys or infallible in serving the good guys, but it seems to me that, all things being equal, this is more accessible and less obtrusive for human users. At least until the bots and their lobbyists push through Section 508 Subpart (R) mandating equal access for the blood-flow and organic process impaired.

(Revivified and brought to my attention by Heiko Webers’ RoR Security Project.)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: