Captcha

A captcha (an acronym for "completely automated public Turing test to tell computers and humans apart") is a type of challenge-response test used in computing to determine whether or not the user is human. The term was coined in 2000 by Luis von Ahn, Manuel Blum, and Nicholas J. Hopper of Carnegie Mellon University, and John Langford of IBM. A common type of captcha requires that the user type the letters of a distorted and/or obscured sequence of letters or digits that appears on the screen. Because the test is administered by a computer, in contrast to the standard Turing test that is administered by a human, a captcha is sometimes described as a reverse Turing test.

This captcha of "smwm" obscures its message from computer interpretation by twisting the letters and adding a background color gradient

Applications

Captchas are used to prevent bots from using various types of computing services. Applications include preventing bots from taking part in online polls, registering for free email accounts (which may then be used to send spam), and, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender successfully pass a captcha test before the email message is delivered.

Characteristics

Captchas are typically fully automated, requiring little human maintenance or intervention in administering the test. This has obvious benefits in cost and reliability.

The algorithm used to create the captcha is often made public, though it may be covered by a patent. This is done to demonstrate that breaking it requires the solution of a hard problem in the field of artificial intelligence (AI) rather than just the discovery of the (secret) algorithm, which could be obtained through reverse engineering or other means.

Accessibility

Captchas based on reading text — or other visual-perception tasks — prevent visually impaired users from accessing the protected resource. However, captchas do not have to be visual. Any hard artificial intelligence problem, such as speech recognition, can be used as the basis of a captcha. Some implementations of captchas permit users to opt for an audio captcha. The development of audio captchas appears to have lagged behind that of visual captchas, however, and presently may not be as effective.

For non-sighted users (for example blind users), visual captchas present serious problems. Because captchas are designed to be unreadable by machines, common assistive technology tools such as screen readers cannot interpret them. Since captchas are often used in initial registration processes (for example eBay and Yahoo!, and some other sites), this challenge can completely block access. In certain jurisdictions site owners could become target of litigation if using Captchas that discriminate against certain people with disabilities.

Even for perfectly sighted individuals, new generations of captchas, designed to overcome sophisticated recognition software, can be very hard or impossible to read. Even some of the demo captchas at the software sites listed below are indecipherable to many if not all humans.

The W3C paper Inaccessibility of Visually-Oriented Anti-Robot Tests (http://www.w3.org/TR/turingtest/) outlined some of the accessibility problems with captchas.

Circumvention

Some free e-mail providers have used captchas in account registration, to deter spammers from obtaining large numbers of accounts automatically. Spammers have found a way to circumvent this restriction: simply present the captcha to a human user under false pretenses, and use the human's response to obtain the e-mail account.

To do this, the spammer must control a Web site to which human users wish to gain access — for instance, a pornography site. When a user goes to the spammer's porn site, the server starts a new account registration at the free e-mail provider. It downloads the provider's captcha and presents it to the user as a captcha for access to the porn site. The user, not knowing that the captcha is recycled, provides the correct response — and the spammer's software can then complete the e-mail account registration.

Mori et al. published a paper in IEEE CVPR'03 detailing a method for defeating one of the most popular Captchas (http://www.cs.berkeley.edu/~mori/gimpy/mori_gimpy.pdf), EZ-Gimpy, which was tested as being 92% accurate. The same method was also shown to defeat the more complex and less-widely deployed Gimpy program with an accuracy of 33%. However, the existence of implementations of their algorithm "in the wild" is indeterminate at this time.

Automated attacks on captchas are also growing more sophisticated. Projects like PWNtcha (http://sam.zoy.org/pwntcha/) have made significant progress in defeating commonly used captchas, which has contributed towards a general migration towards more sophisticated captchas.

There is also a way to circumvent the CAPTCHA protection without using OCR or free porn sites; simply by re-using the session ID of a known CAPTCHA image. See the article on puremango.co.uk for detailed information about this type of attack (http://www.puremango.co.uk/cm_breaking_captcha_115.php)

External links

• The Captcha Project (http://www.captcha.net)
• Inaccessibility of Visually-Oriented Anti-Robot Tests: Problems and Alternatives (http://www.w3.org/TR/turingtest/), a W3C recommendation.

Captcha implementations

Java

• The JCaptcha Project (http://jcaptcha.sourceforge.net), an open-source Java framework for Captcha definition and integration.
• The reCaptcha Project (http://www.crt.realtors.org/projects/reCaptcha/), a Java implementation. No link with JCaptcha.
• Proposal and source code for an audio based captcha (http://www.standards-schmandards.com/index.php?2005/01/01/11-captcha) written in Java.

PHP

• Image Verification Tutorial (http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=739&lngWId=8), a PHP + GD implementation on Planet Source Code
• Image Verification (http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=762&lngWId=8), a PHP + GD implementation.
• Auditor (http://php.webmaster-kit.com), yet another PHP + GD implementation.
• tacs (http://higginsforpresident.net/projects/tacs/), and yet another PHP + GD implementation.
• freeCap (http://www.puremango.co.uk/cm_freecap_113.php), and one more PHP + GD implementation, with hammering protection.
• PEAR's Text_CAPTCHA (http://pear.php.net/package/Text_CAPTCHA), a PHP implementation.
• tEABAG_3D CAPTCHA (http://www.ocr-research.org.ua), by OCR Research Team. 3D captchas using PHP4 + GD.
• GOTCHA! (http://phpbtree.com/captcha/index.php), yet another captcha using PHP4 + GD.

Perl

• Authen::Captcha (http://search.cpan.org/search?dist=Authen-Captcha), a Perl implementation.
• GD::SecurityImage (http://search.cpan.org/dist/GD-SecurityImage/), another Perl implementation (GD + Image::Magick).

.NET

• CAPTCHA Image (http://www.codeproject.com/aspnet/CaptchaImage.asp), a .NET implementation with explanation and source code (for use with ASP.NET)

Captcha services

• captchas.net, Free Captcha Service (image and audio)

Defeating Captchas

• Breaking CAPTCHAs without using OCR (http://www.puremango.co.uk/cm_breaking_captcha_115.php)
• How spammers crack captchas using free porn. (http://www.boingboing.net/2004/01/27/solving_and_creating.html)
• Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA (http://ieeexplore.ieee.org/iel5/8603/27265/01211347.pdf) (IEEE publication of the paper by Mori et al.; requires paid subscription)
• OCR Research Team defeats weak CAPTCHAs. (http://www.ocr-research.org.ua)
• Using AI to beat CAPTCHA and post comment spam (http://www.brains-N-brawn.com/aiCAPTCHA/)de:Captcha

es:Captcha fr:Captcha nl:Captcha sv:Captcha