[nycphp-talk] capricious submission of forms
csnyder
chsnyder at gmail.com
Mon Feb 12 18:50:50 EST 2007

On 2/12/07, Chris Shiflett <shiflett at php.net> wrote:
> There's also the "porn attack" that has been used for years:
>
> 1. Request the form with the CAPTCHA you want to solve.
>
> 2. On a high-traffic page, promise free porn (representative of anything
> desired, although porn was the actual first use case) in exchange for
> the solution to the CAPTCHA from Step 1.
>
> 3. Submit the form from Step 1, along with the CAPTCHA solution obtained
> in Step 2.

I hadn't considered this before, but if you think about the problem in
terms of volume-per-hour, the captcha approach becomes preferable
again. The answer to a good captcha can't be scripted, so there's a
built-in rate limit. Even if you hire humans to decipher them, the
answer has to be manually typed.

Captchas are vulnerable to the porn-in-the-middle attack, but you
would have to have some really hot porn in order to post large volumes
of spam across millions of sites. Interesting...

--
Chris Snyder
http://chxo.com/