The site can detect probing attempts, and if that happens switch into a mode where the captcha results are obfuscated. The normal mode of operation is to give the user a clear error message if they failed the captcha, and have the post go through if they passed the captcha. If the number of failures is higher than e.g. 10 in the last hour, successful captchas cause the comment to be put in a hold queue for an hour. Failed captchas cause the comment to be rejected. The attacker can't know if they passed the captcha until an hour has passed, which slows down their iteration a lot. You can then slow it down further with some randomization, while keeping the experience of real users the same. Successful captchas go to the hold queue. Failed captchas are rejected 99% of the time. The remaining 1% of the time they go to the hold queue, but are auto-deleted after a random delay of 2h-12h. So you accept a small amount of temporarily visible spam as the price of obfuscating the signals.

A trained human is likely capable of doing it exactly like Puppeteer does, minus the fact that the pointer may move instantly in the case of a machine doing it. One wrong assumption covered, two more to go. The second assumption made here is that (as pointed out) fuzzing is a thing. The third one is that you can't be sure of the input device. A joystick like the one seen on ThinkPads is uncommon but still used as an input device. Touchscreens are common but human-ish, though you will have to cover them too. The extreme case is that some X-savvy person may just move the pointer sometimes using X's built-in capabilities, by dmenu and stuff, and even if that's highly unlikely, it still will fail.
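The obfuscation policy from the first comment, as an added example that is not code from the thread: a gate that counts captcha failures in a sliding one-hour window and, once probing is suspected, answers with hold/reject/decoy decisions instead of honest feedback. The class, field and function names are assumptions; the thresholds (10 failures per hour, one-hour hold, 99%/1% split, 2h-12h decoy lifetime) are the commenter's.

```python
import random
from collections import deque
from dataclasses import dataclass
from typing import Optional

HOUR = 3600.0
PROBE_THRESHOLD = 10      # more failures than this in the last hour => probing suspected
HOLD_SECONDS = HOUR       # held comments become visible after this delay
FAIL_REJECT_RATE = 0.99   # obfuscated mode: failed captchas are silently rejected this often
DECOY_DELETE_RANGE = (2 * HOUR, 12 * HOUR)  # the rest are shown, then auto-deleted

@dataclass(frozen=True)
class Decision:
    action: str                         # "publish", "reject", "hold" or "decoy"
    visible_error: bool                 # is the submitter told the captcha failed?
    release_at: Optional[float] = None  # when a held/decoy comment becomes visible
    delete_at: Optional[float] = None   # when a decoy comment is removed again

class CaptchaGate:
    """Hypothetical gate, one instance per protected form (names are assumptions)."""
    def __init__(self, seed=None):
        self._failures = deque()          # timestamps of recent captcha failures
        self._rng = random.Random(seed)   # seedable so the policy can be tested

    def _recent_failures(self, now):
        # Slide the one-hour window forward and count what is left inside it.
        while self._failures and self._failures[0] <= now - HOUR:
            self._failures.popleft()
        return len(self._failures)

    def probing_suspected(self, now):
        return self._recent_failures(now) > PROBE_THRESHOLD

    def decide(self, passed, now):
        if not passed:
            self._failures.append(now)
        if not self.probing_suspected(now):
            # Normal mode: honest feedback, immediate publication on success.
            if passed:
                return Decision("publish", visible_error=False)
            return Decision("reject", visible_error=True)
        # Obfuscated mode: the submitter learns nothing for at least an hour.
        if passed:
            return Decision("hold", False, release_at=now + HOLD_SECONDS)
        if self._rng.random() < FAIL_REJECT_RATE:
            return Decision("reject", False)
        # The remaining 1% look like accepted posts, then vanish 2h-12h later.
        delay = self._rng.uniform(*DECOY_DELETE_RANGE)
        return Decision("decoy", False, release_at=now + HOLD_SECONDS, delete_at=now + delay)
```

Real users on a quiet form still get immediate feedback; only after the failure burst does every outcome collapse into "nothing visible for an hour".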