On 8/27/2020 12:41 PM, Phil Stracchino wrote:
> On 2020-08-27 13:15, Rich Kulawiec wrote:
>> 3. Captchas are a worst practice in security and should never be used.
>> They can be and are defeated at will by any adversary who wants to
>> trouble themselves to do so.  They're also user-hostile.  There are much
>> better methods available for protecting Mailman instances from abusers.
>
> I've said for some time that traditional captchas are by now almost a
> REVERSE test.  Ability to solve them should be taken as stronger
> evidence that you are a bot than that you are a human, because bots are
> better at solving them than humans are.
>
> Image-style captchas like reCaptcha are better, but they too have a
> shocking oversight:  They do not scale well on increasingly-ubiquitous
> high-resolution displays.  I'm currently using a 32" 4K monitor, and
> even after zooming the page as far as I can, I still sometimes have to
> resort to a magnifying glass to be certain whether I'm seeing a
> specified object somewhere in the background of one of the images.

Yay, topic drift.

IME the simple stupid server-side captchas are easy enough to solve and will deter 100% of the random bang bots & bad search engines. And the reason to use them is the page you're protecting can put non-trivial load on the server when triggered. It has nothing to do with security, nor bots actively trying to solve the captcha.

But reCaptchas aren't any better at defeating bots. I'm certain you'll find at least one cite on that in RISKS and/or DefCon archives. And not only as you say, half the images are invisible to the naked eye: I have Privacy Badger and an adblock in my browser, I'm sure you can guess how nicely those javacrap recaptchas play with that.

Dima
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org