Tuesday, 28 December 2010

A few words about NuCaptcha

After my recent posting about the Cforms Captcha Bypass Vulnerability, the folks over at NuCaptcha asked me to take a look at their offering. I took a poke around the free version of the product/service that they offer.

A Slightly Different Approach:
Lots of people are trying to come up with new and innovative approaches to the Captcha concept as OCR bots continually demolish a lot of the products out there. On top of that, there are pay services now, where humans will sit and crunch captchas for you all day long. This leaves us with the question of how to change the game enough to keep moving forward. I've seen a lot of different ideas about this, and NuCaptcha's is far from the most innovative. That being said, it works well enough for now. Their Captchas are animated, and show text that is part of the captcha alongside text that isn't. You are asked to enter only the text that appears in red.

This is definitely a step in the right direction. That being said, the red text always appears at the end of the string. I would think it might be a little more effective to randomly colourise characters within the string, not clumping them together, and not putting them at a predictable location. Also, since they are colour coded, I can certainly envision an OCR bot capable of distinguishing colours. This is compensated for a bit by all the animation in the background, especially in the ones with full advertisements in the background. This provides a lot of 'noise' to help confuse any OCR bots. However, I don't think the NuCaptcha system is going to be impervious to OCR techniques, not by a long shot.

Ways I might suggest to improve this technique:

  1. Use random characters out of the larger text string to colour code
  2. Colourise all characters in the string in different colours, and randomly select the 'correct' colour on each request (one request wants the blue letters, the next the yellow ones, etc.), adding entropy to both the letters and the colours
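
One way the two suggestions above could fit together on the server side, as an added example that is not NuCaptcha's code or code from the original post. The palette, alphabet, function names and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets

# Assumed palette and alphabet; not NuCaptcha's actual values.
COLOURS = ["red", "blue", "yellow", "green"]
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # no I or O, to avoid confusion with 1 and 0
_rng = secrets.SystemRandom()  # OS CSPRNG, so positions and colours are not guessable
_pending = {}  # challenge id -> expected answer; stands in for a server-side session store


def new_challenge(length=8, answer_len=3):
    """Colour every glyph and pick the 'correct' colour at random for this request."""
    target = _rng.choice(COLOURS)
    decoys = [c for c in COLOURS if c != target]
    # Suggestion 1: answer positions are scattered, not clumped at the end.
    answer_pos = set(_rng.sample(range(length), answer_len))
    glyphs = []
    for i in range(length):
        # Suggestion 2: non-answer glyphs get decoy colours, never the target one.
        colour = target if i in answer_pos else _rng.choice(decoys)
        glyphs.append((_rng.choice(ALPHABET), colour))
    answer = "".join(ch for ch, colour in glyphs if colour == target)
    cid = secrets.token_urlsafe(16)
    _pending[cid] = answer  # the answer itself never leaves the server
    # This dict is for the server-side renderer; the client only gets the image and the id.
    return {"id": cid, "target": target, "glyphs": glyphs}


def verify(cid, response):
    """Single use: the stored answer is removed on the first attempt, right or wrong."""
    expected = _pending.pop(cid, None)
    if expected is None:
        return False
    given = response.strip().upper().encode()
    return hmac.compare_digest(expected.encode(), given)
```
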
What about the paid OCR crackers? Well, NuCaptcha claims they address this by increasing the amount of time it takes a person to recognise and complete each captcha by a few seconds. Whether this is true or not, I doubt that it will make much of a serious impact. That being said, if anyone has any better ideas out there, I'd love to hear them.

Where their technique really shines through is more in usability than security. I have gotten to the point where the mere sight of a captcha irritates me. They are often so illegible that an actual human has a hard time filling the stupid things out correctly on the first try. I do not feel any of that frustration with their system. Also, the idea to blend advertising space into their solution is a pretty savvy business move in my opinion.

The Pseudo-Technical:

So I took some preliminary dives through their offerings. They offer PHP, Java, and .NET APIs. I subjected the .NET and Java APIs to some static analysis tools and let them run. I then ran some quick PHP examples and their WordPress plugin through a web application scanner and let it fly. I snatched some of their SWF components and ran them through a decompiler app, and didn't find much of interest there. Finally, I poked and prodded from within Burp Suite looking for anything unusual.

The long and short of it is that I found nothing of real interest there. I have not gone, and probably will not go, digging line by line through their source code. For one thing, it looks like a bunch of the real work is offloaded back to their environment, to some internal webapps on their side. For another, nothing in my cursory examinations turned up anything the least bit indicative of a problem. Maybe someone more determined will come along and find something I missed.

So is NuCaptcha the "most secure" captcha solution out there? Beats me. I don't honestly know how to make such a comparison in the marketplace. What I do know is that it works, it is end-user friendly, and it does not have any glaring defects. Perhaps not as glowing a recommendation as they were hoping for, but anything more definitive is just asking for me to be proven wrong. Cheers!

UPDATE: Christopher Bailey from NuCaptcha wanted me to point out that the red letters option is only one form the security Captcha can take. They have different variants, as can be seen here. The actual captcha text is still always at a predictable location within the string though, so my suggestion about randomly selecting characters within the string still stands. Thanks to the folks from NuCaptcha for inviting me to take a peek though. I certainly appreciate their openness if nothing else.
