I like his message -- especially the end whre he says "While we do still have
a11y issues, I think we're getting closer to fixing them. When we do fix them,
all sites using reCAPTCHA will benefit",
From: Ben Maurer
Subject: Re: CAPTCHA examples for Mozillazine?
> So here are a few of the things I've gotten out of both working
> on reCAPTCHA and from the discussion on this list:
> - Writing a CAPTCHA is hard. There are lots of UI elements that
> folks miss -- for example, having a reload button when a CAPTCHA
> isn't readable, getting the UI interaction right for a11y
> - Designing a secure CAPTCHA is even harder. Very few CAPTCHA
> implementations actually stand up to attacks. Common CAPTCHAs
> (such as the phpBB one) get broken. It's also a bit tricky to
> design the CAPTCHA so that replay attacks don't work.
> - Secure audio captchas take quite a bit of effort. You need to
> gather a large number of voice samples to get it to be secure.
> These samples can not be shared, otherwise it will greatly aid
> an attacker. Similarly, synthized audio is not sufficient for CAPTCHAs.
> - It's very easy to write a CAPTCHA that allows you to DoS the
> server. I've seen CAPTCHA scripts that allow a remote DoS with
> 10-20 req/s.
> - Browsers suck at playing audio. When they do play it correctly,
> visually impaired users can't control the audio (pause, volume,
> I think that a CAPTCHA service, such as reCAPTCHA is the best
> way for sites that don't have the resources to engineer a
> CAPTCHA. While creating open source captchas is a potential
> solution, I think that's gone badly, in general. One of the
> advantages of reCAPTCHA is that we're able to analyize user
> behavior on a large set of solutions. We can also make security
> updates (in how we generate images) very quickly.
> While we do still have a11y issues, I think we're getting closer
> to fixing them. When we do fix them, all sites using reCAPTCHA
> will benefit
dev-accessibility mailing list
[hidden email] https://lists.mozilla.org/listinfo/dev-accessibility