SVGCaptcha



  • SVGCaptcha is a small library that creates captcha in SVG instead of PNG, GIF or JPG.

    Instead of adding libraries on the server and loading the server with image creation, you place this burden on the client's browser.

    SVG is becoming the de facto image standard for web and all modern browsers support it.

    What a great idea! A captcha inclusive for both people and bots!


  • sockdevs

    Isn't browser support for SVG still a bit patchy? Or have they all caught up now?


  • sockdevs

    @RaceProUK said:

    Isn't browser support for SVG still a bit patchy?

    yes, but it's much better than it used to be.

    @shadowmod posts SVGs after all ;-)



  • I opened the image url directly and here's what I got:

    The letters are selectable and ctrl+fable, so I took a look at it in the inspect editor:

    I guess it might defeat bots that ignore the pixel coordinates of each letter?
    but mostly humans who have their screen brightness so high they can't see yellow on white


  • sockdevs

    @accalia said:

    @shadowmod posts SVGs after all

    I… really should pay more attention to things :blush:

    @hungrier said:

    The letters are selectable

    Which means, as your code snippet shows, the text can be lifted directly by a bot


  • sockdevs

    @hungrier said:

    The letters are selectable



  • I guess it works by detecting clients that enter the captcha correctly and dismissing them as bots.

    (FWIW- I guess doing SVG captchas wouldn't be too stupid if you instead rendered each letter as a set of slightly abused splines.)



  • @cvi said:

    (FWIW- I guess doing SVG captchas wouldn't be too stupid if you instead rendered each letter as a set of slightly abused splines.)

    So bots only get the almost solved OCR instead of the entire solution?


  • Notification Spam Recipient

    I'm hoping this is a joke... it's just too good.

    But I've seen way too many people who don't know what captchas do, and just think it's some kind of ritual to make online forms work.

    And there's also a boatload of websites out there using captchas trivially crackable with modern OCR.



  • I would have imagined that rendering the damn splines and then doing OCR on the pixel data would be easier than matching randomly abused splines against whatever (regularized) descriptor you're using for OCR. (Not an expert on OCR, though.)



  • @RaceProUK said:

    Which means, as your code snippet shows, the text can be lifted directly by a bot

    The source-order of the letters is not the on-screen order, which is assembled by shifting coordinates using transformation matrices. The on-screen order is what you actually have to enter; not the source order. So a bot cannot lift the text directly. It at least has to discern how the characters were shuffled.
    (Of course, with humanly readable translate() transformations like this, that's still easy to the point of being trivial, so this is still a complete failure.)



  • @anonymous234 said:

    captchas trivially crackable with modern OCR

    Yeah. Basically anything that uses straight-up reproducing of characters is a failure as a Captcha. If you want to keep out bots you'll really need to start using stuff that requires human visual understanding and cognition. Rebus puzzles are an option, maybe.



  • I've seen some captchas that give you some fairly easy-to-read (and OCR, naturally) text paired with instructions that can vary. So sometimes you get a straight-forward

    Enter this phrase:
    Hammer Time

    But there's also things like
    Enter the opposite:
    down


  • Notification Spam Recipient

    Like reCaptcha's latest crap:

    And as AI gets more advanced, captchas will get more and more complex.

    Ironically, reCaptcha is helping AI research, meaning the bots that break it will probably be using data collected by it:



  • Let me present you with Terhikki.

    After some disturbing cases of people practicing medicine without a license reached public attention in Finland, Valvira decided to invest in a public Web service for looking up a doctor's license status by name or SV number (an 11-digit, unique id issued to all licensed doctors of medicine)

    The service requires you to start with entering a captcha. Apparently, this was a post-release hackjob addition conjured in order to prevent people from querying the service incrementally by SV numbers and building a complete database of licensed medical personnel.

    If you look at the source code, you can see it picks a random number between 1 and 999 and loads /Captcha/Cnum.jpg. All in all, there are a total of 999 pre-generated captcha images, for example here's number 446:

    https://julkiterhikki.valvira.fi/Captcha/C446.jpg

    Loading all captcha images and decoding them should be trivial, even if you had to do it by hand.

    This service has been in operation since 2010.



  • Yeah, that's pretty dumb. Then again, these bots are pretty smart so maybe they'll be baffled by its stupidity and give it a pass out of kindness?



  • @anonymous234 said:

    reCaptcha's latest crap

    They had this advanced and perfectly unobtrusive "I am not a robot" feature and replaced it with this shit? Also, what is that thing in the middle-left?



  • @hungrier said:

    I've seen some captchas that give you some fairly easy-to-read (and OCR, naturally) text paired with instructions that can vary. So sometimes you get a straight-forward

    Enter this phrase:
    Hammer Time

    But there's also things like
    Enter the opposite:
    down

    I think that's SolveMedia. They also run marketing captchas ("enter 'Walmart is awesome'").

    I think it's stupid to have a limited list of catchphrases that you can easily reverse engineer and make your bot that much easier to teach. But oh well.


  • sockdevs

    @Maciejasjmj said:

    They had this advanced and perfectly unobtrusive "I am not a robot" feature and replaced it with this shit?

    as i understand it that "shit" is one of the tests that pops up when recaptcha has not yet gathered enough entropy to determine bot/vs non-bot.

    i would expect it to become more frequent to trigger as bots get better at bypassing it.



  • That shows up if you fail the "I'm not a robot" check.



  • Yeah, the entire point of CAPTCHA is to not have humans required to verify each individual test. That's what the first two letters mean. reCAPTCHA is pretty much the only direction you can go from there - using people to solve problems that computers can't and then using those solutions to make more.



  • I promised myself to not get involved with this topic.

    At this point in time I have two things to say:

    1. Levenshtein
    2. What can be done can be undone, and vice versa

    I may or may not rant on about this topic at some future time, but for now:

    The point of captcha is to "prove" you are human. There is enough controversy about the efficacy of this as it is (See here for some details) - most of which is about accessibility. At the moment it works, I have seen a tendency to use real photos and I'm not sure that is a good idea, as OCR is getting better.

    But to get the Client (where the BOT is operating) to do it is really asking for trouble. Sometimes people are so stupid! Do they not read science fiction? One of the raison d'être of science fiction is to warn us about this sort of stupidity.



  • So I can defeat this Captcha by sorting letter tags by x-position and then concatenating the tag contents in sorted order? Sweet.


  • Discourse touched me in a no-no place

    @Ragnax said:

    The source-order of the letters is not the on-screen order, which is assembled by shifting coordinates using transformation matrices. The on-screen order is what you actually have to enter; not the source order. So a bot cannot lift the text directly. It at least has to discern how the characters were shuffled.

    That might also defeat cut-n-paste, as I think that normally operates on the in-source order of the characters. Failing that, adding some extra letters in there that can't be seen (e.g., because they're the same colour as the background) will provide a bit more armouring. Still dumb as hell.

    OTOH, we must remember that this is a battle of wits between largely unarmed parties. The best I've seen though was putting an extra hidden field in the form called leave_blank. Bots like to put values in all fields. :smiley:


  • sockdevs

    As well as a time gate if you try to submit a form too quickly.



  • @dkf said:

    The best I've seen though was putting an extra hidden field in the form called leave_blank. Bots like to put values in all fields.

    Name it something like website or email and you're even more likely to have bots blindly fill it in.



  • @anonymous234 said:

    Like reCaptcha's latest crap

    Those things are too culturally-biased. “Select all images with sandwiches” — to get past it I had to remember that in (some? many? all?) English-speaking countries, a hamburger is considered a sandwich.


  • Grade A Premium Asshole

    @Gurth said:

    to get past it I had to remember that in (some? many? all?) English-speaking countries, a hamburger is considered a sandwich.

    Why the hell wouldn't a hamburger be considered a sandwich??



  • @dkf said:

    The best I've seen though was putting an extra hidden field in the form called leave_blank

    Worst name possible for a field like that.



  • Because many languages have a native name for one or more slices of bread with something on it/them, and only later been exposed to American hamburgers, resulting in the latter being called “hamburgers”. A “sandwich” over here is those English-style triangular slices of bread with stuff between them.



  • Are buns not just very small loaves of bread? Don't you slice them? Are burgers not "something"?



  • @Gurth said:

    A “sandwich” over here is those English-style triangular slices of bread with stuff between them.

    Cutting your sandwiches on the diagonal is like eating your eggs from the wrong end. Just Don't Do It.


  • Discourse touched me in a no-no place

    @boomzilla said:

    Cutting your sandwiches on the diagonal is like eating your eggs from the wrong end. Just Don't Do It.

    News at 10: Old man yells at truck stop for selling pre-packaged sandwiches cut, as he put it, "the wrong way."



  • Sorta beat me tuit. But yeah, there are a smorgasbord of definitions of a sandwich but there is only one for a hamburger. Generally a sandwich is "something" between two (or not in the case of an open sandwich or similar) other "somethings" that are considerably different to the original something but are similar to themselves.

    A burger, or hamburger, on the other hand is something (normally meat) between two buns.

    Sandwich can be a description that refers to (a minimum of 3) people in certain circumstances. Now. Having switched your train of thought, re-read the above paragraph and visit Urban Dictionary :)


  • Grade A Premium Asshole

    @loose said:

    there are a smorgasbord of definitions of a sandwich but there is only one for a hamburger

    Yeah, depends on who you are. Lots of people consider patties of processed vegetable protein (veggie "burgers") to be a hamburger. I certainly don't. ;)



  • @Gurth said:

    Those things are too culturally-biased. “Select all images with sandwiches” — to get past it I had to remember that in (some? many? all?) English-speaking countries, a hamburger is considered a sandwich.

    Where is a hamburger not considered a sandwich?


  • Grade A Premium Asshole

    @boomzilla said:

    is like eating your eggs from the wrong end.

    There is a wrong end to eat eggs from?

    Normally I would agree with you on cutting sandwiches, with the exception of when you want to dunk them in soup. Another thing that I do that probably makes Texans cry is that I like to dunk peanut butter sandwiches in chili. Without slicing on the diagonal it will get messy very quickly and you will end up with chili all over your face.

    Now that I think about it, I would be willing to wager that there is a porn site out there somewhere that has that as their topic. No, I am not going to look for it.



  • I can't speak for @Gurth, but around here, the English word sandwich is only used for diagonally-cut white bread with (too much) stuff in between. The proper Dutch translation (belegd broodje) would include hamburgers (in a bun; the word "hamburger" can also refer to just the patty), however when seeing the word 'sandwich' most people would likely only think of the single thing the word refers to in Dutch.



  • @Polygeekery said:

    There is a wrong end to eat eggs from?

    What are you, some kind of yahoo?



  • @Polygeekery said:

    There is a wrong end to eat eggs from?

    Like many terms used these days, especially in the mechanics of computers and software, they had a perfectly natural existence prior to them being so hijacked.

    The technical term for which end you eat your egg from, well more a description of the type of person who chooses which end really, is just one of them.


  • Grade A Premium Asshole

    @boomzilla said:

    What are you, some kind of yahoo?

    Yes.



  • @Polygeekery said:

    @boomzilla said:
    What are you, some kind of yahoo?

    Yes.

    That's a tough life.


  • Discourse touched me in a no-no place

    @Polygeekery said:

    Texans cry

    Where do you even get these crazy ideas? We don't do that--we go shootin' rattlesnakes with bb guns.



  • @dkf said:

    leave_blank

    Racist!

    I propose to rename such field to leave_colored or maybe even leave_rainbow



  • @PleegWat said:

    but around here

    You mean in the Netherlands because in Flemish 'sandwich' generally only refers to a brioche or milk bread style small bread and not stuffed bread. English style would be a belegde boterham, keeping in par with belegd broodje that is normally a french style baguette type or something along that direction.



  • @loose said:

    which end you eat your egg from

    Is this the right time to start a discussion about how the toilet paper should be on the holder?



  • Absolutely



  • In some, many, or perhaps all places where people:
    @I said:

    have a native name for one or more slices of bread with something on it/them, and only later been exposed to American hamburgers, resulting in the latter being called “hamburgers”. A “sandwich” over here is those English-style triangular slices of bread with stuff between them.

    @PleegWat said:

    I can't speak for @Gurth, but around here, the English word sandwich is only used for diagonally-cut white bread with (too much) stuff in between.

    Given that we’re from the same country I’d kind of expect your definition of a sandwich to match mine :)

    @PleegWat said:

    the word "hamburger" can also refer to just the patty

    Luckily not as much as maybe 20 years ago. If you went to a chip shop and ordered a hamburger, nine times out of ten you got a plastic tray containing a deep-fried patty that looked and tasted like horse meat, drowned in curry ketchup. Nothing else. Ask for a broodje hamburger (“hamburger sandwich”, loosely translated) and you got the same but on a white bun. Ordering any of these is a mistake you only make once.



  • @Gurth said:

    Ordering any of these is a mistake you only make once.

    Nice turn of phrase :heart:



  • @Gurth said:

    Nothing else.

    :wtf: Not even in Belgium ...
    But in a frietkot I would ask for a Bicky Burger :stuck_out_tongue:

