Captcha: difference between revisions

Source: Wikipedia
Deleted content Added content
Loveless (talk | contribs)
m r2.7.3) (robot Modifying: fi:Kuvavarmennus
m reverted to 2 January 2022
Tag: removal
 
(17 intermediate revisions by 9 users not shown)
Line 1: Line 1:
[[Datoteka:Captcha.jpg|mini|290px|Rane "CAPTCHA" testove kao ove, generirane uz pomoć programa EZ-Gimpy, koristio je [[Yahoo!]]. Međutim, razvijena je tehnologija za čitanje ovog tipa CAPTCHA testova<ref name="autogenerated1">{{cite web |first=Mori, |last=Greg |coauthors=Malik, Jitendra |url=http://www.cs.sfu.ca/~mori/research/gimpy/ |title=Breaking a Visual CAPTCHA |publisher=Simon Fraser University |date= |accessdate=2008-12-21}}</ref>]]
[[Datoteka:Captcha.jpg|mini|290px|Rane "CAPTCHA" testove kao ove, generirane uz pomoć programa EZ-Gimpy, koristio je [[Yahoo!]]. Međutim, razvijena je tehnologija za čitanje ovog tipa CAPTCHA testova<ref name="autogenerated1">{{cite web |last1=Greg |first1=Mori |last2=Malik |first2=Jitendra |url=http://www.cs.sfu.ca/~mori/research/gimpy/ |title=Breaking a Visual CAPTCHA |publisher=Simon Fraser University |accessdate=2008-12-21}}</ref>]]
[[Datoteka:Modern-captcha.jpg|mini|290px|Moderni CAPTCHA ne pokušava stvoriti iskrivljenu pozadinu i zakrivljenje teksta, već se usmjerava na otežavanje [[Segmentacija (image processing)|segmentacije]] dodavanjem zakrivljenih linija]]
[[Datoteka:Modern-captcha.jpg|mini|290px|Moderni CAPTCHA ne pokušava stvoriti iskrivljenu pozadinu i zakrivljenje teksta, već se usmjerava na otežavanje [[Segmentacija (image processing)|segmentacije]] dodavanjem zakrivljenih linija]]
[[Datoteka:KCAPTCHA with crowded symbols.gif|mini|290px|Drugi način za otežavanje segmentacije je zgušnjavanje simbola. Ovo je oblik CAPTCHA-e kojeg trenutno koristi Yahoo!. Ovo se može pokazati teškim za pročitati čak i nekim ljudima, pa je u ovom primjeru teško reći je li lijeva riječ "klopsh" ili "kbpsh".]]
[[Datoteka:KCAPTCHA with crowded symbols.gif|mini|290px|Drugi način za otežavanje segmentacije je zgušnjavanje simbola. Ovo je oblik CAPTCHA-e kojeg trenutno koristi Yahoo!. Ovo se može pokazati teškim za pročitati čak i nekim ljudima, pa je u ovom primjeru teško reći je li lijeva riječ "klopsh" ili "kbpsh".]]


'''CAPTCHA''' ili '''Captcha''' ({{IPA|/ˈkæptʃə/}}) vrsta je [[autentikacija "izazov-odgovor"|autentikacije "izazov-odgovor"]] koji se koristi u [[računarstvo|računarstvu]] da bi odredilo je li korisnik čovjek ili računalo, s ciljem sprječavanja pristupa zlonamjernim računalnim programima. Proces najčešće podrazumjeva jedno [[računalo]] ([[server]]), koji traži od korisnika da odradi jednostavan test koji računalo može generirati i ocijeniti. Pretpostavka je da drugo računalo nije u stanju riješiti taj test, pa se svaki korisnik koji unese točan odgovor se smatra čovjekom. Uobičajeni CAPTCHA testovi traže od korisnika da unese nekoliko simbola (najčešće slova i/ili brojeva) koji su prikazana na slici, koja je na neki način iskrivljena. Zbog toga se ponekad naziva "obrnuti [[Turingov test]]", jer podrazumijeva stroj koji cilja na prepoznavanje ljudi, za razliku od originalnog turingovog testa kojeg izvode ljudi da bi prepoznali računala.
'''CAPTCHA''' ili '''Captcha''' ({{IPA|/ˈkæptʃə/}}) vrsta je [[autentikacija "izazov-odgovor"|autentikacije "izazov-odgovor"]] koji se koristi u [[računarstvo|računarstvu]] da bi odredilo je li korisnik čovjek ili računalo, s ciljem sprječavanja pristupa zlonamjernim računalnim programima. Proces najčešće podrazumjeva jedno [[računalo]] ([[server]]), koji traži od korisnika da odradi jednostavan test koji računalo može generirati i ocijeniti. Pretpostavka je da drugo računalo nije u stanju riješiti taj test, pa se svaki korisnik koji unese točan odgovor se smatra čovjekom. Uobičajeni CAPTCHA testovi traže od korisnika da unese nekoliko simbola (najčešće slova i/ili brojeva) koji su prikazana na slici, koja je na neki način iskrivljena. Zbog toga se ponekad naziva "obrnuti [[Turingov test]]", jer podrazumijeva stroj koji cilja na prepoznavanje ljudi, za razliku od originalnog turingovog testa kojeg izvode ljudi da bi prepoznali računala.


Skraćenica ''CAPTCHA'' nastala je 2000. godine, a osmislili su je [[Luis von Ahn]], [[Manuel Blum]], Nicholas J. Hopper (svi sa [[Carnegie Mellon University]]), i [[John Langford (računalni znanstvenik)|John Langford]] (tada u [[International Business Machines|IBM]]-u). Skraćenica dolazi od engleskog ''Completely Automated Public Turing test to tell Computers and Humans Apart'' (u prijevodu: potpuno automatizirani javni Turingov test za razlikovanje računala od ljudi).
Skraćenica ''CAPTCHA'' nastala je 2000. godine, a osmislili su je [[Luis von Ahn]], [[Manuel Blum]], Nicholas J. Hopper (svi s [[Carnegie Mellon University]]), i [[John Langford (računalni znanstvenik)|John Langford]] (tada u [[International Business Machines|IBM]]-u). Skraćenica dolazi od engleskog ''Completely Automated Public Turing test to tell Computers and Humans Apart'' (u prijevodu: potpuno automatizirani javni Turingov test za razlikovanje računala od ljudi).


Carnegie Mellon University je pokušao zaštititi ovu riječ,<ref>{{cite news |first= |last= |authorlink= |coauthors= |title=Computer Literacy Tests: Are You Human? |url=http://www.time.com/time/magazine/article/0,9171,1812084,00.html |quote=The Carnegie Mellon team came back with the CAPTCHA. (It stands for "completely automated public Turing test to tell computers and humans apart"; no, the acronym doesn't really fit.) The point of the CAPTCHA is that reading those swirly letters is something that computers aren't very good at. |publisher=[[Time (magazine)]] |date= |accessdate=2008-06-12 }}</ref>, no od zahtjeva su odustali 21. travnja 2008.<ref>{{cite web|url=http://tarr.uspto.gov/servlet/tarr?regser=serial&entry=78500434 |title=Latest Status of CAPTCHA Trademark Application |publisher=USPTO |date=2008-04-21 |accessdate=2008-12-21}}</ref> Trenutno, tvorci CAPTCHA-a preporučuju korištenje sustava [[reCAPTCHA]] kao službene implementacije.<ref>{{cite web|url=http://www.captcha.net/ |title=reCAPTCHA homepage |publisher=Captcha.net |date= |accessdate=2008-12-21}}</ref>
Carnegie Mellon University je pokušao zaštititi ovu riječ,<ref>{{cite news |title=Computer Literacy Tests: Are You Human? |url=http://www.time.com/time/magazine/article/0,9171,1812084,00.html |quote=The Carnegie Mellon team came back with the CAPTCHA. (It stands for "completely automated public Turing test to tell computers and humans apart"; no, the acronym doesn't really fit.) The point of the CAPTCHA is that reading those swirly letters is something that computers aren't very good at. |publisher=Time (časopis) |access-date=8. srpnja 2009. |archive-url=https://web.archive.org/web/20090430102132/http://www.time.com/time/magazine/article/0,9171,1812084,00.html |archive-date=30. travnja 2009.}}</ref> no od zahtjeva su odustali 21. travnja 2008.<ref>{{cite web |url=http://tarr.uspto.gov/servlet/tarr?regser=serial&entry=78500434 |title=Latest Status of CAPTCHA Trademark Application |publisher=USPTO |date=2008-04-21 |accessdate=2008-12-21}}</ref> Trenutno, tvorci CAPTCHA-a preporučuju korištenje sustava [[reCAPTCHA]] kao službene implementacije.<ref>{{cite web |url=http://www.captcha.net/ |title=reCAPTCHA homepage |publisher=Captcha.net |accessdate=2008-12-21 |archiveurl=https://web.archive.org/web/20120404215102/http://www.captcha.net/ |archivedate=4. travnja 2012.}}</ref>


== Svojstva ==
== Svojstva ==
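Review bot: in the Captcha.jpg caption the rewritten citation still has the author's name parts reversed. "|last1=Greg |first1=Mori" should be "|last1=Mori |first1=Greg" (the cited URL path is ~mori), so the split into last1/first1 carries over the error from the old "first=Mori, |last=Greg" form. The lead paragraph is also carried over with "podrazumjeva" (should be "podrazumijeva") and a doubled "se" in "pa se svaki korisnik koji unese točan odgovor se smatra čovjekom". In the new Time and captcha.net citations the parameter spelling is mixed ("access-date"/"archive-url" in one, "accessdate"/"archiveurl" in the other); pick one form.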
Line 23: Line 23:
== Povijest ==
== Povijest ==
[[Moni Naor]] je prvi koji je teoretizirao o načinima provjere dolazi li zahtjev od osobe ili od [[internet bot|bota]].
[[Moni Naor]] je prvi koji je teoretizirao o načinima provjere dolazi li zahtjev od osobe ili od [[internet bot|bota]].
<ref>{{cite paper | author = Moni Naor |date=July, 1996 | url = http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps | format = PS | title = Verification of a human in the loop or Identification via the Turing Test | accessdate = 2008-07-06}}</ref> Primitivni CAPTCHA test su [[1997.]] razvili [[Andrei Broder]], [[Martin Abadi]], [[Krishna Bharat]] i [[Mark Lillibridge]], da bi spriječili internet botove da dodaju [[URL]]-ove od njihovih pretraživača.<ref>[http://www.freepatentsonline.com/6195698.html] US Patent no. 6,195,698, "Method for selectively restricting access to computer systems"</ref>
<ref>{{cite paper |author=Moni Naor |date=Srpanj 1996. |url=http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps |format=PS |title=Verification of a human in the loop or Identification via the Turing Test |accessdate=2008-07-06}}</ref> Primitivni CAPTCHA test su [[1997.]] razvili [[Andrei Broder]], [[Martin Abadi]], [[Krishna Bharat]] i [[Mark Lillibridge]], da bi spriječili internet botove da dodaju [[URL]]-ove od njihovih pretraživača.<ref>[http://www.freepatentsonline.com/6195698.html] US Patent no. 6,195,698, "Method for selectively restricting access to computer systems"</ref>


Da bi slike učinili otpornijim na [[Optičko prepoznavanje znakova|OCR]] ({{en|Optical Character Recognition}}), tim je simulirao situacije, koristili su primjere iz priručnika za skener gdje su prikazani znakovi krivo očitani uz pomoć [[Optičko prepoznavanje znakova|OCR]]-a. 2000. godine, [[Luis von Ahn]] i [[Manuel Blum]] smislili su izraz 'CAPTCHA', koji je podrazumijevao općeniti program za razlokivanje ljudi od računala. Osmislili su višestruke primjere CAPTCHA-e, uključujući prve naširoko korištene CAPTCHA-a, one koje je u početku koristio [[Yahoo!]].
Da bi slike učinili otpornijim na [[Optičko prepoznavanje znakova|OCR]] ({{en|Optical Character Recognition}}), tim je simulirao situacije, koristili su primjere iz priručnika za skener gdje su prikazani znakovi krivo očitani uz pomoć [[Optičko prepoznavanje znakova|OCR]]-a. 2000. godine, [[Luis von Ahn]] i [[Manuel Blum]] smislili su izraz 'CAPTCHA', koji je podrazumijevao općeniti program za razlokivanje ljudi od računala. Osmislili su višestruke primjere CAPTCHA-e, uključujući prve naširoko korištene CAPTCHA-a, one koje je u početku koristio [[Yahoo!]].
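Review bot: the OCR paragraph at the end of this hunk is unchanged and keeps the misspelling "razlokivanje" (should be "razlikovanje") and the comma splice "tim je simulirao situacije, koristili su primjere"; both are worth fixing while the section is being touched. In the Naor citation the date was localised to "Srpanj 1996." while "accessdate=2008-07-06" stays in ISO form, so the reference now mixes two date styles. The reference also still starts on its own line after the full stop of the preceding sentence, which leaves a stray space before the footnote marker.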
Line 35: Line 35:


== Dostupnost ==
== Dostupnost ==
S obzirom da se CAPTCHAs oslanja na vizualnu percepciju, korisnici koji ne mogu čitati CAPTCHA-u (zbog raznih ograničenja, npr. teškoća u čitanju) neće moći proći ovaj CAPTCHA-test. Stoga internet stranice koje koriste CAPTCHA-u mogu korisniku omogućiti i audio test, uz vizualni, što je i službena preporuka na CAPTCHA stranicama. Ova kombinacija predstavlja do sada najdostupniji postojeći CAPTCHA test.
S obzirom na to da se CAPTCHAs oslanja na vizualnu percepciju, korisnici koji ne mogu čitati CAPTCHA-u (zbog raznih ograničenja, npr. teškoća u čitanju) neće moći proći ovaj CAPTCHA-test. Stoga internet stranice koje koriste CAPTCHA-u mogu korisniku omogućiti i audio test, uz vizualni, što je i službena preporuka na CAPTCHA stranicama. Ova kombinacija predstavlja do sada najdostupniji postojeći CAPTCHA test.


'''Pokušaji da se CAPTCHA učini još dostupnijim'''
'''Pokušaji da se CAPTCHA učini još dostupnijim'''


No, čak i audio i vizualni CAPTCHA testovi mogu biti nedostatni za neke korisnike, koji su npr. i slijepi i gluhi. Pokušaji uključuju postavljanje jednostavnih matematičkih pitanja ("Koliko je 1+1?") ili pitanja na koje svi znaju odgovor ("Koje je boje nebo za vedrog dana?"). No, ovi testovi ne zadovoljavaju neke osnovne zahtjeve kao što su automatsko generiranje, a i napadač s iskustvom ih lako probije. Stoga ove testove ne možemo nazivati CAPTCHA jer ne daju sigurnost koju pruža CAPTCHA.
No, čak i audio i vizualni CAPTCHA testovi mogu biti nedostatni za neke korisnike, koji su npr. i slijepi i gluhi. Pokušaji uključuju postavljanje jednostavnih matematičkih pitanja ("Koliko je 1+1?") ili pitanja na koje svi znaju odgovor ("Koje je boje nebo za vedrog dana?"). No, ovi testovi ne zadovoljavaju neke osnovne zahtjeve kao što su automatsko generiranje, a i napadač s iskustvom ih lako probije. Stoga ove testove ne možemo nazivati CAPTCHA jer ne daju sigurnost koju pruža CAPTCHA.


== Zaobilaženje CAPTCHA-e ==
== Zaobilaženje CAPTCHA-e ==
Postoji nekoliko pristupa pri pokušajima da se zaobiđe CAPTCHA:<br />
Postoji nekoliko pristupa pri pokušajima da se zaobiđe CAPTCHA:
* iskorištavanje bugova koji dopuštaju napadaču da posve zaobiđe CAPTCHA test,
* iskorištavanje bugova koji dopuštaju napadaču da posve zaobiđe CAPTCHA test,
* poboljšanje softvera za prepoznavanje znakova ili
* poboljšanje softvera za prepoznavanje znakova ili
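Review bot: the first sentence of the Dostupnost section was corrected to "S obzirom na to da" but still contains the English plural in "se CAPTCHAs oslanja"; it should read "se CAPTCHA oslanja", matching the rest of the paragraph. Dropping the "<br />" before the bulleted list under "Zaobilaženje CAPTCHA-e" is fine, since the list starts on the next line anyway.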
Line 54: Line 54:
Neki se CAPTCHA zaštitni sustavi mogu zaobići i bez uporabe [[Optical character recognition|OCR]]-a, jednostavno uz pomoć ponovne uporabe [[session ID]]-a poznate CAPTCHA slike.
Neki se CAPTCHA zaštitni sustavi mogu zaobići i bez uporabe [[Optical character recognition|OCR]]-a, jednostavno uz pomoć ponovne uporabe [[session ID]]-a poznate CAPTCHA slike.


Pravilno dizajnirana CAPTCHA ne dozvoljava višestrike pokušaje prolaska testa. Ovo sprječava ponovno korištenje ispravnih testova i pogađanje iz više pokušaja nakon neprolaska na testu.<ref>{{cite web | url = http://www.puremango.co.uk/cm_breaking_captcha_115.php | title = Breaking CAPTCHAs Without Using OCR | accessdate = 2006-08-22 | year = 2005 | work = Howard Yeend (pureMango.co.uk)}}</ref>. Druge CAPTCHA implementacije koriste hash (kao što je [[MD5]] hash) rješenja kao ključ koji se šalje klijentu da validira CAPTCHA-u. Ponekad je CAPTCHA tako mali, da se njgov harh kod može probiti.<ref>{{cite web|url=http://milw0rm.com/cracker/list.php |title=Online services allow MD5 hashes to be cracked| accessdate=2007-01-04}}</ref>
Pravilno dizajnirana CAPTCHA ne dozvoljava višestrike pokušaje prolaska testa. Ovo sprječava ponovno korištenje ispravnih testova i pogađanje iz više pokušaja nakon neprolaska na testu.<ref>{{cite web |url=http://www.puremango.co.uk/cm_breaking_captcha_115.php |title=Breaking CAPTCHAs Without Using OCR |accessdate=2006-08-22 |year=2005 |work=Howard Yeend (pureMango.co.uk) |archiveurl=https://web.archive.org/web/20170625165854/http://www.puremango.co.uk/2005/11/breaking_captcha_115/ |archivedate=25. lipnja 2017.}}</ref> Druge CAPTCHA implementacije koriste hash (kao što je [[MD5]] hash) rješenja kao ključ koji se šalje klijentu da validira CAPTCHA-u. Ponekad je CAPTCHA tako mali, da se njgov harh kod može probiti.<ref>{{cite web |url=http://milw0rm.com/cracker/list.php |title=Online services allow MD5 hashes to be cracked |accessdate=2007-01-04 |archive-date=28. veljače 2009. |archive-url=https://web.archive.org/web/20090228195435/http://www.milw0rm.com/cracker/list.php |url-status=dead}}</ref>


Nadalje, hash može pomoći u pokušaju probijanja temeljam [[OCR]]-a. Sigurnija schema bi bila ona sa korištenjem [[HMAC]]-a.
Nadalje, hash može pomoći u pokušaju probijanja temeljam [[OCR]]-a. Sigurnija schema bi bila ona s korištenjem [[HMAC]]-a.


Na kraju, neke implementacije CAPTCHA-e koriste konačni (mali) broj slika. S vremenom, kada napadač prikupi dovoljno slika, CAPTCHA se može probiti jednostavnom usporedbom hash-a CAPTCHA-e sa hashom nekom od pohranjenih slika.
Na kraju, neke implementacije CAPTCHA-e koriste konačni (mali) broj slika. S vremenom, kada napadač prikupi dovoljno slika, CAPTCHA se može probiti jednostavnom usporedbom hash-a CAPTCHA-e s hashom nekom od pohranjenih slika.


'''Računalno prepoznavanje znakova'''
'''Računalno prepoznavanje znakova'''
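Review bot: the paragraph on hashed solutions keeps typos that blur its security point: "višestrike" (višestruke), "njgov harh kod" (njegov hash kod), "temeljam" and "schema" (shema) are all unchanged, and only the "sa" to "s" corrections were made. The sentence "Sigurnija schema bi bila ona s korištenjem HMAC-a" also has no citation and does not say why: with a plain MD5 of a short solution sent to the client, the solution space is small enough to search offline, whereas a keyed MAC cannot be recomputed without the server's key. In the last paragraph "s hashom nekom od pohranjenih slika" should be "s hashom neke od pohranjenih slika". The added archive links and "url-status=dead" on the milw0rm reference look right.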
Line 67: Line 67:
# Klasifikacija: identificiranje znakova u svakom dijelu slike
# Klasifikacija: identificiranje znakova u svakom dijelu slike


Koraci 1 i 3 su lak zadatak za računala<ref>{{cite paper | author = Kumar Chellapilla, Kevin Larson, Patrice Simard, Mary Czerwinski |date=2005 | url = http://www.ceas.cc/papers-2005/160.pdf | format = PDF | title = Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs) | publisher = [[Microsoft Research]] | accessdate = 2006-08-02}}</ref>. Jedini korak gdje je čovjek i dana jači od računala je segmentacija.
Koraci 1 i 3 su lak zadatak za računala.<ref>{{cite paper |author=Kumar Chellapilla, Kevin Larson, Patrice Simard, Mary Czerwinski |year=2005 |url=http://www.ceas.cc/papers-2005/160.pdf |format=PDF |title=Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs) |publisher=Microsoft Research |accessdate=2006-08-02}}</ref> Jedini korak gdje je čovjek i dana jači od računala je segmentacija.


{{prijevod-eng}}
{{prijevod-eng}}
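Review bot: the sentence after the Chellapilla reference still reads "čovjek i dana jači od računala"; "dana" should be "danas". Moving the full stop in front of the "<ref>" is correct. The citation keeps all four authors in a single "author=" string, while other references in this revision were split into "last1/first1" pairs; use the same form here for consistency.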
Line 73: Line 73:
If the background clutter consists of shapes similar to letter shapes, and the letters are connected by this clutter, the segmentation becomes nearly impossible with current software. Hence, an effective CAPTCHA should focus on the segmentation.
If the background clutter consists of shapes similar to letter shapes, and the letters are connected by this clutter, the segmentation becomes nearly impossible with current software. Hence, an effective CAPTCHA should focus on the segmentation.


Several research projects have broken real world CAPTCHAs, including one of Yahoo's early CAPTCHAs called "EZ-Gimpy"<ref name=autogenerated1 /> and the CAPTCHA used by popular sites such as Paypal,<ref>{{cite web|first=Kurt |last=Kluever |url=http://www.kloover.com/2008/05/12/breaking-the-paypalcom-captcha/ |title=Breaking the PayPal CAPTCHA |publisher=Kloover.com |date=May 12, 2008 |accessdate=2008-12-21}}</ref> LiveJournal, phpBB, and other open source solutions.<ref>{{cite web|first=Kurt |last=Kluever |url=http://www.kloover.com/2008/02/28/breaking-the-asp-security-image-generator/ |title=Breaking ASP Security Image Generator |publisher=Kloover.com |date=February 28, 2008 |accessdate=2008-12-21}}</ref><ref>{{cite web |first=Sam |last=Hocevar |url=http://sam.zoy.org/pwntcha/ |title=PWNtcha - captcha decoder |publisher=Sam.zoy.org |date= |accessdate=2008-12-21}}</ref><ref>{{cite web |first=Kruglov |last=Sergei|url=http://www.captcha.ru/en/breakings/ |title=Defeating of some weak CAPTCHAs |publisher=Captcha.ru |date= |accessdate=2008-12-21}}</ref>
Several research projects have broken real world CAPTCHAs, including one of Yahoo's early CAPTCHAs called "EZ-Gimpy"<ref name="autogenerated1" /> and the CAPTCHA used by popular sites such as Paypal,<ref>{{cite web |first=Kurt |last=Kluever |url=http://www.kloover.com/2008/05/12/breaking-the-paypalcom-captcha/ |title=Breaking the PayPal CAPTCHA |publisher=Kloover.com |date=12. svibnja 2008. |accessdate=2008-12-21}}</ref> LiveJournal, phpBB, and other open source solutions.<ref>{{cite web |first=Kurt |last=Kluever |url=http://www.kloover.com/2008/02/28/breaking-the-asp-security-image-generator/ |title=Breaking ASP Security Image Generator |publisher=Kloover.com |date=28. veljače 2008. |accessdate=2008-12-21}}</ref><ref>{{cite web |first=Sam |last=Hocevar |url=http://sam.zoy.org/pwntcha/ |title=PWNtcha - captcha decoder |publisher=Sam.zoy.org |accessdate=2008-12-21}}</ref><ref>{{cite web |first=Kruglov |last=Sergei |url=http://www.captcha.ru/en/breakings/ |title=Defeating of some weak CAPTCHAs |publisher=Captcha.ru |accessdate=2008-12-21}}</ref>
In January 2008 Network Security Research released their program for automated Yahoo! CAPTCHA recognition.<ref>{{cite web|url=http://network-security-research.blogspot.com/ |title=Network Security Research and AI |accessdate=2008-12-21}}</ref> [[Windows Live Hotmail]] and [[Gmail]], the other two major free email providers, were cracked shortly after.<ref>{{cite news | first= | last=Dawson | coauthors= | title= Windows Live Hotmail CAPTCHA Cracked, Exploited | date=2008-04-15 | publisher=[[SourceForge]] | url =http://tech.slashdot.org/article.pl?sid=08/04/15/1941236&from=rss | work =[[Slashdot]] | pages = | accessdate = 2008-04-16}}</ref><ref>{{cite news | first= | last=Dawson | coauthors= | title= Gmail CAPTCHA Cracked | date=2008-02-26 | publisher=[[SourceForge]] | url =http://it.slashdot.org/article.pl?sid=08/02/27/0045242 | work =[[Slashdot]] | pages = | accessdate = 2008-04-16}}</ref>
In January 2008 Network Security Research released their program for automated Yahoo! CAPTCHA recognition.<ref>{{cite web |url=http://network-security-research.blogspot.com/ |title=Network Security Research and AI |accessdate=2008-12-21}}</ref> [[Windows Live Hotmail]] and [[Gmail]], the other two major free email providers, were cracked shortly after.<ref>{{cite news |last=Dawson |title=Windows Live Hotmail CAPTCHA Cracked, Exploited |date=2008-04-15 |publisher=SourceForge |url=http://tech.slashdot.org/article.pl?sid=08/04/15/1941236&from=rss |work=Slashdot |accessdate=2008-04-16}}</ref><ref>{{cite news |last=Dawson |title=Gmail CAPTCHA Cracked |date=2008-02-26 |publisher=SourceForge |url=http://it.slashdot.org/article.pl?sid=08/02/27/0045242 |work=Slashdot |accessdate=2008-04-16}}</ref>


In February 2008 it was reported that spammers had achieved a success rate of 30% to 35%, using a bot, in responding to CAPTCHAs for Microsoft's Live Mail service<ref>Gregg Keizer, [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061558 "Spammers' bot cracks Microsoft's CAPTCHA: Bot beats Windows Live Mail's registration test 30% to 35% of the time, says Websense"], ''Computerworld"', February 7, 2008</ref> and a success rate of 20% against Google's Gmail CAPTCHA.<ref>{{cite web |first=Sumeet |last=Prasad |url=http://www.websense.com/securitylabs/blog/blog.php?BlogID=174 |title=Google’s CAPTCHA busted in recent spammer tactics |publisher=Websense |date=2008-02-22 |accessdate=2008-12-21}}</ref> A Newcastle University research team has defeated the segmentation part of Microsoft's CAPTCHA with a 90% success rate, and claim that this could lead to a complete crack with a greater than 60% rate.<ref>{{cite paper |author=Jeff Yan |coauthors=Ahmad Salah El Ahmad |url=http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf |title=A Low-cost Attack on a Microsoft CAPTCHA |format=PDF |publisher=School of Computing Science, Newcastle University, UK |date=April 13, 2008 |accessdate=2008-12-21}}</ref>
In February 2008 it was reported that spammers had achieved a success rate of 30% to 35%, using a bot, in responding to CAPTCHAs for Microsoft's Live Mail service<ref>Gregg Keizer, [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061558 "Spammers' bot cracks Microsoft's CAPTCHA: Bot beats Windows Live Mail's registration test 30% to 35% of the time, says Websense"], ''Computerworld"', February 7, 2008</ref> and a success rate of 20% against Google's Gmail CAPTCHA.<ref>{{cite web |first=Sumeet |last=Prasad |url=http://www.websense.com/securitylabs/blog/blog.php?BlogID=174 |title=Google’s CAPTCHA busted in recent spammer tactics |publisher=Websense |date=2008-02-22 |accessdate=2008-12-21}}</ref> A Newcastle University research team has defeated the segmentation part of Microsoft's CAPTCHA with a 90% success rate, and claim that this could lead to a complete crack with a greater than 60% rate.<ref>{{cite paper |last1=Yan |first1=Jeff |last2=El Ahmad |first2=Ahmad Salah |url=http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf |title=A Low-cost Attack on a Microsoft CAPTCHA |format=PDF |publisher=School of Computing Science, Newcastle University, UK |date=13. travnja 2008. |accessdate=2008-12-21}}</ref>


== Human solvers ==
== Human solvers ==
CAPTCHA is vulnerable to a [[relay attack]] that uses humans to solve the puzzles. One approach involves relaying the puzzles to a group of human operators who can solve CAPTCHAs. In this scheme, a computer fills out a form and when it reaches a CAPTCHA, it gives the CAPTCHA to the human operator to solve.
CAPTCHA is vulnerable to a [[relay attack]] that uses humans to solve the puzzles. One approach involves relaying the puzzles to a group of human operators who can solve CAPTCHAs. In this scheme, a computer fills out a form and when it reaches a CAPTCHA, it gives the CAPTCHA to the human operator to solve.


Another variation of this technique involves copying the CAPTCHA images and using them as CAPTCHAs for a high-traffic site owned by the attacker. With enough traffic, the attacker can get a solution to the CAPTCHA puzzle in time to relay it back to the target site.<ref>{{cite web | url = http://www.boingboing.net/2004/01/27/solving_and_creating.html | title = Solving and creating CAPTCHAs with free porn | accessdate = 2006-08-22 | last = Doctorow | first = Cory | authorlink = Cory Doctorow |date=2004-01-27 | work = Boing Boing}}</ref> In October 2007, a piece of malware appeared [[Computer virus#History|in the wild]] which enticed users to solve CAPTCHAs in order to see progressively further into a series of striptease images.<ref>{{cite news |url=http://ap.google.com/article/ALeqM5jnNrQKxFzt7mPu3DZcP7_UWr8UfwD8SKE6Q80 |archiveurl=http://web.archive.org/web/20071106170737/http://ap.google.com/article/ALeqM5jnNrQKxFzt7mPu3DZcP7_UWr8UfwD8SKE6Q80 |archivedate=2007-11-06 |title=Scams Use Striptease to Break Web Traps |first=Jordan |last=Robertson |date=2007-11-01 |location=San Jose, California |agancy=Associated Press}}</ref><ref>{{cite web|last=Vaas |first=Lisa |url=http://www.pcmag.com/article2/0,2704,2210674,00.asp |title=Striptease Used to Recruit Help in Cracking Sites |publisher=PC Magazine |date=2007-11-01|accessdate=2008-12-21}}</ref>
Another variation of this technique involves copying the CAPTCHA images and using them as CAPTCHAs for a high-traffic site owned by the attacker. With enough traffic, the attacker can get a solution to the CAPTCHA puzzle in time to relay it back to the target site.<ref>{{cite web |url=http://www.boingboing.net/2004/01/27/solving_and_creating.html |title=Solving and creating CAPTCHAs with free porn |accessdate=2006-08-22 |last=Doctorow |first=Cory |date=2004-01-27 |work=Boing Boing}}</ref> In October 2007, a piece of malware appeared [[Computer virus#History|in the wild]] which enticed users to solve CAPTCHAs in order to see progressively further into a series of striptease images.<ref>{{cite news |url=http://ap.google.com/article/ALeqM5jnNrQKxFzt7mPu3DZcP7_UWr8UfwD8SKE6Q80 |archiveurl=http://web.archive.org/web/20071106170737/http://ap.google.com/article/ALeqM5jnNrQKxFzt7mPu3DZcP7_UWr8UfwD8SKE6Q80 |archivedate=2007-11-06 |title=Scams Use Striptease to Break Web Traps |first=Jordan |last=Robertson |date=2007-11-01 |location=San Jose, California |agancy=Associated Press}}</ref><ref>{{cite web |last=Vaas |first=Lisa |url=http://www.pcmag.com/article2/0,2704,2210674,00.asp |title=Striptease Used to Recruit Help in Cracking Sites |publisher=PC Magazine |date=2007-11-01 |accessdate=2008-12-21}}</ref>


These methods have been used by spammers to set up thousands of accounts on free email services such as Gmail and Yahoo!.
These methods have been used by spammers to set up thousands of accounts on free email services such as Gmail and Yahoo!.
<ref>{{cite web | url = http://www.theregister.co.uk/2008/04/10/web_mail_throttled/ | title = Spam filtering services throttle Gmail to fight spammers | accessdate = 2008-04-10 | authorlink = John Leyden | date=2008-04-10}}</ref>
<ref>{{cite web |url=http://www.theregister.co.uk/2008/04/10/web_mail_throttled/ |title=Spam filtering services throttle Gmail to fight spammers |accessdate=2008-04-10 |date=2008-04-10}}</ref>
Since Gmail and Yahoo! are unlikely to be blacklisted by anti-spam systems, spam sent through these compromised accounts is less likely to be blocked.
Since Gmail and Yahoo! are unlikely to be blacklisted by anti-spam systems, spam sent through these compromised accounts is less likely to be blocked.


== Legal concerns ==
== Legal concerns ==
The circumvention of CAPTCHAs may violate the anti-circumvention clause of the [[Digital Millennium Copyright Act]] (DMCA) in the [[United States]]. In 2007, [[Ticketmaster]] sued software maker RMG Technologies<ref>{{cite web
The circumvention of CAPTCHAs may violate the anti-circumvention clause of the [[Digital Millennium Copyright Act]] (DMCA) in the [[United States]]. In 2007, [[Ticketmaster]] sued software maker RMG Technologies<ref>{{cite web |last1=Ulanoff |first1=Lance |title=Deep-Sixing CAPTCHA |work=PC Magazine |publisher=Ziff Davis Media |date=31. listopada 2007. |url=http://www.pcmag.com/article2/0,2704,2209782,00.asp |accessdate=2007-12-12}}</ref> for its product which circumvented the ticket seller's CAPTCHAs on the basis that it violates the anti-circumvention clause of the DMCA. In October 2007, an [[injunction]] was issued stating that Ticketmaster would likely succeed in making its case.<ref>{{cite web |url=http://www.scribd.com/doc/404395/ticketmaster-v-rmg |title=TicketMaster v. RMG}}</ref> In June 2008, Ticketmaster filed for Default Judgment against RMG. The Court granted Ticketmaster the Default and entered an $18.2M judgment in favor of Ticketmaster.
| last =Ulanoff
| first =Lance
| coauthors =
| title =Deep-Sixing CAPTCHA
| work =PC Magazine
| publisher =Ziff Davis Media
| date =October 31, 2007
| url =http://www.pcmag.com/article2/0,2704,2209782,00.asp
| format =
| doi =
| accessdate = 2007-12-12}}</ref> for its product which circumvented the ticket seller's CAPTCHAs on the basis that it violates the anti-circumvention clause of the DMCA. In October 2007, an [[injunction]] was issued stating that Ticketmaster would likely succeed in making its case.<ref>{{cite web | url = http://www.scribd.com/doc/404395/ticketmaster-v-rmg |title=TicketMaster v. RMG}}</ref> In June 2008, Ticketmaster filed for Default Judgment against RMG. The Court granted Ticketmaster the Default and entered an $18.2M judgment in favor of Ticketmaster.


CAPTCHA without audio may also violate the [[Americans With Disabilities Act]], according to the [[American Council of the Blind]].<ref>{{cite web | url = http://www.acb.org/board-minutes/bm070802.html | title=Minutes of the August 2, 2007 Board Teleconference Meeting - American Council of the Blind}} </ref>
CAPTCHA without audio may also violate the [[Americans With Disabilities Act]], according to the [[American Council of the Blind]].<ref>{{cite web |url=http://www.acb.org/board-minutes/bm070802.html |title=Minutes of the August 2, 2007 Board Teleconference Meeting - American Council of the Blind}} </ref>


== Image-recognition CAPTCHAs ==
== Image-recognition CAPTCHAs ==
Some researchers promote image recognition CAPTCHAs as a possible alternative for text-based CAPTCHAs.
Some researchers promote image recognition CAPTCHAs as a possible alternative for text-based CAPTCHAs.
To date, only [[rapidshare]] made use of an image based CAPTCHA. Many amateur users of the [[phpBB]] forum software (which has suffered greatly from spam) have implemented an [[open source]] image recognition CAPTCHA system in the form of an addon called KittenAuth<ref name="kittenauth">[http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth The Cutest Human-Test: KittenAuth] from ThePCSpy.com </ref> which in its default form presents a question requiring the user to select a stated type of animal from an array of thumbnail images of assorted animals. The images (and the challenge questions) can be customized, for example to present questions and images which would be easily answered by the forum's target userbase. Furthermore, for a time, [[RapidShare]] free users had to get past a CAPTCHA where you had to only enter letters attached to a cat, while others were attached to dogs.<ref>{{cite web |author=David |url=http://www.randomwire.com/2008/06/04/attached-to-a-captcha/ |title=Attached to a Captcha |publisher=randomwire.com |date=June 04, 2008 |accessdate=2008-12-21}}</ref> This was later removed because users had trouble entering the correct letters.
To date, only [[rapidshare]] made use of an image based CAPTCHA. Many amateur users of the [[phpBB]] forum software (which has suffered greatly from spam) have implemented an [[open source]] image recognition CAPTCHA system in the form of an addon called KittenAuth<ref name="kittenauth">[http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth The Cutest Human-Test: KittenAuth] from ThePCSpy.com </ref> which in its default form presents a question requiring the user to select a stated type of animal from an array of thumbnail images of assorted animals. The images (and the challenge questions) can be customized, for example to present questions and images which would be easily answered by the forum's target userbase. Furthermore, for a time, [[RapidShare]] free users had to get past a CAPTCHA where you had to only enter letters attached to a cat, while others were attached to dogs.<ref>{{cite web |author=David |url=http://www.randomwire.com/2008/06/04/attached-to-a-captcha/ |title=Attached to a Captcha |publisher=randomwire.com |date=4. lipnja 2008. |accessdate=2008-12-21}}</ref> This was later removed because users had trouble entering the correct letters.


Image recognition CAPTCHAs face many potential problems which have not been fully studied. It is difficult for a small site to acquire a large dictionary of images which an attacker does not have access to and without a means of automatically acquiring new labelled images, an image based challenge does not meet the definition of a CAPTCHA. KittenAuth, by default, only had 42 images in its database.<ref name="kittenauth" /> Microsoft's "Asirra," which it is providing as a free web service, attempts to address this by means of Microsoft Research's partnership with [[Petfinder.com]], which has provided it with more than three million images of cats and dogs, classified by people at thousands of US animal shelters.<ref>[http://research.microsoft.com/asirra/ Asirra] from [[Microsoft Research]] ([[Portable Document Format|PDF]])</ref> Unfortunately for Microsoft, researchers claim to have written a program than can break the Microsoft Asirra CAPTCHA.<ref>{{cite paper|first=Philippe |last=Golle|url=http://crypto.stanford.edu/~pgolle/papers/dogcat.html |title=Machine Learning Attacks Against the Asirra CAPTCHA |publisher=Stanford Crypto |date= |accessdate=2008-12-21}}</ref>
Image recognition CAPTCHAs face many potential problems which have not been fully studied. It is difficult for a small site to acquire a large dictionary of images which an attacker does not have access to and without a means of automatically acquiring new labelled images, an image based challenge does not meet the definition of a CAPTCHA. KittenAuth, by default, only had 42 images in its database.<ref name="kittenauth" /> Microsoft's "Asirra," which it is providing as a free web service, attempts to address this by means of Microsoft Research's partnership with [[Petfinder.com]], which has provided it with more than three million images of cats and dogs, classified by people at thousands of US animal shelters.<ref>[http://research.microsoft.com/asirra/ Asirra] from [[Microsoft Research]] ([[Portable Document Format|PDF]])</ref> Unfortunately for Microsoft, researchers claim to have written a program than can break the Microsoft Asirra CAPTCHA.<ref>{{cite paper |first=Philippe |last=Golle |url=http://crypto.stanford.edu/~pgolle/papers/dogcat.html |title=Machine Learning Attacks Against the Asirra CAPTCHA |publisher=Stanford Crypto |accessdate=2008-12-21}}</ref>


Human solvers are a potential weakness for strategies such as Asirra. If the database of cat and dog photos can be downloaded, then paying workers $0.01 to classify each photo as either a dog or a cat means that almost the entire database of photos can be deciphered for $30,000. Photos that are subsequently added to the Asirra database are then a relatively small data set that can be classified as they first appear. Causing minor changes to images each time they appear will not prevent a computer from recognizing a repeated image as there are robust image comparator functions (e.g., [[hash function|image hashes]], [[color histogram]]s) that are insensitive to many simple image distortions. Warping an image sufficiently to fool a computer will likely also be troublesome to a human.<ref>[http://research.microsoft.com/asirra/papers/CCS2007.pdf Asirra: A CAPTCHA that Exploits Interest-Aligned Manual Image Categorization] from [[Microsoft Research]] ([[Portable Document Format|PDF]])</ref>
Human solvers are a potential weakness for strategies such as Asirra. If the database of cat and dog photos can be downloaded, then paying workers $0.01 to classify each photo as either a dog or a cat means that almost the entire database of photos can be deciphered for $30,000. Photos that are subsequently added to the Asirra database are then a relatively small data set that can be classified as they first appear. Causing minor changes to images each time they appear will not prevent a computer from recognizing a repeated image as there are robust image comparator functions (e.g., [[hash function|image hashes]], [[color histogram]]s) that are insensitive to many simple image distortions. Warping an image sufficiently to fool a computer will likely also be troublesome to a human.<ref>[http://research.microsoft.com/asirra/papers/CCS2007.pdf Asirra: A CAPTCHA that Exploits Interest-Aligned Manual Image Categorization] from [[Microsoft Research]] ([[Portable Document Format|PDF]])</ref>


== Collateral benefits ==
== Collateral benefits ==
Some of the original inventors of the CAPTCHA system have implemented a means by which some of the effort and time spent by people who are responding to challenges can be harnessed as a distributed work system. This system, called [[reCAPTCHA]], works by including "solved" and "unrecognized" elements (images which were not successfully recognized via [[optical character recognition|OCR]]) in each challenge. The respondent thus answers both elements and roughly half of his or her effort validates the challenge while the other half is captured as work<ref>{{cite journal | author = Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham and Manuel Blum | date= 2008 | url = http://www.cs.cmu.edu/~biglou/reCAPTCHA_Science.pdf| format = PDF | title = reCAPTCHA: Human-Based Character Recognition via Web Security Measures| journal=Science | volume=321 | pages=1465–1468}}</ref>.
Some of the original inventors of the CAPTCHA system have implemented a means by which some of the effort and time spent by people who are responding to challenges can be harnessed as a distributed work system. This system, called [[reCAPTCHA]], works by including "solved" and "unrecognized" elements (images which were not successfully recognized via [[optical character recognition|OCR]]) in each challenge. The respondent thus answers both elements and roughly half of his or her effort validates the challenge while the other half is captured as work.<ref>{{cite journal |author=Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham and Manuel Blum |year=2008 |url=http://www.cs.cmu.edu/~biglou/reCAPTCHA_Science.pdf |format=PDF |title=reCAPTCHA: Human-Based Character Recognition via Web Security Measures |journal=Science |volume=321 |pages=1465–1468}}</ref>


== See also ==
== See also ==
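Review bot: the Asirra paragraph still reads "a program than can break" on both sides of this change; since the revision already edits that line's citation template, correct it to "that can break" in the same pass. The first paragraph also keeps "To date, only [[rapidshare]] made use of an image based CAPTCHA" directly ahead of a description of KittenAuth, which contradicts it, and these paragraphs remain in English although the section headings further down are Croatian.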
Redak 121: Redak 110:
== Izvori ==
== Izvori ==
<!-- See [[Wikipedia:Footnotes]] for instructions. -->
<!-- See [[Wikipedia:Footnotes]] for instructions. -->
{{izvori|2}}
{{izvori|30em}}


== Vanjske poveznice ==
== Vanjske poveznice ==
Redak 128: Redak 117:


[[Kategorija:Računarstvo]]
[[Kategorija:Računarstvo]]

[[ar:كابتشا]]
[[bg:CAPTCHA]]
[[bs:CAPTCHA]]
[[ca:Test de CAPTCHA]]
[[cs:CAPTCHA]]
[[da:CAPTCHA]]
[[de:CAPTCHA]]
[[en:CAPTCHA]]
[[eo:CAPTCHA]]
[[es:Captcha]]
[[fa:کپچا]]
[[fi:Kuvavarmennus]]
[[fr:CAPTCHA]]
[[gl:CAPTCHA]]
[[he:CAPTCHA]]
[[hu:Captcha]]
[[hy:CAPTCHA]]
[[id:CAPTCHA]]
[[is:CAPTCHA]]
[[it:CAPTCHA]]
[[ja:CAPTCHA]]
[[kk:CAPTCHA]]
[[ko:CAPTCHA]]
[[lt:CAPTCHA]]
[[lv:CAPTCHA]]
[[ml:കാപ്ച്ച]]
[[ms:CAPTCHA]]
[[nl:Captcha]]
[[no:CAPTCHA]]
[[pl:CAPTCHA]]
[[pt:CAPTCHA]]
[[ro:CAPTCHA]]
[[ru:CAPTCHA]]
[[scn:CAPTCHA]]
[[simple:CAPTCHA]]
[[sr:Стопка]]
[[sv:Robotfilter]]
[[ta:காப்ட்சா]]
[[th:แค๊ปท์ชา]]
[[tr:CAPTCHA]]
[[uk:CAPTCHA]]
[[uz:CAPTCHA]]
[[vi:CAPTCHA]]
[[zh:验证码]]
[[zh-min-nan:Captcha]]

Latest revision as of 20 February 2022, 17:01

Early "CAPTCHA" tests like these, generated with the EZ-Gimpy program, were used by Yahoo!. However, technology has been developed to read this type of CAPTCHA test.[1]
A modern CAPTCHA does not try to create a distorted background and warped text; instead it focuses on making segmentation harder by adding curved lines.
Another way to make segmentation harder is to crowd the symbols together. This is the form of CAPTCHA currently used by Yahoo!. It can be hard to read even for some people, so in this example it is hard to say whether the left word is "klopsh" or "kbpsh".

CAPTCHA or Captcha (/ˈkæptʃə/) is a type of challenge-response authentication used in computing to determine whether the user is a human or a computer, with the aim of denying access to malicious computer programs. The process usually involves one computer (a server) asking the user to complete a simple test that the computer can generate and grade. The assumption is that another computer is unable to solve the test, so any user who enters the correct answer is considered human. Common CAPTCHA tests ask the user to type several symbols (usually letters and/or digits) shown in an image that is distorted in some way. For this reason it is sometimes called a "reverse Turing test", because it involves a machine aiming to recognize humans, unlike the original Turing test, which is administered by humans to recognize computers.

The acronym CAPTCHA was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper (all of Carnegie Mellon University), and John Langford (then at IBM). It stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

Carnegie Mellon University tried to trademark the word,[2] but abandoned the application on 21 April 2008.[3] Currently, the creators of CAPTCHA recommend using reCAPTCHA as the official implementation.[4]

Characteristics

A CAPTCHA system is a means of automatically generating new challenges which:

  • current software is unable to solve accurately
  • most humans can solve
  • do not rely on the type of CAPTCHA being new to the attacker

Although a checkbox "click here if you are not a bot" can serve to distinguish humans from computers, it is not a CAPTCHA because it relies on the fact that an attacker has not spent some time to break that particular form. "Click here" methods are very easy to defeat.

Withholding the algorithm can increase the integrity of a limited set of systems, as in the practice of security through obscurity. The most important factor in deciding whether the algorithm should be open or restricted is the size of the system.

Although an algorithm that survives scrutiny by security experts may be considered conceptually more secure than an unevaluated algorithm, unevaluated algorithms specific to a limited number of systems are also less interesting to those engaging in abuse. Breaking a CAPTCHA usually requires some effort specific to that particular CAPTCHA implementation, so a person planning abuse may conclude that the CAPTCHA is not worth the effort.

History

Moni Naor was the first to theorize about ways of verifying whether a request comes from a person or from a bot.[5] A primitive CAPTCHA test was developed in 1997 by Andrei Broder, Martin Abadi, Krishna Bharat and Mark Lillibridge to prevent Internet bots from adding URLs to their search engine.[6]

To make the images more resistant to OCR (optical character recognition), the team simulated situations, using examples from a scanner manual that showed characters misread by OCR. In 2000, Luis von Ahn and Manuel Blum coined the term 'CAPTCHA', which covered any general program for telling humans apart from computers. They devised multiple examples of CAPTCHAs, including the first widely used CAPTCHAs, those initially used by Yahoo!.

Applications

CAPTCHAs are used to prevent automated software from performing actions that degrade the quality of a given system, whether through abuse or through resource consumption. CAPTCHAs can protect systems vulnerable to e-mail spam, such as the webmail services Gmail, Hotmail, and Yahoo! Mail.

CAPTCHAs have so far been actively used to prevent automated posting to blogs, Internet forums and wikis, whether for commercial promotion or for harassment and vandalism (trolling).

CAPTCHAs are also used as a limiter on excessive resource use: for example, when a user performs too many actions per unit of time, they can be required to solve a CAPTCHA test before continuing.

Accessibility

Because CAPTCHAs rely on visual perception, users who cannot read a CAPTCHA (because of various limitations, e.g. reading difficulties) will be unable to pass the test. Websites that use a CAPTCHA can therefore offer the user an audio test alongside the visual one, which is also the official recommendation on the CAPTCHA site. This combination is the most accessible CAPTCHA test available so far.

Attempts to make CAPTCHAs more accessible

However, even audio and visual CAPTCHA tests may be insufficient for some users, for example those who are both blind and deaf. Attempts include asking simple mathematical questions ("What is 1+1?") or questions to which everyone knows the answer ("What color is the sky on a clear day?"). However, these tests fail some basic requirements, such as automatic generation, and an experienced attacker defeats them easily. These tests therefore cannot be called CAPTCHAs, because they do not provide the security that a CAPTCHA provides.

Circumvention

There are several approaches to attempting to circumvent a CAPTCHA:

  • exploiting bugs that allow the attacker to bypass the CAPTCHA test completely,
  • improving character recognition software, or
  • using cheap human labor to pass the tests (human-based computation)
  • brute force: multiple repeated attacks

Insecure implementation

As with any other security system, design flaws can prevent the theoretical security from being achieved in practice. Many CAPTCHA implementations, especially those that have not been reviewed by security experts, are vulnerable to attack.

Some CAPTCHA protection systems can be bypassed without using OCR, simply by reusing the session ID of a known CAPTCHA image.

A correctly designed CAPTCHA does not allow multiple attempts at passing one test. This prevents the reuse of correctly solved tests and guessing over several attempts after a failed test.[7] Other CAPTCHA implementations use a hash (such as an MD5 hash) of the solution as a key sent to the client to validate the CAPTCHA. Sometimes the CAPTCHA is so small that its hash can be cracked.[8]

Furthermore, the hash can assist an OCR-based attempt to break it. A more secure scheme would use an HMAC.

Finally, some CAPTCHA implementations use a finite (small) number of images. Over time, once an attacker has collected enough images, the CAPTCHA can be broken by simply comparing the hash of the CAPTCHA with the hash of one of the stored images.
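The single-attempt rule and the HMAC recommendation above, as an added Python example that is not part of the original article: the unkeyed MD5 token beside a keyed token that expires and is burned on its first attempt. The function names, the token layout, the 120-second lifetime and the in-memory set are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # server-side key; never leaves the server
TTL = 120                # seconds a challenge stays valid (assumed value)
_redeemed = set()        # nonces already answered; assumed in-memory store


def weak_token(solution):
    """Weak scheme from the text: unkeyed MD5 of the answer, sent to the client."""
    return hashlib.md5(solution.lower().encode()).hexdigest()


def _mac(label, *parts):
    """Keyed tag over a labelled message, so the two tags cannot be swapped."""
    msg = "|".join((label,) + parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue(solution, now=None):
    """Return the token placed in the form next to the CAPTCHA image."""
    nonce = os.urandom(16).hex()
    expires = str(int(time.time() if now is None else now) + TTL)
    auth = _mac("auth", nonce, expires)                     # proves the server issued it
    tag = _mac("answer", nonce, expires, solution.lower())  # binds answer to this challenge
    return "|".join((nonce, expires, auth, tag))


def verify(token, answer, now=None):
    """Allow one attempt per challenge; wrong, late or replayed answers fail."""
    now = time.time() if now is None else now
    try:
        nonce, expires, auth, tag = token.split("|")
        deadline = int(expires)
    except ValueError:
        return False
    # Forged or altered tokens are rejected before any state changes.
    if not hmac.compare_digest(auth.encode(), _mac("auth", nonce, expires).encode()):
        return False
    if now > deadline or nonce in _redeemed:
        return False
    _redeemed.add(nonce)  # burn the challenge on the first attempt, right or wrong
    expected = _mac("answer", nonce, expires, answer.lower())
    return hmac.compare_digest(tag.encode(), expected.encode())
```

Because the tag is keyed, a client holding the token cannot test candidate answers offline the way it can against the bare MD5 value; every guess has to go through `verify`, which spends the challenge.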

Computer character recognition

A number of research projects have been carried out with the aim of breaking visual CAPTCHA tests, and some of them have been successful. The programs that broke CAPTCHAs rely on the following functions:

  1. Noise reduction: removing background noise
  2. Segmentation (image processing): splitting the image into regions that each contain a single character
  3. Classification: identifying the character in each region

Steps 1 and 3 are easy tasks for computers.[9] The only step where humans still outperform computers is segmentation.


References

  1. Greg, Mori; Malik, Jitendra. Breaking a Visual CAPTCHA. Simon Fraser University. Retrieved 21 December 2008.
  2. Computer Literacy Tests: Are You Human?. Time (magazine). Archived from the original on 30 April 2009. Retrieved 8 July 2009. The Carnegie Mellon team came back with the CAPTCHA. (It stands for "completely automated public Turing test to tell computers and humans apart"; no, the acronym doesn't really fit.) The point of the CAPTCHA is that reading those swirly letters is something that computers aren't very good at.
  3. Latest Status of CAPTCHA Trademark Application. USPTO. 21 April 2008. Retrieved 21 December 2008.
  4. reCAPTCHA homepage. Captcha.net. Archived from the original on 4 April 2012. Retrieved 21 December 2008.
  5. Moni Naor. July 1996. Verification of a human in the loop or Identification via the Turing Test (PS) (thesis). Retrieved 6 July 2008.
  6. US Patent no. 6,195,698, "Method for selectively restricting access to computer systems"
  7. Breaking CAPTCHAs Without Using OCR. Howard Yeend (pureMango.co.uk). 2005. Archived from the original on 25 June 2017. Retrieved 22 August 2006.
  8. Online services allow MD5 hashes to be cracked. Archived from the original on 28 February 2009. Retrieved 4 January 2007.
  9. Kumar Chellapilla, Kevin Larson, Patrice Simard, Mary Czerwinski. 2005. Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs) (PDF) (thesis). Microsoft Research. Retrieved 2 August 2006.

External links

Wikimedia Commons has more media related to Captcha