Sunday, May 04, 2008

Google CAPTCHA broken

CAPTCHAs are those annoying little images that we now have to use to stop spammers from creating free e-mail accounts on the Internet. Gmail has, for several years now, been considered a "safe haven" free e-mail address site where only manual signups were possible. This was made possible via Google's own homegrown CAPTCHA technology. But now it has been broken:

Article on The Register

Google actually uses its own CAPTCHA technology across multiple sites. For instance, Blogger requires filling out a CAPTCHA when posting comments on blog entries or creating an account, and that CAPTCHA, unfortunately, is the Google CAPTCHA.

What triggered this post is something I heard combined with a recent comment on an older blog posting.

At the top of every blog on Blogger is a little "Flag This Blog" button. I suspect that if enough people click it, Blogger declares the blog spam, or at least it factors in. Other factors could include sudden bursts in traffic and maybe actual analysis of the blog entries themselves. I'm assuming the person has to be logged in to use the button, which means they have to have passed the Google CAPTCHA. If they don't have to be logged in, this paragraph will make me look really silly.

At any rate, what I want to talk about is when to use third-party components instead of rolling your own. The authors of the original CAPTCHA have a pretty good idea of how spammers think and operate, and they have created reCAPTCHA. Programmers tend to think, "I'm going to reinvent the wheel regardless of what is out there already." Google has a lot of people who think that the world will end if they don't build it themselves.

When I was looking to implement a CAPTCHA plugin for MyProBB, I first went looking around for the best CAPTCHA I could find. reCAPTCHA quickly came to the top of my list. It is secure (public/private keys), the concepts seem fairly sound, its authors are the creators of the original CAPTCHA (so they know what they are doing), it helps make the Internet a better place (it digitizes books), it has lots of features, it looks good, it has the right amount of visual "pop", it is free (a nice plus but not important), and it is hosted on mostly neutral territory (an educational institution vs. a corporation). Plus, implementing it is super easy. The end result is that the reCAPTCHA plugin is the simplest MyProBB plugin in terms of complexity - it makes a pretty good example plugin to learn from if you want to write new plugins for MyProBB.
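To show what "super easy" amounts to on the server side, here is an added example that is not the MyProBB plugin's code and not from the original post. It assumes the current reCAPTCHA `siteverify` endpoint with its `secret`, `response` and `remoteip` parameters (which post-date this 2008 post) and a hypothetical injectable transport so the check can be exercised offline against constructed replies; the point it illustrates is that the private key stays on the server and that any failure to get a positive answer is treated as a failed check.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# reCAPTCHA server-side verification endpoint (the current "siteverify" API,
# assumed here; the 2008 post used an earlier API with the same shape of check).
VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Transport hook (hypothetical, for this example): (url, form body) -> reply bytes.
Transport = Callable[[str, bytes], bytes]


def http_post(url: str, body: bytes) -> bytes:
    """Default transport: a real HTTPS POST with a short timeout."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def verify_recaptcha(secret: str, response_token: str,
                     remote_ip: Optional[str] = None,
                     transport: Transport = http_post) -> bool:
    """Return True only when the hosted service explicitly confirms the token.

    The secret (private) key never leaves the server; the browser only sees the
    public site key. An empty token, a transport error, a non-JSON reply or a
    reply whose "success" is anything but the JSON literal true all fail closed.
    """
    if not response_token:
        return False
    params = {"secret": secret, "response": response_token}
    if remote_ip:
        params["remoteip"] = remote_ip
    body = urllib.parse.urlencode(params).encode()
    try:
        reply = json.loads(transport(VERIFY_URL, body))
    except (OSError, ValueError):
        return False
    return isinstance(reply, dict) and reply.get("success") is True


def canned(reply: bytes) -> Transport:
    """Constructed transport that returns a fixed reply (offline demonstration)."""
    return lambda url, body: reply


if __name__ == "__main__":
    # SECRET-PLACEHOLDER stands in for the site's private key.
    print(verify_recaptcha("SECRET-PLACEHOLDER", "tok",
                           transport=canned(b'{"success": true}')))
```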

Google programmers could learn a lot from me. Doing it yourself is not always a brilliant decision. Obviously, if Google relied on the reCAPTCHA servers, that would be a bad idea (someone would take down those servers really fast), but Google might be able to license or buy the back-end source code for a hefty chunk of change.

1 comment:

  1. Yikes, didn't know it had been broken. I absolutely agree on using third-party implementations that have been tried and true. In my company, we integrate a lot of third-party products with our VoIP solutions (although we did implement our own SIP stack). In fact, when I first joined the place, my first task was to write installation/configuration modules to integrate things like Apache/Tomcat and other things into our products.