
Lack of interest jQuery Draggable Captcha

Floren

Well-known member
#1

Forsaken

Well-known member
#2
I was wondering if we could implement a draggable captcha into XenForo.
It is very elegant and provides a better alternative, compared to the default captcha.

Few examples:
http://www.webdesignbeach.com/beachbar/ajax-fancy-captcha-jquery-plugin
http://demos.myjqueryplugins.com/qaptcha/
http://www.josscrowcroft.com/demos/motioncaptcha/
http://sitehelp.com.au/demos/dragcaptcha.php

My preferred one is MotionCaptcha. Simple and elegant.
This won't stop bots for long because it's easy enough to detect the shape and trace it.

It also brings up usability issues for people with sight disabilities; while it won't affect the majority, it makes registration impossible for those that cannot see or have issues seeing.
 

Arantor

Active member
#3
It's worse than that, actually. Most of them don't even require tracing.

I won't point out the exact details but let's just quickly examine them. Remember: bots won't be using JavaScript and all the fancy rules that you can implement against 'users' suddenly become irrelevant. Bots are also quite capable of sending AJAX requests these days.

ajax-fancy-captcha: When the CAPTCHA is loaded, an AJAX call is required. All a bot has to do is identify the CAPTCHA in use and it will trivially know how to query the server to get the answer to submit the second time.

qaptcha: A server just has to identify which CAPTCHA it is, and identify one variable within the <form> and make an AJAX call with that to set up a session variable, then update one variable in the POST variables before sending onwards.

motioncaptcha: The form's action variable is removed but it's buried inside the form itself for the CAPTCHA to insert it... there's no security here. There's no server side component whatsoever so you're *totally* reliant on the form variable not being found by a bot.

dragcaptcha: Again, totally on the client side. Bots will totally ignore this.
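
The weaknesses described in post #3 come down to the answer, or the check itself, living where the client can reach it. As an added illustration (not part of the thread, and not code from XenForo or any of the linked plugins), this Node.js example keeps the expected answer on the server, consumes each challenge on first use, and runs the check inside the form handler. The function names, form field names and in-memory store are assumptions.

```javascript
// Added example; all names and the in-memory store are hypothetical.
const crypto = require('node:crypto');

const TTL_MS = 2 * 60 * 1000;
const pending = new Map(); // challenge id -> { answer, expires }; server-side only

// Called when the form is rendered. `answer` is the solution of the challenge
// the server is about to render (for example, which shape must be dragged).
// Only the random id goes into the page; the answer is never sent to the client.
function issueChallenge(answer, now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  pending.set(id, { answer: String(answer), expires: now + TTL_MS });
  return id;
}

// Fixed-length digests let timingSafeEqual compare strings of any length.
function sameString(a, b) {
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// A challenge is consumed on first use, right or wrong, so an id cannot be
// replayed or reused to try every possible answer.
function verifyChallenge(id, submitted, now = Date.now()) {
  const entry = pending.get(id);
  pending.delete(id);
  if (!entry || typeof submitted !== 'string' || now > entry.expires) {
    return false;
  }
  return sameString(entry.answer, submitted);
}

// The check runs inside the handler that performs the action, so a client
// that never loads the widget and posts directly is still rejected.
function handleRegistration(form, now = Date.now()) {
  if (!verifyChallenge(form.captchaId, form.captchaAnswer, now)) {
    return { status: 403, created: false };
  }
  return { status: 200, created: true, user: form.username };
}
```

In a multi-process deployment the `pending` map would be replaced by the session store or a shared cache; the properties that matter are that the answer stays server-side and each id is single-use.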