
Hi everybody, I am developing an image captcha system as a side project, something like hCaptcha/reCAPTCHA (image classification/object localization).

I have a few questions regarding the security of such a system.

  1. Is it acceptable to use pseudo-random number generators for choosing labels (e.g. crosswalk, car in Recaptcha) or shuffling images?

  2. Is it acceptable to send encrypted answers to the browser to remain stateless? Fernet encryption was suggested to me as a good baseline in another StackOverflow post. I could use a sticky session and generate an encryption key at the start of the process, and the key might not be stored anywhere other than RAM.

  • For 2, it really depends on how you implement the encryption. If you don't change the key for every request, an attacker could solve one captcha and replay it infinitely many times. – nobody Feb 11 '22 at 18:20
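As an added example (not from the question, the comment, or any answer), here is one way to build the stateless design from question 2 while handling the replay concern raised in the comment. It uses only the Python standard library, so it swaps the Fernet encryption the asker mentions for a keyed HMAC commitment to the answer set, which the browser cannot read or brute-force without the server key; the label set, image pool and key are constructed for the example and are not from the page. It also uses the OS CSPRNG for label choice and image shuffling, which is the usual answer to question 1.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a fresh per-process key. A real deployment loads
# it from a secret store and rotates it; every token is bound to it via HMAC.
SERVER_KEY = secrets.token_bytes(32)

# Question 1: draw labels and shuffle images from the OS CSPRNG (secrets /
# SystemRandom), not random.Random, so an attacker cannot predict the choices.
_rng = secrets.SystemRandom()

# The token below keeps the challenge data stateless, but blocking replay needs
# one piece of state: the set of challenge ids already consumed. In production
# this is a TTL-bounded cache keyed on the challenge id, not a process-local set.
_consumed_ids = set()


def _b64encode(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64):
    # Integrity tag over the encoded payload; a tampered token fails here.
    return hmac.new(SERVER_KEY, payload_b64.encode("ascii"), hashlib.sha256).hexdigest()


def _commit(challenge_id, selected):
    # Keyed commitment to the answer set, bound to this challenge id. Without
    # SERVER_KEY the client cannot test candidate answer sets against it.
    msg = challenge_id.encode() + b"|" + ",".join(sorted(set(selected))).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(image_pool, grid=9, ttl_seconds=120, now=None):
    """image_pool maps image_id -> ground-truth label (kept server side only).
    Returns the signed token the client must echo back with its selection."""
    now = time.time() if now is None else now
    image_ids = list(image_pool)
    _rng.shuffle(image_ids)                      # CSPRNG-backed shuffle
    shown = image_ids[:grid]
    labels_present = sorted({image_pool[i] for i in shown})
    label = _rng.choice(labels_present)          # CSPRNG-backed label choice
    answer = {i for i in shown if image_pool[i] == label}
    challenge_id = secrets.token_urlsafe(16)     # unique per challenge
    payload = {
        "id": challenge_id,
        "exp": int(now) + ttl_seconds,           # bounded lifetime
        "label": label,
        "images": shown,                         # the order the client renders
        "ans": _commit(challenge_id, answer),    # commitment, not the answer
    }
    payload_b64 = _b64encode(json.dumps(payload, separators=(",", ":")).encode())
    return payload_b64 + "." + _sign(payload_b64)


def parse_token(token):
    """Returns the payload dict if the signature verifies, otherwise None."""
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    try:
        return json.loads(_b64decode(payload_b64))
    except ValueError:
        return None


def verify_response(token, selected, now=None):
    """Returns (accepted, reason). A challenge id is consumed on its first
    verification attempt, right or wrong, so one solve cannot be replayed
    and a wrong guess cannot be retried against the same challenge."""
    now = time.time() if now is None else now
    payload = parse_token(token)
    if payload is None:
        return False, "bad signature"
    if now > payload["exp"]:
        return False, "expired"
    if payload["id"] in _consumed_ids:
        return False, "replayed"
    _consumed_ids.add(payload["id"])
    if not set(selected) <= set(payload["images"]):
        return False, "unknown image id"
    if hmac.compare_digest(payload["ans"], _commit(payload["id"], selected)):
        return True, "ok"
    return False, "wrong answer"
```

The point the comment makes survives any key-rotation scheme: as long as a token stays valid, it can be submitted again unless the server remembers that it was already used. Rotating the key per request shortens the window but does not close it, whereas a unique challenge id with a short expiry and a single-use registry does, and the registry only needs to hold ids until they expire.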

0 Answers