2

The Asirra project is a Captcha alternative that shows you pictures of kittens and puppies to fend off bots and prove that the end user is a human.

Is anyone using Asirra (or something similar) in production? What alternatives are you aware of?

http://research.microsoft.com/en-us/um/redmond/projects/asirra/installation.aspx

Although I'd like to use images other than kittens, I noticed that from an implementation standpoint it's entirely managed through client-side JavaScript. I would think that this type of solution would be easily cracked with a manually invoked form.submit method.

Is this technique common in the Captcha world? Is there a way to control the logic at the server side?

What are your thoughts on its implementation, alternatives, and how a more secure version could be made?

makerofthings7
  • Google can recognise what is in an image, so surely that could be done with bots. – figgyc Sep 29 '13 at 16:16
  • IMO the idea itself is flawed. You'd need a large categorized database to make this feasible, but I see no efficient way to generate such a database. A small database (e.g. with 3 million images) can be categorized in its entirety by a spammer paying a few thousand dollars to people in low-wage countries. After that you can use bots again. – CodesInChaos Oct 01 '13 at 10:56

5 Answers

8

Not relating specifically to Asirra, but wrt CAPTCHA in general, I will elaborate on @Graham's point and direct you to the following links:

In case you're lazy here are the highlights...
The 3 general ways of breaking CAPTCHAs are:

  • Broken implementation (e.g. wrong configuration, wrong settings, static images, exposing the answer, etc.) - but probably does not apply to Asirra, unless it's configuration-dependent
  • Inherent reverse-computability - If you can build a program to blur something that is still readable, I can build one to unblur it. I.e., OCR is pretty darn good, at least if the image is readable by a human.
  • Putting a human in the mix, either by:
    • CAPTCHA farms: paying someone a small amount of money; there is a MARKET for this: I've seen advertised on eBay packages of 1000 CAPTCHAs "solved" for $4, with a matching reliability % SLA
    • CAPTCHA Proxies, e.g. you can access pr0n if you solve this CAPTCHA... or even make a game out of it.

To sum up (as I've often done on this topic):

CAPTCHA tries to solve the wrong problem, and it does it badly: even if it worked perfectly, the problem is not "I want to identify who is a computer and who is a human and allow only humans to use my site however they want", but rather "I want to prevent misuse and flooding on my site".
We shouldn't be trying to Turing-test the users; we should be limiting what they could do.

Or even better:

Authentication (or identification) is a poor replacement for authorization.

AviD
  • Also, this came up on comp.risks today: http://www.wired.com/threatlevel/2010/11/wiseguys-plead-guilty/ –  Nov 28 '10 at 12:04
6

Any CAPTCHA mechanism can be subverted by finding a weak economy and giving people there a small amount of money to solve a large amount of CAPTCHAs.

2

Asirra does client-side validation just for convenience -- that is, so you can design a web page that prevents the form from being submitted without the captcha being solved. This prevents the annoyance of navigating away from a filled-out form only to be told the captcha failed.

In Asirra, as the installation page describes, the real security comes from the fact that the code you write on the back-end to do form processing has to also hit the Asirra service and make sure that the form was submitted with a valid ticket that is given out to clients only when the challenge has been solved.

Of course, as the posters above describe, this "security" only really says that someone or something has identified 12 pictures as cats/dogs. There isn't a good way to know, for example, if the photos were actually solved by some advanced AI or by a guy in China working for $3/hr (see PixProfit.com).
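A minimal back-end handler in the spirit of this answer, as an added example rather than Asirra's own code: the server validates the ticket itself (and only once), so bypassing the client-side JavaScript gains nothing. The validation URL and the JSON reply shape are assumptions, and the network call is injected so the rejection paths can be exercised offline.

```python
# Added example, not Asirra's code. The endpoint and reply format below are
# assumptions (placeholders), not the documented Asirra API.
import json
import urllib.parse
import urllib.request

# Hypothetical validation endpoint (placeholder, not the real Asirra URL).
ASIRRA_VALIDATE_URL = "https://ASIRRA-SERVICE.example/validate"


def validate_with_asirra(ticket: str, timeout: float = 5.0) -> bool:
    """Ask the CAPTCHA service whether `ticket` is valid (assumed JSON reply)."""
    query = urllib.parse.urlencode({"ticket": ticket})
    url = f"{ASIRRA_VALIDATE_URL}?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp).get("valid") is True


class FormHandler:
    """Server-side form processing: the submission is accepted only after the
    server's own check of the ticket, never on the word of the browser."""

    def __init__(self, validator=validate_with_asirra):
        self._validate = validator
        self._used_tickets = set()  # one ticket, one submission (replay guard)

    def handle(self, form: dict) -> tuple:
        """Return (HTTP status, message) for a posted form dict."""
        ticket = form.get("asirra_ticket", "")
        if not ticket:
            # A hand-rolled form.submit() without a ticket gets nowhere.
            return 400, "missing captcha ticket"
        if ticket in self._used_tickets:
            return 403, "ticket already used"
        try:
            ok = self._validate(ticket)
        except OSError:
            return 503, "captcha service unavailable"  # fail closed, not open
        if not ok:
            return 403, "captcha not solved"
        self._used_tickets.add(ticket)
        return 200, f"accepted submission from {form.get('name', 'anonymous')}"
```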

1

The MSFT Ajax Toolkit has a captcha-free implementation that uses a variety of transparent means to verify a user. EXAMPLE DEMO

This is pretty intelligent code that may be incorporated into other systems for the ultra-bot-paranoid.

makerofthings7
0

Asirra is used by Microsoft's Club Bing. http://www.clubbing.com

http://decaptcher.com provides Asirra service but their service is very poor.

Eyal