Comments on: PHP Screencast: Hidden Captcha

By: Free Cash Cafe World

Free Cash Cafe World — Sat, 10 Apr 2010 00:25:24 +0000

Nice blog, this a superb post

By: Rickey Fegurgur

Rickey Fegurgur — Fri, 05 Mar 2010 01:45:30 +0000

Hi, I found this article while searching for help with JavaScript. I have recently changed browsers from Safari to Mozilla Firefox 3.1. Just recently I seem to have a issue with loading JavaScript. Everytime I browse page that requires Javascript, my browser does not load and I get a “runtime error javascript.JSException: Unknown name”. I cannot seem to find out how to fix the problem. Any aid is very appreciated! Thanks

By: Rosita Bekerman

Rosita Bekerman — Sun, 21 Feb 2010 16:44:28 +0000

I will visit again for another new interesting topic..

By: » Using captcha without displaying it — VileWorks

» Using captcha without displaying it — VileWorks — Sat, 23 Jan 2010 17:39:37 +0000

[...] Update: I wrote/recorded a follow up post/screencast explaining how to implement the hidden captcha. [...]

By: Ryan Cullen

Ryan Cullen — Sat, 05 Dec 2009 12:48:29 +0000

The best anti spam and email hiding solutions are the ones you create yourself as bot authors can’t be bothered to break them. Only when they go big time is it worth the effort.

By: Stefan

Stefan — Sat, 19 Sep 2009 15:03:26 +0000

@david:

I've heard this before, that there are spambots able to evaluate JavaScript. On this website I've had the Hidden Captcha system for a few months and I did not have any spam comments since then. Not one. If there will be more spambots with JavaScript support in the future, than Akismet will have to be turned back on and used together with Hidden Captcha. But at least there won't be as many comments in the Akismet spam list that I'll have to manually check for false positives.

The number of people without JavaScript is very small, but still I'm not denying them the right to comment. They just have to fill in the captcha. It's a very small compromise I'm making.

Anyone please correct me if you think I'm wrong, but I am not taking into account people that have to use screen readers AND don't have JavaScript support. Because I'm convinced there are no such cases: lack of JavaScript AND the need for a screen reader for the same visitor seems to far fetched.

If a bot can’t execute javascript why not remove the captcha input field? There is no need to give check the right value if you add the right value via javascript, is there? Just check if the field is present in the posted data or not.

Not sure if I'm getting this right, but if you mean using JavaScript to remove the captcha input field and then checking its presence on the server, then this wouldn't allow people without JavaScript to comment, would it?

By: david

david — Sat, 19 Sep 2009 09:14:03 +0000

If you base your idea on the fact that bots can’t execute javascript, the captcha is only needed for people who have javascript disabled. So if a bot has the ability to execute javascript it passes as a human while people with screenreaders and text only browsers will be marked as bots.

I think you better use a sentence with basic math than a captcha. Or a link to a random audio file with the correct field input.

If a bot can’t execute javascript why not remove the captcha input field? There is no need to give check the right value if you add the right value via javascript, is there? Just check if the field is present in the posted data or not.

By: Stefan

Stefan — Fri, 18 Sep 2009 00:18:39 +0000

@Josh L: Funny thing, I was talking in the article about Akismet's false positives and how this would allow me to deactivate Akismet. But I haven't actually deactivated it -- until I saw 1 spam comment today: yours. Obviously a false positive. My Akismet plugin is now deactivated. Don't call me obscure. You're obscure. Kiddin'. Thanks for telling me about the Security through obscurity principle, didn't know it actually had a name. And yes, to some degree, that's what I'm doing. Here's an example of how one could complicate the JavaScript to make it harder for a spam bot that can't evaluate JS code to get to the secret string:

secret  = '' + '';
secret += '' + '';
document.getElementsByName('code')[0].value = secret + '';

instead of simply:

document.getElementsByName('code')[0].value = '';

...Just adding to the obscurity.

By: Josh L

Josh L — Tue, 15 Sep 2009 00:14:54 +0000

Great idea. Regardless of effectiveness, to me the important thing is that people like yourself are creating alternatives, without which innovation is impossible. But Bartek does have a good point, which is that you are achieving something akin to security through obscurity. Your technique itself is not more secure (it is arguably not secure at all), the security comes from the fact that almost no one is going to write a comment bot for a single obscure website. Imagine that you're immigrating along the Oregon Trail, and that your wagon has decoration which implies you are carrying gold. When bandits target such wagons, they simply set fire to the wagon then retrieve their spoils. What you have done is the equivalent of removing the decorations that suggest gold, so the bandits decide not to target you in the first place. But if they did decide to target you, your wagon is not any less susceptible to fire.

By: Stefan

Stefan — Mon, 14 Sep 2009 13:39:11 +0000

@Bartek: I know the answer's in the HTML... But if anyone writes a bot that can find the answer (not very likely unless Hidden Captcha becomes as popular as Captcha itself, but still) it's just a matter of changing the JavaScript around so that it does the same thing, but the code is written differently.