[nfb-talk] Captcha, (I've had enough!)

John Heim john at johnheim.net
Fri Apr 15 17:34:22 UTC 2011


Just in case it's not clear, I didn't think up this validation scheme. I 
found out about this years ago when I went to a seminar about on-line 
security.  The speaker was talking about something called the "web of 
trust". The idea is that real live human beings make sure you are who you 
say you are in a face to face meeting. They sign documents for you which you 
then submit to the certificate authority when creating your account. Now 
that they know you (it's called being "assured"), you can in turn assure other 
people.  Groups of nerds sometimes have "key signing parties" where people 
get together over food & drinks and everyone who is not already assured gets 
their forms signed. It seems to me that this would be an ideal activity for 
an NFB convention.

My first key signing party was years and years ago and the speaker thought 
that by now, it would be a common authentication scheme on the internet. But 
as far as I know, the only place that uses it is the cacert.org web site 
itself.

----- Original Message ----- 
From: "Steve Jacobson" <steve.jacobson at visi.com>
To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
Sent: Friday, April 15, 2011 9:54 AM
Subject: Re: [nfb-talk] Captcha, (I've had enough!)


> John,
>
> Okay, this is clearer now.  Somehow I was thinking that the validation 
> would have to work in reverse but that isn't the case.  This does seem 
> like one more
> alternative to suggest.  I can't think of a case where my identity won't 
> be known anyway by sites presenting the CAPTCHA.
>
> Best regards,
>
> Steve Jacobson
>
> On Fri, 15 Apr 2011 09:08:09 -0500, John Heim wrote:
>
>>Well, there are no logical flaws in the system.  You couldn't do your
>>banking on-line if there were. Essentially, this certificate validation 
>>idea
>>is the same as what banks use. When you do your banking on line, your PC
>>asks the bank computer to prove it's who it says it is. That's done with a
>>certificate. Essentially, I'm proposing that we all do the same thing on 
>>our
>>computers that banks do on theirs.
>
>>Right off hand I don't remember the sequence of events in validating a
>>certificate. But a certificate is essentially just half of an encryption
>>key. You have to have both halves to make it work.  You would have a 
>>private
>>key that you would need to keep private.  The private half of the key 
>>could
>>be stolen by malware and web sites would have to have some way to
>>automatically revoke those. But I am sure most web sites already have a 
>>way
>>to automatically detect when an account has been taken over by a spammer 
>>and
>>automatically shut it down. There is no perfect scheme but the
>>certificate validation is more secure than a captcha.
>
>>I suspect that most web sites would prefer the certificate validation 
>>scheme
>>over the captcha scheme and the reason personal certificates haven't 
>>caught
>>on is that the web sites figure their customers will never go for them.
>>People don't understand certificates. While it's not hard to install a 
>>cert,
>>it's harder than solving a captcha (for most people). Plus, people still
>>think they're anonymous on the internet.  I just wish more sites would 
>>offer
>>it as an option. They could offer certificate validation as an alternative
>>to captcha for those of us who understand it and can't do captchas.
>
>>From: "Steve Jacobson" <steve.jacobson at visi.com>
>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>Sent: Thursday, April 14, 2011 2:59 PM
>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>
>
>>> John,
>>>
>>> I think that we may need to develop an approach to offer to websites, 
>>> and
>>> this may be one.  Another catch that I see is that it may never be the
>>> case that
>>> one could expect to get by a CAPTCHA because of inconsistent downloading
>>> of root certificates.  Still, it might be a way to reach some sort of
>>> solution with
>>> large sites that require CAPTCHAs.  Could a certificate be "stolen" by a
>>> disreputable web site?  I am guessing malware could do it, but could a 
>>> web
>>> site get
>>> enough information about your certificate when validating it against the
>>> root to use it somewhere else?  Thank you for the education.
>>>
>>> Best regards,
>>>
>>> Steve Jacobson
>>>
>>> On Thu, 14 Apr 2011 14:33:04 -0500, John Heim wrote:
>>>
>>>>Answering your questions one at a time...
>>>
>>>>1. wouldn't the site determine which type of certificate that would need
>>>>to
>>>>be submitted?
>>>
>>>>Yes, it would.  But a site could accept certificates from any number of
>>>>different certificate authorities.  A place that issues digital
>>>>certificates
>>>>is known as a certificate authority. It's a fairly simple process to add 
>>>>to
>>>>your list of recognized certificate authorities. Each certificate
>>>>authority
>>>>issues a special certificate known as a root cert. This root cert is 
>>>>then
>>>>used to validate the authenticity of certs issued by that certificate
>>>>authority. The process of recognizing a new certificate authority is
>>>>simply
>>>>to download the root cert for that authority and add it to your list of
>>>>known certificate authorities.
>>>
>>>>2. aren't there sources that would permit spammers to get certificates?
>>>
>>>>Yes. In fact, anyone can generate their own certificates.  But it 
>>>>doesn't
>>>>do
>>>>any good to generate a certificate if the person you're sending it to
>>>>doesn't have the root certificate.  If a certificate authority issued
>>>>certificates to spammers, you could stop accepting the certs they issue 
>>>>by
>>>>just deleting their root certificate.  Obviously, certificate 
>>>>authorities
>>>>are highly motivated to make sure people trust the certs they issue. If
>>>>not,
>>>>they're out of business.
>>>
>>>>3.  Is this process expensive?
>>>
>>>>No. It's essentially free not counting set up time, etc. But the software
>>>>itself and the root certs are free.
>>>
>>>>4. What's the catch?
>>>
>>>>I know you didn't ask this but it's a good question.  The catch is that 
>>>>the
>>>>certificate would allow web sites to track you all over the internet. If
>>>>you
>>>>downloaded some porn, did some banking, updated your facebook page,
>>>>downloaded some more porn, and then edited your own entry on wikipedia,
>>>>all
>>>>those sites could share information about you. They wouldn't necessarily
>>>>learn much from the certificate itself. But since a certificate 
>>>>positively
>>>>identifies you, they'd be able to share information with each other 
>>>>about
>>>>your web habits. Of course, anyone who still thinks they are anonymous 
>>>>on
>>>>the internet is fooling themselves anyway.  But this is the main reason
>>>>this
>>>>authentication method hasn't caught on. People don't want the web sites
>>>>they
>>>>visit to know who they are.
>>>
>>>>From: "Steve Jacobson" <steve.jacobson at visi.com>
>>>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>Sent: Thursday, April 14, 2011 1:47 PM
>>>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>
>>>
>>>>> John,
>>>>>
>>>>> This seems like an interesting approach to the problem.  I have a 
>>>>> couple
>>>>> of questions, though.
>>>>>
>>>>> In this case, wouldn't it be the web site that would be requesting a
>>>>> certificate, so wouldn't the site determine which type of certificate
>>>>> that
>>>>> would need to be
>>>>> submitted?  Also, while I understand the process for getting a
>>>>> certificate
>>>>> from the source you mentioned, aren't there other sources that would
>>>>> permit
>>>>> spammers to get certificates?  I will readily admit that this
>>>>> certificate
>>>>> process has always been a bit of a mystery to me.  Is this process
>>>>> expensive for a web
>>>>> site to implement, understanding that the generations of CAPTCHAs are 
>>>>> not
>>>>> free?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Steve Jacobson
>>>>>
>>>>> On Thu, 14 Apr 2011 13:06:28 -0500, John Heim wrote:
>>>>>
>>>>>>Well, the whole point of a captcha is that it is supposed to be something 
>>>>>>a
>>>>>>computer cannot recognize. If a computer recognizes it, then by
>>>>>>definition,
>>>>>>it is not a captcha.
>>>>>
>>>>>>Yes, I think it would be a very good idea for the NFB to work toward
>>>>>>getting
>>>>>>web designers to enable different authorization protocols. For 
>>>>>>example,
>>>>>>a
>>>>>>site could accept a digital certificate as authorization for a 
>>>>>>download.
>>>>>>The
>>>>>>web site could automatically ask the browser for a certificate and if 
>>>>>>it
>>>>>>has
>>>>>>one, the download could begin. This would all be transparent to the 
>>>>>>user
>>>>>>once they installed a certificate on their PC.
>>>>>
>>>>>>And it doesn't have to cost the end user a penny. There is at least 
>>>>>>one
>>>>>>place to get free digital certificates. It's called cacert.org (see
>>>>>>www.cacert.org). To get an account, you have to be "assured" by 2 
>>>>>>other
>>>>>>members or you have to have 2 notarized statements verifying your
>>>>>>identity.
>>>>>
>>>>>>If more places used this kind of authorization, we could create 
>>>>>>accounts
>>>>>>for
>>>>>>people at NFB conventions and show them how to install their
>>>>>>certificates.
>>>>>
>>>>>>----- Original Message ----- 
>>>>>>From: "Peter Donahue" <pdonahue2 at satx.rr.com>
>>>>>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>>>Sent: Wednesday, April 13, 2011 11:04 AM
>>>>>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>>
>>>>>
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>>    Audio captchas are of no use to the deaf-blind. For God's sake, if
>>>>>>> we
>>>>>>> can
>>>>>>> develop the technology that allowed us to put a blind guy behind the
>>>>>>> wheel
>>>>>>> of an automobile and drive it independently we should be able to 
>>>>>>> find
>>>>>>> a
>>>>>>> way
>>>>>>> to allow captchas to be recognized by screen readers while 
>>>>>>> protecting
>>>>>>> Web
>>>>>>> sites and such from the bad guys. The belief that the technology to 
>>>>>>> do
>>>>>>> this
>>>>>>> is not there doesn't wash with me.
>>>>>>>
>>>>>>> Peter Donahue
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message ----- 
>>>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>>>> Sent: Wednesday, April 13, 2011 8:38 AM
>>>>>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>>>>
>>>>>>>
>>>>>>> John, what's really bad, is if there are multiple blind people in a
>>>>>>> church denomination, and their site's contact form, or church 
>>>>>>> locator,
>>>>>>> are inaccessible.
>>>>>>> My organization's Website is like that.
>>>>>>> They have an audio file that's supposed to play the captcha, but it
>>>>>>> won't
>>>>>>> play.
>>>>>>> I'll post the Website here.
>>>>>>> www.upci.org
>>>>>>> I've contacted their IT department, but they have done nothing about
>>>>>>> this.
>>>>>>> Blessings, Joshua
>>>>>>>
>>>>>>> On 4/13/11, John Heim <john at johnheim.net> wrote:
>>>>>>>> A few months ago, the Department of Justice said that the ADA 
>>>>>>>> applies
>>>>>>>> to
>>>>>>>> web
>>>>>>>> sites. This is a big deal. Since the Department of Justice is
>>>>>>>> responsible
>>>>>>>> for enforcing laws like the ADA, if the Department of Justice says
>>>>>>>> the
>>>>>>>> ADA
>>>>>>>> applies to web sites, then it does.  A business would have to go to
>>>>>>>> court
>>>>>>>> to
>>>>>>>> show that the DOJ overstepped its bounds in making that
>>>>>>>> determination.
>>>>>>>> But
>>>>>>>> the burden of proof would be on them. Well, anyway, the point is 
>>>>>>>> that
>>>>>>>> CAPTCHAs are now illegal.
>>>>>>>>
>>>>>>>> IMO, this is one of the toughest issues we face. My own boss came 
>>>>>>>> to
>>>>>>>> me
>>>>>>>> yesterday wanting to put a captcha on our web site. I had to talk
>>>>>>>> really
>>>>>>>> long to get her to not do it. It was a really tough sell and I only
>>>>>>>> got
>>>>>>>> her
>>>>>>>> to agree on a provisional basis. If an alternate solution I came up
>>>>>>>> with
>>>>>>>> doesn't work, she will probably insist on using the captcha. Her
>>>>>>>> point
>>>>>>>> is
>>>>>>>> that the page we want to protect simply isn't visited very often by
>>>>>>>> blind
>>>>>>>> people. It's not worth the trouble to make it accessible.
>>>>>>>>
>>>>>>>> I've pointed out that it's a matter of principle. I've even 
>>>>>>>> mentioned
>>>>>>>> what
>>>>>>>> a
>>>>>>>> bitter thing it would be for me to install captcha software. I've
>>>>>>>> pointed
>>>>>>>> out our legal responsibilities. All this makes little to no
>>>>>>>> difference.
>>>>>>>> All
>>>>>>>> that really matters is that captchas work. Honestly, I was sitting
>>>>>>>> there
>>>>>>>> thinking of trying to write software to break captchas and sending 
>>>>>>>> it
>>>>>>>> to
>>>>>>>> every spammer I can find.
>>>>>>>>
>>>>>>>> By the way, my boss is not a bad person by any means. She is very
>>>>>>>> open
>>>>>>>> minded. I just think that if you're not blind, you don't see what 
>>>>>>>> the
>>>>>>>> problem is.
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>>>> To: <nfb-talk at nfbnet.org>
>>>>>>>> Sent: Tuesday, April 12, 2011 10:25 PM
>>>>>>>> Subject: [nfb-talk] Captcha, (I've had enough!)
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi, it's Joshua Lester.
>>>>>>>>> I've posted this on the Faith Talk list, and the Music list, but 
>>>>>>>>> I'm
>>>>>>>>> not having any success.
>>>>>>>>> I've just thought of a question.
>>>>>>>>> I'd like everyone's feedback.
>>>>>>>>> How can we better influence the Webmasters of their sites, to make
>>>>>>>>> more accessible contact forms?
>>>>>>>>> How can they make them, where they can differentiate, between 
>>>>>>>>> Jaws,
>>>>>>>>> and
>>>>>>>>> a
>>>>>>>>> Robot?
>>>>>>>>> I want them to make the captcha, where Jaws can catch it, and read
>>>>>>>>> it
>>>>>>>>> to
>>>>>>>>> us.
>>>>>>>>> What can we do?
>>>>>>>>> Thanks for your ideas.
>>>>>>>>> This is for all Websites.
>>>>>>>>> Blessings, Joshua
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> nfb-talk mailing list
>>>>>>>>> nfb-talk at nfbnet.org
>>>>>>>>> http://www.nfbnet.org/mailman/listinfo/nfb-talk_nfbnet.org
>>>>>>>>> To unsubscribe, change your list options or get your account info
>>>>>>>>> for
>>>>>>>>> nfb-talk:
>>>>>>>>> http://www.nfbnet.org/mailman/options/nfb-talk_nfbnet.org/john%40johnheim.net
>>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>
>
>
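The trust mechanics John lays out in the quoted replies (a site keeps a list of recognized certificate authorities, anyone can self-sign a certificate that such a site will not accept, and deleting a CA's root certificate stops the site accepting what that CA issued) played out with Go's standard crypto/x509 library, as an added example that is not part of the thread. The CA and user names are constructed, and the small in-memory pool stands in for a site's list of recognized root certs; the malware and revocation concerns raised in the thread are outside what this example shows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a certificate for cn, signed by parent, or self-signed when parent is nil.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; real CAs use random ones
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // usable as a client (user) cert
	}
	if parent == nil { // "anyone can generate their own certificates"
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// accepted reports whether a site whose list of recognized certificate authorities is roots accepts cert.
func accepted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// demo plays out the thread's three cases: a cert from a recognized CA, a home-made cert,
// and the same user cert after the site has deleted the CA's root (an empty list remains).
func demo() (fromRecognizedCA, homeMade, afterRootDeleted bool) {
	caCert, caKey := makeCert("Demo CA (constructed)", true, nil, nil)
	userCert, _ := makeCert("user@example.org (constructed)", false, caCert, caKey)
	selfMade, _ := makeCert("anyone (constructed)", false, nil, nil)
	recognized := x509.NewCertPool()
	recognized.AddCert(caCert) // "download the root cert ... add it to your list"
	return accepted(userCert, recognized), accepted(selfMade, recognized), accepted(userCert, x509.NewCertPool())
}

func main() {
	fmt.Println(demo()) // true false false
}
```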