[nfb-talk] Captcha, (I've had enough!)

John Heim john at johnheim.net
Fri Apr 15 14:08:09 UTC 2011


Well, there are no logical flaws in the system.  You couldn't do your 
banking on-line if there were. Essentially, this certificate validation idea 
is the same as what banks use. When you do your banking on line, your PC 
asks the bank computer to prove it's who it says it is. That's done with a 
certificate. Essentially, I'm proposing that we all do the same thing on our 
computers that banks do on theirs.

Right off hand I don't remember the sequence of events in validating a 
certificate. But a certificate is essentially just half of an encryption 
key. You have to have both halves to make it work.  You would have a private 
key that you would need to keep private.  The private half of the key could 
be stolen by malware and web sites would have to have some way to 
automatically revoke those. But I am sure most web sites already have a way 
to automatically detect when an account has been taken over by a spammer and 
automatically shut it down. There is no perfect scheme but the 
certificate validation is more secure than a captcha.

I suspect that most web sites would prefer the certificate validation scheme 
over the captcha scheme and the reason personal certificates haven't caught 
on is that the web sites figure their customers will never go for them. 
People don't understand certificates. While it's not hard to install a cert, 
it's harder than solving a captcha (for most people). Plus, people still 
think they're anonymous on the internet.  I just wish more sites would offer 
it as an option. They could offer certificate validation as an alternative 
to captcha for those of us who understand it and can't do captchas.

From: "Steve Jacobson" <steve.jacobson at visi.com>
To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
Sent: Thursday, April 14, 2011 2:59 PM
Subject: Re: [nfb-talk] Captcha, (I've had enough!)


> John,
>
> I think that we may need to develop an approach to offer to websites, and
> this may be one.  Another catch that I see is that it may never be the
> case that one could expect to get by a CAPTCHA because of inconsistent
> downloading of root certificates.  Still, it might be a way to reach some
> sort of solution with large sites that require CAPTCHAs.  Could a
> certificate be "stolen" by a disreputable web site?  I am guessing malware
> could do it, but could a web site get enough information about your
> certificate when validating it against the root to use it somewhere else?
> Thank you for the education.
>
> Best regards,
>
> Steve Jacobson
>
> On Thu, 14 Apr 2011 14:33:04 -0500, John Heim wrote:
>
>>Answering your questions one at a time...
>
>>1. wouldn't the site determine which type of certificate that would need
>>to be submitted?
>
>>Yes, it would.  But a site could accept certificates from any number of
>>different certificate authorities.  A place that issues digital
>>certificates is known as a certificate authority. It's a fairly simple
>>process to add to your list of recognized certificate authorities. Each
>>certificate authority issues a special certificate known as a root cert.
>>This root cert is then used to validate the authenticity of certs issued
>>by that certificate authority. The process of recognizing a new
>>certificate authority is simply to download the root cert for that
>>authority and add it to your list of known certificate authorities.
>
>>2. aren't there sources that would permit spammers to get certificates?
>
>>Yes. In fact, anyone can generate their own certificates.  But it doesn't
>>do any good to generate a certificate if the person you're sending it to
>>doesn't have the root certificate.  If a certificate authority issued
>>certificates to spammers, you could stop accepting the certs they issue by
>>just deleting their root certificate.  Obviously, certificate authorities
>>are highly motivated to make sure people trust the certs they issue. If
>>not, they're out of business.
>
>>3.  Is this process expensive?
>
>>No. It's essentially free not counting set up time, etc. But the software
>>itself and the root certs are free.
>
>>4. What's the catch?
>
>>I know you didn't ask this but it's a good question.  The catch is that the
>>certificate would allow web sites to track you all over the internet. If
>>you downloaded some porn, did some banking, updated your Facebook page,
>>downloaded some more porn, and then edited your own entry on Wikipedia,
>>all those sites could share information about you. They wouldn't
>>necessarily learn much from the certificate itself. But since a
>>certificate positively identifies you, they'd be able to share information
>>with each other about your web habits. Of course, anyone who still thinks
>>they are anonymous on the internet is fooling themselves anyway.  But this
>>is the main reason this authentication method hasn't caught on. People
>>don't want the web sites they visit to know who they are.
>
>>From: "Steve Jacobson" <steve.jacobson at visi.com>
>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>Sent: Thursday, April 14, 2011 1:47 PM
>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>
>
>>> John,
>>>
>>> This seems like an interesting approach to the problem.  I have a couple
>>> of questions, though.
>>>
>>> In this case, wouldn't it be the web site that would be requesting a
>>> certificate, so wouldn't the site determine which type of certificate
>>> that would need to be submitted?  Also, while I understand the process
>>> for getting a certificate from the source you mentioned, aren't there
>>> other sources that would permit spammers to get certificates?  I will
>>> readily admit that this certificate process has always been a bit of a
>>> mystery to me.  Is this process expensive for a web site to implement,
>>> understanding that the generations of CAPTCHAs are not free?
>>>
>>> Best regards,
>>>
>>> Steve Jacobson
>>>
>>> On Thu, 14 Apr 2011 13:06:28 -0500, John Heim wrote:
>>>
>>>>Well, the whole point of a captcha is that it is supposed to be something
>>>>a computer cannot recognize. If a computer recognizes it, then by
>>>>definition, it is not a captcha.
>>>
>>>>Yes, I think it would be a very good idea for the NFB to work toward
>>>>getting web designers to enable different authorization protocols. For
>>>>example, a site could accept a digital certificate as authorization for a
>>>>download. The web site could automatically ask the browser for a
>>>>certificate and if it has one, the download could begin. This would all be
>>>>transparent to the user once they installed a certificate on their PC.
>>>
>>>>And it doesn't have to cost the end user a penny. There is at least one
>>>>place to get free digital certificates. It's called cacert.org (see
>>>>www.cacert.org). To get an account, you have to be "assured" by 2 other
>>>>members or you have to have 2 notarized statements verifying your
>>>>identity.
>>>
>>>>If more places used this kind of authorization, we could create accounts
>>>>for people at NFB conventions and show them how to install their
>>>>certificates.
>>>
>>>>----- Original Message ----- 
>>>>From: "Peter Donahue" <pdonahue2 at satx.rr.com>
>>>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>Sent: Wednesday, April 13, 2011 11:04 AM
>>>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>
>>>
>>>>> Hello everyone,
>>>>>
>>>>>    Audio captchas are of no use to the deaf-blind. For God sakes if we
>>>>> can develop the technology that allowed us to put a blind guy behind
>>>>> the wheel of an automobile and drive it independently we should be able
>>>>> to find a way to allow captchas to be recognized by screen readers while
>>>>> protecting Web sites and such from the bad guys. The belief that the
>>>>> technology to do this is not there doesn't wash with me.
>>>>>
>>>>> Peter Donahue
>>>>>
>>>>>
>>>>> ----- Original Message ----- 
>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>> Sent: Wednesday, April 13, 2011 8:38 AM
>>>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>>
>>>>>
>>>>> John, what's really bad, is if there are multiple blind people in a
>>>>> church denomination, and their site's contact form, or church locator,
>>>>> are inaccessible.
>>>>> My organization's Website is like that.
>>>>> They have an audio file that's supposed to play the captcha, but it
>>>>> won't play.
>>>>> I'll post the Website here.
>>>>> www.upci.org
>>>>> I've contacted their IT department, but they have done nothing about
>>>>> this.
>>>>> Blessings, Joshua
>>>>>
>>>>> On 4/13/11, John Heim <john at johnheim.net> wrote:
>>>>>> A few months ago, the Department of Justice said that the ADA applies
>>>>>> to web sites. This is a big deal. Since the Department of Justice is
>>>>>> responsible for enforcing laws like the ADA, if the Department of
>>>>>> Justice says the ADA applies to web sites, then it does.  A business
>>>>>> would have to go to court to show that the DOJ overstepped its bounds
>>>>>> in making that determination. But the burden of proof would be on
>>>>>> them. Well, anyway, the point is that CAPTCHAs are now illegal.
>>>>>>
>>>>>> IMO, this is one of the toughest issues we face. My own boss came to
>>>>>> me yesterday wanting to put a captcha on our web site. I had to talk
>>>>>> really long to get her to not do it. It was a really tough sell and I
>>>>>> only got her to agree on a provisional basis. If an alternate solution
>>>>>> I came up with doesn't work, she will probably insist on using the
>>>>>> captcha. Her point is that the page we want to protect simply isn't
>>>>>> visited very often by blind people. It's not worth the trouble to make
>>>>>> it accessible.
>>>>>>
>>>>>> I've pointed out that it's a matter of principle. I've even mentioned
>>>>>> what a bitter thing it would be for me to install captcha software.
>>>>>> I've pointed out our legal responsibilities. All this makes little to
>>>>>> no difference. All that really matters is that captchas work.
>>>>>> Honestly, I was sitting there thinking of trying to write software to
>>>>>> break captchas and sending it to every spammer I can find.
>>>>>>
>>>>>> By the way, my boss is not a bad person by any means. She is very open
>>>>>> minded. I just think that if you're not blind, you don't see what the
>>>>>> problem is.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>> To: <nfb-talk at nfbnet.org>
>>>>>> Sent: Tuesday, April 12, 2011 10:25 PM
>>>>>> Subject: [nfb-talk] Captcha, (I've had enough!)
>>>>>>
>>>>>>
>>>>>>> Hi, it's Joshua Lester.
>>>>>>> I've posted this on the Faith Talk list, and the Music list, but I'm
>>>>>>> not having any success.
>>>>>>> I've just thought of a question.
>>>>>>> I'd like everyone's feedback.
>>>>>>> How can we better influence the Webmasters of their sites, to make
>>>>>>> more accessible contact forms?
>>>>>>> How can they make them, where they can differentiate, between Jaws,
>>>>>>> and a Robot?
>>>>>>> I want them to make the captcha, where Jaws can catch it, and read it
>>>>>>> to us.
>>>>>>> What can we do?
>>>>>>> Thanks for your ideas.
>>>>>>> This is for all Websites.
>>>>>>> Blessings, Joshua
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> nfb-talk mailing list
>>>>>>> nfb-talk at nfbnet.org
>>>>>>> http://www.nfbnet.org/mailman/listinfo/nfb-talk_nfbnet.org
>>>>>>> To unsubscribe, change your list options or get your account info 
>>>>>>> for
>>>>>>> nfb-talk:
>>>>>>> http://www.nfbnet.org/mailman/options/nfb-talk_nfbnet.org/john%40johnheim.net
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>
>
>
>
>
>
>
> 
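The trust and key-possession checks discussed in this thread, as an added example that is not part of any poster's message: it shows that a site accepts only certificates that chain to a root it has installed, and that a party holding a copy of the certificate without the private key cannot use it elsewhere. It assumes the openssl command-line tool is installed; the names `trusted`, `homemade`, `alice`, `spammer` and `thief` are constructed, and the signed nonce is a simplified stand-in for the signature a TLS client makes during the handshake.

```shell
#!/bin/sh
# Added illustration (constructed names; assumes the openssl CLI is installed).
set -e
W=$(mktemp -d)                 # scratch directory for demo keys and certs
trap 'rm -rf "$W"' EXIT

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# make_ca NAME: create a certificate authority; NAME.pem is its root cert.
make_ca() {
  new_key "$W/$1.key"
  openssl req -x509 -new -key "$W/$1.key" -subj "/CN=$1 root" -days 1 \
    -out "$W/$1.pem" 2>/dev/null
}

# issue CA USER: the CA signs a personal certificate over USER's public key.
issue() {
  new_key "$W/$2.key"
  openssl req -new -key "$W/$2.key" -subj "/CN=$2" -out "$W/$2.csr" 2>/dev/null
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -days 1 -out "$W/$2.pem" 2>/dev/null
}

# site_accepts ROOT USER: does USER's cert chain to a root the site installed?
site_accepts() { openssl verify -CAfile "$W/$1.pem" "$W/$2.pem" >/dev/null 2>&1; }

# sign_nonce KEYHOLDER NONCE: sign the site's challenge with a private key.
sign_nonce() {
  printf '%s' "$2" > "$W/nonce"
  openssl dgst -sha256 -sign "$W/$1.key" -out "$W/sig" "$W/nonce"
}

# proves_possession USER NONCE: check the last signature against the public
# key inside USER's certificate. The certificate alone is public information.
proves_possession() {
  printf '%s' "$2" > "$W/nonce"
  openssl x509 -in "$W/$1.pem" -pubkey -noout > "$W/pub.pem"
  openssl dgst -sha256 -verify "$W/pub.pem" -signature "$W/sig" "$W/nonce" \
    >/dev/null 2>&1
}

make_ca trusted;  issue trusted alice      # CA whose root the site installed
make_ca homemade; issue homemade spammer   # anyone can run their own CA
new_key "$W/thief.key"                     # holds a copy of alice.pem, not her key
```

Each login uses a fresh nonce, so neither a replayed signature nor a signature made with a different key verifies against the certificate.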




