[nfb-talk] Captcha, (I've had enough!)

Steve Jacobson steve.jacobson at visi.com
Fri Apr 15 14:54:16 UTC 2011


John,

Okay, this is clearer now.  Somehow I was thinking that the validation
would have to work in reverse but that isn't the case.  This does seem like
one more alternative to suggest.  I can't think of a case where my identity
won't be known anyway by sites presenting the CAPTCHA.

Best regards,

Steve Jacobson

On Fri, 15 Apr 2011 09:08:09 -0500, John Heim wrote:

>Well, there are no logical flaws in the system.  You couldn't do your 
>banking on-line if there were. Essentially, this certificate validation idea 
>is the same as what banks use. When you do your banking on line, your PC 
>asks the bank computer to prove it's who it says it is. That's done with a 
>certificate. Essentially, I'm proposing that we all do the same thing on our 
>computers that banks do on theirs.

>Right off hand I don't remember the sequence of events in validating a 
>certificate. But a certificate is essentially just half of an encryption 
>key. You have to have both halves to make it work.  You would have a private 
>key that you would need to keep private.  The private half of the key could 
>be stolen by malware and web sites would have to have some way to 
>automatically revoke those. But I am sure most web sites already have a way 
>to automatically detect when an account has been taken over by a spammer and 
>automatically shut it down. There is no perfect scheme but the 
>certificate validation is more secure than a captcha.

>I suspect that most web sites would prefer the certificate validation scheme 
>over the captcha scheme and the reason personal certificates haven't caught 
>on is that the web sites figure their customers will never go for them. 
>People don't understand certificates. While it's not hard to install a cert, 
>it's harder than solving a captcha (for most people). Plus, people still 
>think they're anonymous on the internet.  I just wish more sites would offer 
>it as an option. They could offer certificate validation as an alternative 
>to captcha for those of us who understand it and can't do captchas.

>From: "Steve Jacobson" <steve.jacobson at visi.com>
>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>Sent: Thursday, April 14, 2011 2:59 PM
>Subject: Re: [nfb-talk] Captcha, (I've had enough!)


>> John,
>>
>> I think that we may need to develop an approach to offer to websites, and
>> this may be one.  Another catch that I see is that it may never be the
>> case that one could expect to get by a CAPTCHA because of inconsistent
>> downloading of root certificates.  Still, it might be a way to reach some
>> sort of solution with large sites that require CAPTCHAs.  Could a
>> certificate be "stolen" by a disreputable web site?  I am guessing malware
>> could do it, but could a web site get enough information about your
>> certificate when validating it against the root to use it somewhere else?
>> Thank you for the education.
>>
>> Best regards,
>>
>> Steve Jacobson
>>
>> On Thu, 14 Apr 2011 14:33:04 -0500, John Heim wrote:
>>
>>>Answering your questions one at a time...
>>
>>>1. wouldn't the site determine which type of certificate that would need
>>>to be submitted?
>>
>>>Yes, it would.  But a site could accept certificates from any number of
>>>different certificate authorities.  A place that issues digital
>>>certificates is known as a certificate authority. It's a fairly simple
>>>process to add to your list of recognized certificate authorities. Each
>>>certificate authority issues a special certificate known as a root cert.
>>>This root cert is then used to validate the authenticity of certs issued
>>>by that certificate authority. The process of recognizing a new
>>>certificate authority is simply to download the root cert for that
>>>authority and add it to your list of known certificate authorities.
>>
>>>2. aren't there sources that would permit spammers to get certificates?
>>
>>>Yes. In fact, anyone can generate their own certificates.  But it doesn't
>>>do any good to generate a certificate if the person you're sending it to
>>>doesn't have the root certificate.  If a certificate authority issued
>>>certificates to spammers, you could stop accepting the certs they issue by
>>>just deleting their root certificate.  Obviously, certificate authorities
>>>are highly motivated to make sure people trust the certs they issue. If
>>>not, they're out of business.
>>
>>>3.  Is this process expensive?
>>
>>>No. It's essentially free not counting set up time, etc. But the software
>>>itself and the root certs are free.
>>
>>>4. What's the catch?
>>
>>>I know you didn't ask this but it's a good question.  The catch is that the
>>>certificate would allow web sites to track you all over the internet. If
>>>you downloaded some porn, did some banking, updated your facebook page,
>>>downloaded some more porn, and then edited your own entry on wikipedia,
>>>all those sites could share information about you. They wouldn't
>>>necessarily learn much from the certificate itself. But since a
>>>certificate positively identifies you, they'd be able to share information
>>>with each other about your web habits. Of course, anyone who still thinks
>>>they are anonymous on the internet is fooling themselves anyway.  But this
>>>is the main reason this authentication method hasn't caught on. People
>>>don't want the web sites they visit to know who they are.
>>
>>>From: "Steve Jacobson" <steve.jacobson at visi.com>
>>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>Sent: Thursday, April 14, 2011 1:47 PM
>>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>
>>
>>>> John,
>>>>
>>>> This seems like an interesting approach to the problem.  I have a couple
>>>> of questions, though.
>>>>
>>>> In this case, wouldn't it be the web site that would be requesting a
>>>> certificate, so wouldn't the site determine which type of certificate
>>>> that would need to be submitted?  Also, while I understand the process
>>>> for getting a certificate from the source you mentioned, aren't there
>>>> other sources that would permit spammers to get certificates?  I will
>>>> readily admit that this certificate process has always been a bit of a
>>>> mystery to me.  Is this process expensive for a web site to implement,
>>>> understanding that the generations of CAPTCHAs are not free.
>>>>
>>>> Best regards,
>>>>
>>>> Steve Jacobson
>>>>
>>>> On Thu, 14 Apr 2011 13:06:28 -0500, John Heim wrote:
>>>>
>>>>>Well, the whole point of a captcha is that it is supposed to be
>>>>>something a computer cannot recognize. If a computer recognizes it, then
>>>>>by definition, it is not a captcha.
>>>>
>>>>>Yes, I think it would be a very good idea for the NFB to work toward
>>>>>getting web designers to enable different authorization protocols. For
>>>>>example, a site could accept a digital certificate as authorization for
>>>>>a download. The web site could automatically ask the browser for a
>>>>>certificate and if it has one, the download could begin. This would all
>>>>>be transparent to the user once they installed a certificate on their PC.
>>>>
>>>>>And it doesn't have to cost the end user a penny. There is at least one
>>>>>place to get free digital certificates. It's called cacert.org (see
>>>>>www.cacert.org). To get an account, you have to be "assured" by 2 other
>>>>>members or you have to have 2 notarized statements verifying your
>>>>>identity.
>>>>
>>>>>If more places used this kind of authorization, we could create accounts
>>>>>for people at NFB conventions and show them how to install their
>>>>>certificates.
>>>>
>>>>>----- Original Message ----- 
>>>>>From: "Peter Donahue" <pdonahue2 at satx.rr.com>
>>>>>To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>>Sent: Wednesday, April 13, 2011 11:04 AM
>>>>>Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>
>>>>
>>>>>> Hello everyone,
>>>>>>
>>>>>>    Audio captchas are of no use to the deaf-blind. For God sakes if we
>>>>>> can develop the technology that allowed us to put a blind guy behind
>>>>>> the wheel of an automobile and drive it independently we should be
>>>>>> able to find a way to allow captchas to be recognized by screen
>>>>>> readers while protecting Web sites and such from the bad guys. The
>>>>>> belief that the technology to do this is not there doesn't wash with
>>>>>> me.
>>>>>>
>>>>>> Peter Donahue
>>>>>>
>>>>>>
>>>>>> ----- Original Message ----- 
>>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>>> Sent: Wednesday, April 13, 2011 8:38 AM
>>>>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>>>
>>>>>>
>>>>>> John, what's really bad, is if there are multiple blind people in a
>>>>>> church denomination, and their site's contact form, or church locator,
>>>>>> are inaccessible.
>>>>>> My organization's Website is like that.
>>>>>> They have an audio file that's supposed to play the captcha, but it
>>>>>> won't play.
>>>>>> I'll post the Website here.
>>>>>> www.upci.org
>>>>>> I've contacted their IT department, but they have done nothing about
>>>>>> this.
>>>>>> Blessings, Joshua
>>>>>>
>>>>>> On 4/13/11, John Heim <john at johnheim.net> wrote:
>>>>>>> A few months ago, the Department of Justice said that the ADA applies
>>>>>>> to web sites. This is a big deal. Since the Department of Justice is
>>>>>>> responsible for enforcing laws like the ADA, if the Department of
>>>>>>> Justice says the ADA applies to web sites, then it does.  A business
>>>>>>> would have to go to court to show that the DOJ overstepped its bounds
>>>>>>> in making that determination. But the burden of proof would be on
>>>>>>> them. Well, anyway, the point is that CAPTCHAs are now illegal.
>>>>>>>
>>>>>>> IMO, this is one of the toughest issues we face. My own boss came to
>>>>>>> me yesterday wanting to put a captcha on our web site. I had to talk
>>>>>>> really long to get her to not do it. It was a really tough sell and I
>>>>>>> only got her to agree on a provisional basis. If an alternate
>>>>>>> solution I came up with doesn't work, she will probably insist on
>>>>>>> using the captcha. Her point is that the page we want to protect
>>>>>>> simply isn't visited very often by blind people. It's not worth the
>>>>>>> trouble to make it accessible.
>>>>>>>
>>>>>>> I've pointed out that it's a matter of principle. I've even mentioned
>>>>>>> what a bitter thing it would be for me to install captcha software.
>>>>>>> I've pointed out our legal responsibilities. All this makes little to
>>>>>>> no difference. All that really matters is that captchas work.
>>>>>>> Honestly, I was sitting there thinking of trying to write software to
>>>>>>> break captchas and sending it to every spammer I can find.
>>>>>>>
>>>>>>> By the way, my boss is not a bad person by any means. She is very
>>>>>>> open minded. I just think that if you're not blind, you don't see
>>>>>>> what the problem is.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>>> To: <nfb-talk at nfbnet.org>
>>>>>>> Sent: Tuesday, April 12, 2011 10:25 PM
>>>>>>> Subject: [nfb-talk] Captcha, (I've had enough!)
>>>>>>>
>>>>>>>
>>>>>>>> Hi, it's Joshua Lester.
>>>>>>>> I've posted this on the Faith Talk list, and the Music list, but I'm
>>>>>>>> not having any success.
>>>>>>>> I've just thought of a question.
>>>>>>>> I'd like everyone's feedback.
>>>>>>>> How can we better influence the Webmasters of their sites, to make
>>>>>>>> more accessible contact forms?
>>>>>>>> How can they make them, where they can differentiate, between Jaws,
>>>>>>>> and a Robot?
>>>>>>>> I want them to make the captcha, where Jaws can catch it, and read
>>>>>>>> it to us.
>>>>>>>> What can we do?
>>>>>>>> Thanks for your ideas.
>>>>>>>> This is for all Websites.
>>>>>>>> Blessings, Joshua
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> nfb-talk mailing list
>>>>>>>> nfb-talk at nfbnet.org
>>>>>>>> http://www.nfbnet.org/mailman/listinfo/nfb-talk_nfbnet.org
>>>>>>>> To unsubscribe, change your list options or get your account info 
>>>>>>>> for
>>>>>>>> nfb-talk:
>>>>>>>> http://www.nfbnet.org/mailman/options/nfb-talk_nfbnet.org/john%40johnheim.net
>>>>>>>>
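The trust model John Heim describes in this thread (a site accepts certificates from several authorities, a self-generated certificate is useless unless the site has its root, deleting a root stops acceptance of everything that authority issued, and a certificate only works together with its private key) can be tried locally with the openssl command line. This is an added example, not part of the original messages; the CA names, user names and temporary file paths are constructed.

```shell
#!/bin/sh
# Constructed demo: CA names, user names and file paths are made up.
set -eu
work=$(mktemp -d)

make_ca() {   # $1 = CA name: create a self-signed root cert and its key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1 Root" \
    -keyout "$work/$1-ca.key" -out "$work/$1-ca.pem" 2>/dev/null
}

issue() {     # $1 = CA name, $2 = user: user key pair + cert signed by the CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 30 -CAcreateserial \
    -CA "$work/$1-ca.pem" -CAkey "$work/$1-ca.key" -out "$work/$2.pem" 2>/dev/null
}

site_accepts() {   # $1 = site's trust bundle, $2 = user; true if chain verifies
  openssl verify -CAfile "$1" "$work/$2.pem" >/dev/null 2>&1
}

proves_key() {     # $1 = cert owner, $2 = key holder; challenge/response check
  printf 'nonce-%s' "$$" > "$work/challenge"
  openssl dgst -sha256 -sign "$work/$2.key" -out "$work/sig" "$work/challenge"
  openssl x509 -in "$work/$1.pem" -noout -pubkey > "$work/pub.pem"
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/sig" \
    "$work/challenge" >/dev/null 2>&1
}

make_ca good; make_ca sloppy; make_ca selfmade
issue good alice; issue sloppy spammer; issue selfmade mallory

# The site trusts two authorities; nobody has installed the "selfmade" root.
cat "$work/good-ca.pem" "$work/sloppy-ca.pem" > "$work/trusted.pem"
for u in alice spammer mallory; do
  site_accepts "$work/trusted.pem" "$u" && echo "$u: accepted" || echo "$u: rejected"
done

# Dropping one root from the bundle rejects every cert that authority issued.
cp "$work/good-ca.pem" "$work/trusted.pem"
site_accepts "$work/trusted.pem" spammer || echo "spammer: rejected after root removed"

# A copied certificate is useless without the matching private key.
proves_key alice alice && echo "alice holds her key"
proves_key alice mallory || echo "mallory cannot use alice's certificate"
```

The last check bears on the question of whether a web site could reuse a certificate it has seen: the site only ever receives the public certificate and a signature over its own challenge, never the private key.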