[nfb-talk] Captcha, (I've had enough!)

Mike Freeman k7uij at panix.com
Fri Apr 15 17:44:50 UTC 2011


I remember that when PGP encryption was introduced to the world (and these certificate schemes are not unlike PGP encryption), key-signing parties such as you describe below were envisioned.  I suspect that, like much else involving human interaction these days, such get-togethers fell victim to the tendency of people to communicate via machine rather than face-to-face.

While I am sympathetic to your notion that conventions might be good places for such endeavors, I suspect that this would be at best chaotic in practice, not unlike our long registration lines (although, in truth, we move them along quite quickly).  Also, I could envision howls of protest from blind persons who did not choose to join either NFB or ACB (presumably, ACB would conduct a similar session).

But your suggestion is as good as, if not better than, those of the rest of us at this point. <smile>


Mike Freeman
sent from my iPhone


On Apr 15, 2011, at 10:34, "John Heim" <john at johnheim.net> wrote:

> Just in case it's not clear, I didn't think up this validation scheme. I found out about this years ago when I went to a seminar about on-line security.  The speaker was talking about something called the "web of trust". The idea is that real live human beings make sure you are who you say you are in a face to face meeting. They sign documents for you which you then submit to the certificate authority when creating your account. Now that they know you, it's called being "assured", you can in turn assure other people.  Groups of nerds sometimes have "key signing parties" where people get together over food & drinks and everyone who is not already assured gets their forms signed. It seems to me that this would be an ideal activity for an NFB convention.
> 
> My first key signing party was years and years ago and the speaker thought that by now, it would be a common authentication scheme on the internet. But as far as I know, the only place that uses it is the cacert.org web site itself.
> 
> ----- Original Message ----- From: "Steve Jacobson" <steve.jacobson at visi.com>
> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
> Sent: Friday, April 15, 2011 9:54 AM
> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
> 
> 
>> John,
>> 
>> Okay, this is clearer now.  Somehow I was thinking that the validation would have to work in reverse but that isn't the case.  This does seem like one more
>> alternative to suggest.  I can't think of a case where my identity won't be known anyway by sites presenting the CAPTCHA.
>> 
>> Best regards,
>> 
>> Steve Jacobson
>> 
>> On Fri, 15 Apr 2011 09:08:09 -0500, John Heim wrote:
>> 
>>> Well, there are no logical flaws in the system.  You couldn't do your
>>> banking on-line if there were. Essentially, this certificate validation idea
>>> is the same as what banks use. When you do your banking on line, your PC
>>> asks the bank computer to prove it's who it says it is. That's done with a
>>> certificate. Essentially, I'm proposing that we all do the same thing on our
>>> computers that banks do on theirs.
>> 
>>> Right off hand I don't remember the sequence of events in validating a
>>> certificate. But a certificate is essentially just half of an encryption
>>> key. You have to have both halves to make it work.  You would have a private
>>> key that you would need to keep private.  The private half of the key could
>>> be stolen by malware and web sites would have to have some way to
>>> automatically revoke those. But I am sure most web sites already have a way
>>> to automatically detect when an account has been taken over by a spammer and
>>> automatically shut it down. There is no perfect scheme but the
>>> certificate validation is more secure than a captcha.
>> 
>>> I suspect that most web sites would prefer the certificate validation scheme
>>> over the captcha scheme and the reason personal certificates haven't caught
>>> on is that the web sites figure their customers will never go for them.
>>> People don't understand certificates. While it's not hard to install a cert,
>>> it's harder than solving a captcha (for most people). Plus, people still
>>> think they're anonymous on the internet.  I just wish more sites would offer
>>> it as an option. They could offer certificate validation as an alternative
>>> to captcha for those of us who understand it and can't do captchas.
>> 
>>> From: "Steve Jacobson" <steve.jacobson at visi.com>
>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>> Sent: Thursday, April 14, 2011 2:59 PM
>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>> 
>> 
>>>> John,
>>>> 
>>>> I think that we may need to develop an approach to offer to websites, and this may be one.  Another catch that I see is that it may never be the case that one could expect to get by a CAPTCHA because of inconsistent downloading of root certificates.  Still, it might be a way to reach some sort of solution with large sites that require CAPTCHAs.  Could a certificate be "stolen" by a disreputable web site?  I am guessing malware could do it, but could a web site get enough information about your certificate when validating it against the root to use it somewhere else?  Thank you for the education.
>>>> 
>>>> Best regards,
>>>> 
>>>> Steve Jacobson
>>>> 
>>>> On Thu, 14 Apr 2011 14:33:04 -0500, John Heim wrote:
>>>> 
>>>>> Answering your questions one at a time...
>>>> 
>>>>> 1. wouldn't the site determine which type of certificate that would need to be submitted?
>>>> 
>>>>> Yes, it would.  But a site could accept certificates from any number of different certificate authorities.  A place that issues digital certificates is known as a certificate authority. It's a fairly simple process to add to your list of recognized certificate authorities. Each certificate authority issues a special certificate known as a root cert. This root cert is then used to validate the authenticity of certs issued by that certificate authority. The process of recognizing a new certificate authority is simply to download the root cert for that authority and add it to your list of known certificate authorities.
>>>> 
>>>>> 2. aren't there sources that would permit spammers to get certificates?
>>>> 
>>>>> Yes. In fact, anyone can generate their own certificates.  But it doesn't do any good to generate a certificate if the person you're sending it to doesn't have the root certificate.  If a certificate authority issued certificates to spammers, you could stop accepting the certs they issue by just deleting their root certificate.  Obviously, certificate authorities are highly motivated to make sure people trust the certs they issue. If not, they're out of business.
>>>> 
>>>>> 3.  Is this process expensive?
>>>> 
>>>>> No. It's essentially free not counting set up time, etc. But the software
>>>>> itself and the root certs are free.
>>>> 
>>>>> 4. What's the catch?
>>>> 
>>>>> I know you didn't ask this but it's a good question.  The catch is that the certificate would allow web sites to track you all over the internet. If you downloaded some porn, did some banking, updated your facebook page, downloaded some more porn, and then edited your own entry on wikipedia, all those sites could share information about you. They wouldn't necessarily learn much from the certificate itself. But since a certificate positively identifies you, they'd be able to share information with each other about your web habits. Of course, anyone who still thinks they are anonymous on the internet is fooling themselves anyway.  But this is the main reason this authentication method hasn't caught on. People don't want the web sites they visit to know who they are.
>>>> 
>>>>> From: "Steve Jacobson" <steve.jacobson at visi.com>
>>>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>> Sent: Thursday, April 14, 2011 1:47 PM
>>>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>> 
>>>> 
>>>>>> John,
>>>>>> 
>>>>>> This seems like an interesting approach to the problem.  I have a couple
>>>>>> of questions, though.
>>>>>> 
>>>>>> In this case, wouldn't it be the web site that would be requesting a certificate, so wouldn't the site determine which type of certificate that would need to be submitted?  Also, while I understand the process for getting a certificate from the source you mentioned, aren't there other sources that would permit spammers to get certificates?  I will readily admit that this certificate process has always been a bit of a mystery to me.  Is this process expensive for a web site to implement, understanding that the generations of CAPTCHAs are not free.
>>>>>> 
>>>>>> Best regards,
>>>>>> 
>>>>>> Steve Jacobson
>>>>>> 
>>>>>> On Thu, 14 Apr 2011 13:06:28 -0500, John Heim wrote:
>>>>>> 
>>>>>>> Well, the whole point of a captcha is that it is supposed to be something a computer cannot recognize. If a computer recognizes it, then by definition, it is not a captcha.
>>>>>> 
>>>>>>> Yes, I think it would be a very good idea for the NFB to work toward getting web designers to enable different authorization protocols. For example, a site could accept a digital certificate as authorization for a download. The web site could automatically ask the browser for a certificate and if it has one, the download could begin. This would all be transparent to the user once they installed a certificate on their PC.
>>>>>> 
>>>>>>> And it doesn't have to cost the end user a penny. There is at least one place to get free digital certificates. It's called cacert.org (see www.cacert.org). To get an account, you have to be "assured" by 2 other members or you have to have 2 notarized statements verifying your identity.
>>>>>> 
>>>>>>> If more places used this kind of authorization, we could create accounts for people at NFB conventions and show them how to install their certificates.
>>>>>> 
>>>>>>> ----- Original Message ----- From: "Peter Donahue" <pdonahue2 at satx.rr.com>
>>>>>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>>>> Sent: Wednesday, April 13, 2011 11:04 AM
>>>>>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>>> 
>>>>>> 
>>>>>>>> Hello everyone,
>>>>>>>> 
>>>>>>>>   Audio captchas are of no use to the deaf-blind. For God's sake if we can develop the technology that allowed us to put a blind guy behind the wheel of an automobile and drive it independently we should be able to find a way to allow captchas to be recognized by screen readers while protecting Web sites and such from the bad guys. The belief that the technology to do this is not there doesn't wash with me.
>>>>>>>> 
>>>>>>>> Peter Donahue
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ----- Original Message ----- From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>>>> To: "NFB Talk Mailing List" <nfb-talk at nfbnet.org>
>>>>>>>> Sent: Wednesday, April 13, 2011 8:38 AM
>>>>>>>> Subject: Re: [nfb-talk] Captcha, (I've had enough!)
>>>>>>>> 
>>>>>>>> 
>>>>>>>> John, what's really bad, is if there are multiple blind people in a church denomination, and their site's contact form, or church locator, are inaccessible.
>>>>>>>> My organization's Website is like that.
>>>>>>>> They have an audio file that's supposed to play the captcha, but it won't play.
>>>>>>>> I'll post the Website here.
>>>>>>>> www.upci.org
>>>>>>>> I've contacted their IT department, but they have done nothing about this.
>>>>>>>> Blessings, Joshua
>>>>>>>> 
>>>>>>>> On 4/13/11, John Heim <john at johnheim.net> wrote:
>>>>>>>>> A few months ago, the Department of Justice said that the ADA applies to web sites. This is a big deal. Since the Department of Justice is responsible for enforcing laws like the ADA, if the Department of Justice says the ADA applies to web sites, then it does.  A business would have to go to court to show that the DOJ overstepped its bounds in making that determination. But the burden of proof would be on them. Well, anyway, the point is that CAPTCHAs are now illegal.
>>>>>>>>> 
>>>>>>>>> IMO, this is one of the toughest issues we face. My own boss came to me yesterday wanting to put a captcha on our web site. I had to talk really long to get her to not do it. It was a really tough sell and I only got her to agree on a provisional basis. If an alternate solution I came up with doesn't work, she will probably insist on using the captcha. Her point is that the page we want to protect simply isn't visited very often by blind people. It's not worth the trouble to make it accessible.
>>>>>>>>> 
>>>>>>>>> I've pointed out that it's a matter of principle. I've even mentioned what a bitter thing it would be for me to install captcha software. I've pointed out our legal responsibilities. All this makes little to no difference. All that really matters is that captchas work. Honestly, I was sitting there thinking of trying to write software to break captchas and sending it to every spammer I can find.
>>>>>>>>> 
>>>>>>>>> By the way, my boss is not a bad person by any means. She is very open minded. I just think that if you're not blind, you don't see what the problem is.
>>>>>>>>> 
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Joshua Lester" <jlester8462 at students.pccua.edu>
>>>>>>>>> To: <nfb-talk at nfbnet.org>
>>>>>>>>> Sent: Tuesday, April 12, 2011 10:25 PM
>>>>>>>>> Subject: [nfb-talk] Captcha, (I've had enough!)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> Hi, it's Joshua Lester.
>>>>>>>>>> I've posted this on the Faith Talk list, and the Music list, but I'm
>>>>>>>>>> not having any success.
>>>>>>>>>> I've just thought of a question.
>>>>>>>>>> I'd like everyone's feedback.
>>>>>>>>>> How can we better influence the Webmasters of their sites, to make more accessible contact forms?
>>>>>>>>>> How can they make them, where they can differentiate, between Jaws, and a Robot?
>>>>>>>>>> I want them to make the captcha, where Jaws can catch it, and read it to us.
>>>>>>>>>> What can we do?
>>>>>>>>>> Thanks for your ideas.
>>>>>>>>>> This is for all Websites.
>>>>>>>>>> Blessings, Joshua
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> nfb-talk mailing list
>>>>>>>>>> nfb-talk at nfbnet.org
>>>>>>>>>> http://www.nfbnet.org/mailman/listinfo/nfb-talk_nfbnet.org
>>>>>>>>>> To unsubscribe, change your list options or get your account info for nfb-talk:
>>>>>>>>>> http://www.nfbnet.org/mailman/options/nfb-talk_nfbnet.org/john%40johnheim.net
>>>>>>>>>> 
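
The trust-list behaviour John Heim describes in his answers 1 and 2 (a site recognizes a certificate authority by holding its root cert, a self-generated cert is useless without that, and deleting a root stops acceptance of everything that CA issued), as an added example using the openssl command line. It is not part of the original thread; the CA and user names (assurer-ca, sloppy-ca, alice, spammer, mallory) are made up for the demo.

```shell
#!/bin/sh
# Constructed demo; every name here (assurer-ca, sloppy-ca, alice, spammer,
# mallory) is made up. Requires the openssl command-line tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_root NAME: self-signed cert plus key. For a CA this is its "root cert".
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: the CA signs a personal certificate for NAME.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# set_trusted CA...: the site's list of recognized CAs is a bundle of roots.
set_trusted() {
  : > "$WORK/trusted.pem"
  for ca in "$@"; do cat "$WORK/$ca.pem" >> "$WORK/trusted.pem"; done
}

# site_accepts NAME: succeeds only if NAME's cert chains to a trusted root.
site_accepts() {
  openssl verify -CAfile "$WORK/trusted.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

report() {
  if site_accepts "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

make_root assurer-ca; make_root sloppy-ca
issue assurer-ca alice; issue sloppy-ca spammer
make_root mallory          # "anyone can generate their own certificates"

set_trusted assurer-ca sloppy-ca
report alice; report spammer; report mallory
set_trusted assurer-ca     # the site deletes the sloppy CA's root cert
report alice; report spammer
```

The verify step only proves that a trusted CA issued the certificate; a real site would also have the client prove possession of the matching private key, which the TLS handshake does when a client certificate is presented.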



