Captchas: An Annoying Illustration of Static Versus Dynamic Security
On November 16th, Adidas will re-release the Yeezy 350v2 zebra sneakers in stores across the US and on their website, Adidas.com.
These sneakers are highly desired, and those lucky enough to score a pair can often resell them to people who were not so lucky for 5 to 8 times the retail price. With the release of any product that pairs a finite supply with disproportionately high demand, there will always be a propensity for abuse by “bots”.
These bots are automated scripts and programs designed to purchase a product, with the intention to resell it, faster than a human can normally click through to make a legitimate purchase. By the time you add the product to your cart, the bots have already purchased them all. If you have ever tried to purchase tickets to a Taylor Swift concert, Air Jordan shoes, a Hatchimal last Christmas season, or the new iPhone on launch day, it is likely you were up against an army of bots competing for these items. If only there existed a good way to tell whether a user was a bot or a human.
The word Captcha should strike fear and frustration into any internet user. Captcha is actually an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart” (what a mouthful). Captchas are the universally loathed prompts many websites use to determine whether the user accessing the website is a “robot” (bot) or a legitimate user. The original Captcha involved a website displaying an image of words, letters, or numbers and requiring the user to correctly enter what they see. The words, letters, and numbers are often distorted in some fashion (such as a swirl filter or a thick line strikethrough) to prevent a script or bot from using OCR to read them and correctly enter the text in the given field.
Only when the user correctly enters the combination of words, letters, or numbers do they get to submit the form, enter the website, or purchase overpriced sneakers. There are many known exploits to circumvent Captcha, so it soon served only to keep out the most novice attackers while frustrating legitimate website visitors. Digital sweatshops offered services to solve one million Captcha images for as little as $1000 USD. Cloudflare famously required all TOR users to solve a Captcha in order to access a website under their protection.
Captcha version 2, also known as reCaptcha, sought to address several problems with the original Captcha by making human verification more human-friendly. I remember watching the Batman Animated Series cartoons when I was younger, and there was an episode where Batman’s sidekick Robin was presented with two Batmans. One was the true Dark Knight and the other was a highly intelligent robot, and Robin had to determine which was which in order to destroy the mechanical doppelgänger. Robin asked the two Batmans, “When was the last time you ate a good steak?” It was the first time I encountered something like a Turing test: mathematician Alan Turing devised a “test” comprising a series of questions to help determine whether the party you are talking to is a human or a computer. Computers are great at solving many problems, but Google believes they have found a set of problems that only humans can solve.
ReCaptcha involves a matrix of squares with various images displayed in them. The prompt asks users to click on all squares that meet a certain criterion, such as “click all the squares that contain a bicycle” or “click all squares with a street light in it”. This is a marginal improvement over words that look like they came out of a Picasso painting, but it is still frustrating for legitimate users. For example, when clicking on squares with a street light, does that square with 3 pixels of street light count? What if I am coming from a part of the world where it is not known as a street light? In California, the thing commonly found in parks that squirts out water for people to get a drink is called a “water fountain”. I found out that in Boston, they are called “bubblers”. Had I not known this random fact and been presented with a reCaptcha asking me to click on all squares with a “bubbler”, I would have been completely lost.
This is a major drawback of static security. ReCaptcha introduces a limited form of dynamic analysis in which a user can build a reputation that exempts them from Captcha challenges. For example, a website could check the last 10 pages in a user’s browsing history to determine whether they follow the pattern of a legitimate user or a bot. The browser could also track mouse movements to see whether a user made a bee-line, minimizing movement, toward the “I am not a robot” button. A normal human user might overshoot the button or take a less optimal path.
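One simple way to quantify that "bee-line" idea is to compare the straight-line distance between where the cursor started and ended against the total distance it actually traveled. This is a hypothetical sketch, not how reCaptcha actually scores mouse movement; the `path_efficiency` helper and the sample paths are my own illustration.

```python
import math

def path_efficiency(points):
    """Ratio of straight-line distance to actual distance traveled.

    points: list of (x, y) cursor samples. A ratio near 1.0 means the
    cursor moved in a near-perfect line to the target -- typical of a
    script -- while human movement overshoots and curves, scoring lower.
    """
    if len(points) < 2:
        return 0.0
    traveled = sum(
        math.dist(points[i], points[i + 1]) for i in range(len(points) - 1)
    )
    if traveled == 0:
        return 0.0
    return math.dist(points[0], points[-1]) / traveled

# A bot jumping straight to the checkbox vs. a human's wandering path:
bot_path = [(0, 0), (50, 50), (100, 100)]              # perfectly linear
human_path = [(0, 0), (40, 70), (90, 85), (100, 100)]  # curves and drifts

print(path_efficiency(bot_path))    # 1.0
print(path_efficiency(human_path))  # below 1.0
```

A real detector would combine many such signals (timing, acceleration, click cadence) rather than rely on any single ratio.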
Google recently announced reCaptcha version 3, which will not require any human intervention, much to the delight of internet users around the world. This next-generation Captcha aims to make bot verification a frictionless user experience by taking several factors into consideration and assigning a score to a website visitor. The website owner can set thresholds to allow or deny users based on a predetermined score. Sites like Ticketmaster and Adidas.com may require a higher "human score" threshold to protect the integrity of their e-commerce platform, as compared to someone trying to post a comment to my blog. Captcha version 3 will necessarily require tracking, and a reduction in privacy, in order to build a user profile and reputation. Google in fact encourages webmasters to install reCaptcha version 3 code on all webpages so a user score can be built across multiple pages and analytics can be gained on the specific pages that see the most bot activity.
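On the server side, the site owner's job reduces to comparing the returned score against their chosen threshold. The sketch below assumes the shape of the reCaptcha v3 verification response (a JSON body with a "success" flag, a 0.0-1.0 "score", and an "action" name); the `allow_visitor` helper itself is hypothetical.

```python
def allow_visitor(verification, threshold=0.5, expected_action=None):
    """Decide whether to serve a request given a reCaptcha v3 result.

    verification: the parsed JSON body from the verification endpoint.
    Scores run from 0.0 (very likely a bot) to 1.0 (very likely human).
    The threshold is the site owner's call: a sneaker drop might demand
    0.9, while a blog comment form might accept 0.3.
    """
    if not verification.get("success", False):
        return False
    # Optionally confirm the token was issued for the expected page action.
    if expected_action and verification.get("action") != expected_action:
        return False
    return verification.get("score", 0.0) >= threshold

# A high-demand storefront sets a strict threshold...
print(allow_visitor({"success": True, "score": 0.7, "action": "checkout"},
                    threshold=0.9, expected_action="checkout"))  # False
# ...while a blog comment form is lenient.
print(allow_visitor({"success": True, "score": 0.7},
                    threshold=0.3))  # True
```

The same visitor can thus be welcome on one site and blocked on another, purely as a matter of policy.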
Like Captcha, web security also has static and dynamic analysis for determining whether a user should be allowed to visit a website. Static analysis uses reputation-based scores to determine whether a website is benign or malicious at a certain point in time. This reputation list may be refreshed from time to time, but there will necessarily come a point where the list becomes stale and outdated. Just because showtime.com is safe today does not mean it will be safe tomorrow.
A better approach to security is adopting a zero trust model where all websites are treated as malicious until they are scanned and deemed to be safe. Even uncategorized and unknown websites can be scanned for malicious objects or indicators of compromise. A full website scan for dynamic analysis would necessarily require a proxy since the connection to every element must be terminated, scanned, and reestablished to ensure no malicious content is present. Simple DNS or reputation-based solutions lack the capability of seeing indicators of compromise such as a zero pixel iFrame. Proxy solutions that scan every byte of data on a website can perform various reputation checks such as:
Country check (risky TLDs such as .ru)
Unknown user agent
Domain registration date
SSL Certificate revocation status
Like reCaptcha v3, a score is returned based on possible indicators of compromise. A company administrator can set a predetermined score threshold to allow users to visit websites with a low threat score and block websites with higher threat scores, even when there are no obvious signs of a malicious website (cross-site scripting, phishing, botnet callbacks, and the like). Dynamic analysis will almost always be more secure than static analysis, but it requires a proxy architecture. Many “budget” or “good enough” solutions lack the processing power to perform the proxy services and SSL inspection needed to ensure that users are fully protected.
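Putting the checks and the threshold together, the proxy's decision can be sketched as a weighted sum. The check names, weights, and the 0-100 scale below are all hypothetical, chosen only to illustrate how an administrator-defined threshold turns individual indicators into an allow/block verdict.

```python
# Hypothetical weights for the reputation checks listed above; a real
# proxy would derive these from far richer signals than a fixed table.
CHECKS = {
    "risky_tld": 30,           # domain ends in a high-abuse TLD
    "unknown_user_agent": 15,
    "recent_registration": 25, # domain registered very recently
    "cert_revoked": 40,        # SSL certificate revocation check failed
    "zero_pixel_iframe": 50,   # indicator of compromise found in page body
}

def threat_score(findings):
    """Sum the weights of the triggered checks, capped at 100."""
    return min(100, sum(CHECKS[f] for f in findings))

def verdict(findings, block_threshold=50):
    """Block when the combined score crosses the administrator's threshold."""
    return "block" if threat_score(findings) >= block_threshold else "allow"

print(verdict(["unknown_user_agent"]))                # allow (score 15)
print(verdict(["risky_tld", "recent_registration"]))  # block (score 55)
```

Note that the second verdict blocks a site that shows no overtly malicious content at all; the combination of weak indicators alone crosses the threshold, which is precisely the advantage dynamic analysis has over a static allow/deny list.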