willem.com

CAPTCHA Alternative

Protect your forms in a user friendly way

July 30, 2022 -

Chances are that you've encountered a CAPTCHA in the wild: they protect web forms by asking you to type over weirdly rendered characters or by asking you to select photos containing a particular thing. Why are they used and is there a user friendly alternative?

What is CAPTCHA?

Designed to tell computers and humans apart, CAPTCHA's often require you to do something that computer's can't easily do. Hence the acronym stands for: Completely Automated Public Turing test to tell Computers and Humans Apart. Web builders use CAPTHA's to protect their web forms against automated spam and abuse.

Typical CAPTCHA's you may encounter on the web (image credit: Wikipedia and Google)
Typical CAPTCHA's you may encounter on the web (image credit: Wikipedia and Google)

Why do you need form protection?

A typical web form uses two steps:

A typical web form: server processes information from a person, forwarding it to other people, like yourself. Malicious actors can easily fake the sending person, enabling automated abuse of your processing server
A typical web form: server processes information from a person, forwarding it to other people, like yourself. Malicious actors can easily fake the sending person, enabling automated abuse of your processing server

The problem with this typical approach is that the first step can easily be automated by malicious actors. They use another computer to repeatedly submit information to the server, forcing it to process loads of information, often containing spam messages. Hackers are especially keen on finding web forms where they can manipulate the "TO"-address, because then they can use your server to send spam messages to anybody in the world.

A CAPTCHA protects your form by obstructing a computer from automatically submitting information to your server.

Problems with CAPTCHA

Frankly, I think they're ugly and cumbersome, and I am not alone. They introduce a threshold for people: lowering conversion rates, click through rates, etc. In addition, they are often very unfriendly to people with sub optimal sight.

Critics also complain about Google being one of the most popular suppliers of free CAPTCHA tests. One may wonder why they offer such a service free of charge? It is an excellent way for them to get in the loop of many (commercial) customer journeys, feeding their algorithms with more data to profile people. It is something to consider if you value privacy and GPDR/cookie laws.

Alternative

That's why I set out to create an effective alternative for CAPTCHA's to be used on the web forms that I build for my customers. My approach is two-fold:

Cryptographic pre-submit signature: the post stamp

You must understand that malicious actors think economically: they will only do as much of an effort if the potential gain is worth it. If you make it hard enough for them to abuse your web form, chances are they'll move on and call it a day. Before I explain what I did, I must warn you:

Disclaimer: You must consider the goal of your form protection, in my case it is (greatly) reducing the number of spam messages while preserving user-friendliness. This allows me to think of a system that does not necessarily provide "bomb proof" protection, yet if you're trying to protect nuclear secrets then this approach might not fit you. Always consider your threat model!

To protect web forms I introduce an extra step that I dubbed "getting a post stamp". The steps of the protected web form then become like this:

By introducing a unique, use-only-once, token for each message it becomes much harder for malicious actors to automate the process of sending messages - protecting your form against spammers
By introducing a unique, use-only-once, token for each message it becomes much harder for malicious actors to automate the process of sending messages - protecting your form against spammers

Since 2016 I have been running this approach and the post processing servers have handled literally millions of messages, with extremely few messages (<100) being spam. Upon closer inspection, most of the spam that get through is "manual labour": possibly indicating malicious actors investigating the mechanism. As it appears to be too much of an effort to break the system, it is very effective in achieving my goal of protecting the web forms.

Conclusion

While CAPTCHA's are understandably very popular, it is not always necessary to have them on your web forms if you consider alternatives. It's my advice to make it harder for malicious actors and easier for your audience!

Did you enjoy this post?

If you found this content useful,
consider showing your appreciation
by buying me a coffee ❤️😋:

Reach out to me on :

@wlmiddelkoop

Latest Stories

all CloudCyber SecurityHackingPeopleServerWebdesignWork

Articles (155)