CAPTCHA Service

Overview

Modern web sites often require a security check to ensure the client is a human, and not a sophisticated computer program typically known as a "bot". The most common method for ensuring human interaction is to provide a problem, usually in the form of some image recognition, that humans can solve without much difficulty but is, at the same time, sufficiently difficult for a computer to solve correctly at anything greater than a statistically random rate. This type of problem and its implementation is known as a CAPTCHA, which is an acronym for "Completely Automated Public Turing Test To Tell Computers and Humans Apart".

CAPTCHA Service Example

Like most CAPTCHA implementations, the Notequalsoft CAPTCHA Service also relies on image recognition. However, because it is a web service, there are no additional components to install on other servers or client PCs.

Security


Images generated by the Notequalsoft CAPTCHA Service provide an above-average level of security, but not as high as most commercial implementations. Each character in the query phrase is generated in a random font, at a random size, and drawn in a random color at a random rotation. While this level of perturbation is not as severe as other implementations, it is effective at disabling most OCR algorithms. Additional perturbation effects may be added in the future without affecting compatibility with existing applications.

The query phrase embedded into the CAPTCHA image is never transmitted to the client in plain text. A public key is transmitted instead, and this key is returned to the server when validating the response. The public key may only be used for validation once and then forever becomes invalid. This ensures that the Notequalsoft CAPTCHA Service is not susceptible to "replay attacks", where a known public key/response combination may be reused in multiple validation attempts. In addition, the public key automatically expires after approximately 30 minutes, with a minimum of 20 minutes and a maximum of 40 minutes. This feature limits the amount of time to "solve" the CAPTCHA, preventing abuse by external parties.


The query phrase is generated randomly: neither the server session ID, image filename, nor public key may be used to reconstruct the query phrase programmatically. Forty-one unique characters with a randomly selected phrase length of six to eight characters provide a possible set of 8,184,429,607,243 (41^6 + 41^7 + 41^8) unique query phrases. This is many times larger than the possible set of English words used in most common implementations (including the "official" CAPTCHA implementation, reCAPTCHA), which are prone to dictionary attacks at a much greater success rate than randomly generated phrases. Because the Notequalsoft CAPTCHA Service is not prone to dictionary or repetition attacks, an automated process has less than a 1 in 8 trillion chance of providing a proper response for any given query. Assuming one attempt per second, it would take an automated process an average of 129,678 years to provide a proper query response to the server.

Usage

The Notequalsoft CAPTCHA Service falls under the Notequalsoft Web Services Usage Contract. Please review this page for terms before implementing the Notequalsoft CAPTCHA Service on your web page or in your applications.

Methods

Generate(int Width, int Height)
returns (string ImageUri, int ImageWidth, int ImageHeight, string PublicKey)

Generates a CAPTCHA image of specific size and corresponding public key for validation.

The actual image generated may be of slightly different size than the arguments passed to the function, to ensure both legibility and reasonableness, hence the need to return the actual generated size to the caller.

 


Validate(string PublicKey, string Response)
returns (boolean Valid, boolean Success)

Validates a CAPTCHA response for the specified public key.

A public key that has expired will be treated as invalid, regardless of whether the response was correct or not. Success will only be set if both the public key is valid and the correct response was supplied.
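The single-use and expiry rules from the Security section, together with the Validate contract above, can be modelled as follows. This is an added Python example, not Notequalsoft's code; the in-memory store, the fixed 30-minute lifetime, the 41-character alphabet, and the choice to consume the key on any validation attempt are assumptions.

```python
import hmac
import secrets
import time

# Assumed alphabet: the page states 41 characters but does not list them.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ" + "23456789" + "abdefhkmn"


def phrase_space(alphabet_size=len(ALPHABET), lengths=range(6, 9)):
    """Number of distinct phrases of length 6, 7 or 8 over the alphabet."""
    return sum(alphabet_size ** n for n in lengths)


class CaptchaStore:
    """In-memory model of the Generate/Validate contract (hypothetical class)."""

    def __init__(self, ttl_seconds=30 * 60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # public key -> (phrase, expiry time)

    def generate(self):
        now = self._clock()
        # Drop expired entries so abandoned challenges do not accumulate.
        self._pending = {k: v for k, v in self._pending.items() if v[1] > now}
        # Phrase and key are drawn independently from a CSPRNG, so the key
        # carries no information that could reconstruct the phrase.
        length = 6 + secrets.randbelow(3)
        phrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
        key = secrets.token_urlsafe(32)
        self._pending[key] = (phrase, now + self._ttl)
        # A real service renders the phrase into an image; the text is
        # returned here only so the model can be exercised.
        return key, phrase

    def validate(self, key, response):
        """Return (valid, success) for one validation attempt."""
        # pop() consumes the key on the first attempt, right or wrong, so a
        # key/response pair cannot be replayed and a key allows one guess.
        entry = self._pending.pop(key, None)
        if entry is None:
            return False, False  # unknown or already used
        phrase, expires_at = entry
        if self._clock() >= expires_at:
            return False, False  # expired: invalid even if response is correct
        # Constant-time comparison avoids leaking a matching prefix via timing.
        return True, hmac.compare_digest(phrase.encode(), response.encode())
```
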

Implementations

The following implementations may be used to simplify the interface between your application or web page and the Notequalsoft CAPTCHA Service.

 

The Notequalsoft CAPTCHA Service is a standard W3C®-compliant Web Service that supports Basic Profile 1.1 and Simple Object Access Protocol (SOAP) versions 1.1 and 1.2. You may develop your own implementation around these standards, so long as its usage does not violate the terms of the Notequalsoft Web Services Usage Contract.

The following files may be required by your implementation: