Published on October 22nd, 2021 | by Sunit Nandi
Why CAPTCHA is No Longer An Ideal Solution
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a simple, automated challenge designed to be easy for human users to solve (if annoying and time consuming) while being very difficult, and ideally impossible, for programs such as bots to solve.
For years, CAPTCHA has been the main way for websites and online services to keep malicious bots from accessing and abusing them, but in recent years questions have been raised about whether CAPTCHA is still the right tool for that purpose.
While CAPTCHA is still fairly effective against most malicious bots, there are two main reasons it is no longer considered ideal:
CAPTCHA is Bad for User Experience
This one has been a major issue ever since CAPTCHA was introduced. CAPTCHA tests will naturally slow users down from achieving their objectives: browsing a website, watching a video, performing a search, and so on.
Visual CAPTCHA tests were often a nightmare for people with visual impairments, so many developers added audio CAPTCHAs so that users could hear the characters instead. However, audio tests take longer to solve, and accessibility concerns remain.
Meanwhile, bots are getting better at solving CAPTCHAs: as early as 2014, one of Google’s own algorithms had a 66% higher success rate than human users at solving text CAPTCHAs.
This is the dilemma: CAPTCHA tests need to be harder in order to block bots, but harder tests frustrate users even more. It is very difficult, if not impossible, to design a universal challenge that every human can pass and no program can, so an ideal CAPTCHA test simply does not exist.
The Presence of CAPTCHA Farms
Another issue plaguing the usage of CAPTCHA in bot management is the presence of CAPTCHA farms.
CAPTCHA farms are simply groups of people paid to solve CAPTCHAs. The bot forwards the challenge to the farm, a paid worker solves it, and the answer is passed back to the bot, which submits it as if it had solved the test itself.
As a result, CAPTCHA farm services effectively render CAPTCHAs useless against any attacker willing to pay for solves.
Even worse, CAPTCHA farms are not the only CAPTCHA-solving tools and services available to cybercriminals. Many are developing machine-learning solvers that handle sophisticated CAPTCHAs effectively, and there will always be new techniques that further weaken an already weak control.
Effective CAPTCHA Alternatives To Protect Your Website
Due to the issues with CAPTCHA, as discussed above, many businesses and individuals are now looking for CAPTCHA alternatives to protect their websites from bots.
Below we will discuss some of the CAPTCHA alternatives that are effective in protecting your websites from bots and other types of automated attacks:
Time-Based Detection
A relatively basic but effective approach to protecting your site from automated attacks, especially form spam, is time-based detection.
The principle is simple: bots perform tasks far faster than human users, so we measure how quickly a user agent makes requests, in this case how much time passes between the form being rendered and the form being submitted. If a submission arrives too quickly for a person to have filled in the form, we can reject it. The measurement has to be made server-side with a timestamp the server issued and signed when it rendered the form: a timer that runs in the browser, or a plain timestamp in a hidden field, can be forged by the bot.
Bots can obviously slow themselves down to fool this check, but doing so costs the bot operator time and resources (which can be expensive at scale), so they may give up and move on to easier targets.
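Here is one way to implement the timing check server-side. This is an added example and is not code from the original article: it issues an HMAC-signed timestamp when the form is rendered and verifies it on submission, so a bot cannot simply backdate the hidden field or reuse an old token. The key, the thresholds (3 seconds minimum, one hour maximum) and the in-memory set of used nonces are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for this example: in production load the key from configuration and
# keep the seen-nonce set in a shared cache (e.g. Redis) rather than in memory.
SECRET_KEY = secrets.token_bytes(32)
MIN_FILL_SECONDS = 3.0       # faster than this and nobody typed the form
MAX_FILL_SECONDS = 3600.0    # older than this and the token is stale
_seen_nonces = set()


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Called when the form is rendered; embed the result in a hidden input.

    The token carries the render time and a random nonce, both authenticated
    by an HMAC so the client can neither alter the timestamp nor forge a token.
    """
    now = time.time() if now is None else now
    payload = f"{now:.3f}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"


def check_form_token(token: str, now=None):
    """Called on submission. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return False, "malformed"
    ts, nonce, mac = parts
    # Verify the signature (constant-time compare) before trusting any field.
    if not hmac.compare_digest(mac, _sign(f"{ts}:{nonce}")):
        return False, "bad-signature"
    elapsed = now - float(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too-fast"        # submitted faster than a human could
    if elapsed > MAX_FILL_SECONDS:
        return False, "expired"
    if nonce in _seen_nonces:
        return False, "replayed"        # same token reused for another submission
    _seen_nonces.add(nonce)
    return True, "ok"
```

Render `issue_form_token()` into a hidden input and pass the submitted value to `check_form_token()`. Treat `too-fast` as a bot signal rather than a hard error at first: browser autofill and assistive tools can also submit forms quickly, so log the rejections and tune `MIN_FILL_SECONDS` against real traffic before blocking outright.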
Honeypot
A honeypot tricks or misdirects bots so that they waste their resources without reaching their target.
For example, we can place a hidden link on the page (styled in the same colour as the background, or positioned off-screen). Legitimate users never see or click it, but a crawler bot that follows every link it finds will. We can then block the user agent that requests the hidden URL, or redirect it to a fake page with fake content. The trap URL should be listed as disallowed in robots.txt so that well-behaved crawlers such as Googlebot never reach it; only crawlers that ignore robots.txt get caught.
Honeypots can be implemented in various ways. In forms, for example, we can add an extra field that is hidden with CSS (or removed by JavaScript) so that humans never see it. Bots that fill in every field they find will populate it, and any submission with that field filled in can be discarded, which filters form spam automatically.
Yet another example is adding a second checkbox, hidden with CSS, below the “I am not a robot” checkbox featured in reCAPTCHA and other modern CAPTCHA tests. A bot may tick both boxes, telling the system that it is a bot.
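The three traps above (hidden link, hidden form field, hidden second checkbox) can be wired together as follows. This is an added example, not code from the original article: the trap path, the field names, the block duration and the `.hp` stylesheet class (assumed to be defined as `position:absolute; left:-10000px`) are deployment choices made up for illustration, and the client identifier is whatever the server uses to recognise a visitor (IP address, session cookie, fingerprint).

```python
import html
import time

# Assumed values for this example: the trap URL, the field names, the block
# duration and the ".hp" stylesheet class are not part of the original article.
TRAP_PATH = "/catalog-archive"
TRAP_FIELD = "contact_fax"
TRAP_CHECKBOX = "confirm_robot"
BLOCK_TTL_SECONDS = 24 * 3600


def robots_txt() -> str:
    """Cooperative crawlers such as Googlebot honour this and never reach the
    trap; bots that ignore robots.txt and follow every link are the ones caught."""
    return f"User-agent: *\nDisallow: {TRAP_PATH}\n"


def hidden_link_html() -> str:
    """Trap link: hidden from sighted users by the .hp class, from screen readers
    by aria-hidden, from keyboard focus by tabindex, and flagged nofollow."""
    return (f'<a class="hp" href="{TRAP_PATH}" rel="nofollow" '
            'aria-hidden="true" tabindex="-1">archive</a>')


def comment_form_html(action: str = "/comment") -> str:
    """Comment form with a hidden trap field and a hidden second checkbox.
    The trap inputs are hidden by the stylesheet class rather than by
    type="hidden" or an inline display:none, which some form bots detect and skip."""
    return f"""<form method="post" action="{html.escape(action)}">
  <label>Name <input name="name" autocomplete="name"></label>
  <label>Comment <textarea name="comment"></textarea></label>
  <div class="hp" aria-hidden="true">
    <label>Fax <input name="{TRAP_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <label><input type="checkbox" name="not_robot" value="1"> I am not a robot</label>
  <label class="hp" aria-hidden="true">
    <input type="checkbox" name="{TRAP_CHECKBOX}" value="1" tabindex="-1"> I am a robot
  </label>
  <button>Post</button>
</form>"""


class HoneypotGuard:
    """Tracks clients that hit the trap link and screens form submissions."""

    def __init__(self):
        # client id -> time at which the block expires (use a shared cache in production)
        self._blocked = {}

    def handle_request(self, client: str, path: str, now=None) -> str:
        """Returns 'blocked', 'trapped' or 'ok' for one request."""
        now = time.time() if now is None else now
        until = self._blocked.get(client)
        if until is not None and now < until:
            return "blocked"
        if path == TRAP_PATH:
            # Only a crawler that ignores robots.txt and follows invisible links lands here.
            self._blocked[client] = now + BLOCK_TTL_SECONDS
            return "trapped"
        self._blocked.pop(client, None)   # expired entry, if any: forget it
        return "ok"

    @staticmethod
    def classify_form(fields: dict):
        """fields is the submitted form (e.g. request.form in Flask).
        Returns ('bot', reason) or ('human', None)."""
        if fields.get(TRAP_FIELD, "").strip():
            return "bot", "trap-field-filled"
        if fields.get(TRAP_CHECKBOX):
            return "bot", "hidden-checkbox-ticked"
        return "human", None
```

Serve `robots_txt()` at `/robots.txt`, drop `hidden_link_html()` into the page templates, and route every request through `handle_request()` so that a hit on `TRAP_PATH` blocks the client for the TTL. Blocking by IP address is crude (shared NAT, rotating proxies), so a session cookie or fingerprint is usually a better client identifier; and because browser autofill and password managers occasionally fill hidden fields, treat `classify_form()` as one signal among several and log before you block.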
Web Application Firewall
A WAF (Web Application Firewall) can block requests that match known signatures. This is effective against less sophisticated bots with known fingerprints and against known attack patterns such as SQL injection, but signature-based WAF blocking is typically no longer effective against sophisticated bots that mimic ordinary browser traffic.
Using Advanced Bot Protection Solution
The most complete CAPTCHA alternative for combating automated bots is a dedicated bot detection and management solution that detects bot traffic automatically and mitigates it.
However, detecting and managing today’s sophisticated bots is easier said than done. Bot operators are getting more advanced, and are using the latest technologies, including AI and machine learning, to mask their bots’ identities, so distinguishing these bots from legitimate human users can be a major challenge.
Not to mention, there are also good, beneficial bots like Googlebot that we wouldn’t want to accidentally block.
Thus, while this approach is the most effective, the solution has to be sufficiently advanced. AI-based bot management solutions that analyse traffic in real time can separate bots from human users, and good bots from bad bots, automatically; with one in place, you no longer need CAPTCHA to combat these bots.