Finger, a verification library to prove hommaannnnnness of a user

Yeah definitely, this is what I said on the blog post.

It is bespoke and good enough to deter the 99% and slow down the 1% - if they ever decide to bother with an already free and non-membership required services platform.

Well then, in Finger's case, it would work the first time and then not work again; you can’t cache the result, it changes every page load (unless you did something funky with the library).

Workflow:

GET /finger.jpg

finger_controller

> {answer, image} = Finger.generate(2)
> {"35", <<1, 3, 4, ... >>}
> session_put(answer)
> respond(image)

GET /important

important stuff template
<form action=important method=post>
<img src=finger.jpg>
<input type=number name=finger>
</form>

POST /important

important stuff controller
> if form.finger == session_get(finger) then do stuff

They can cache that jpg all they want; it will be valid only the first time, and only if it is solved by a human.

You could also define a random route for the finger controller if you wanted them never to cache that statically named dynamic picture.

/finger/:name 

<img src=finger/random_url_safe_string 32 >

If I were to actually deal with them, I would send a zip bomb or a corrupt chunked 100MB file every time, directly from nginx, for their IP ranges when they wanted to cache something.

After I had my fun, I would drop the IP ranges at the FW perimeter.

1 Like
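The one-time behaviour described in the workflow above, as an added example that is not code from the post or from the Finger library. The session is modelled as a plain map, and the `ChallengeFlow` module, the `:finger_answer` key and the 120-second lifetime are assumptions made for illustration.

```elixir
# Added example: single-use challenge handling for the workflow above.
# The session is a plain map here; in a Plug/Phoenix app the same steps
# map onto put_session/get_session/delete_session.
defmodule ChallengeFlow do
  @session_key :finger_answer   # hypothetical key name
  @max_age_s 120                # assumed lifetime, not from the thread

  # GET /finger.jpg: create a challenge, remember its answer, return the image.
  # `generate` stands in for Finger.generate/1 and must return {answer, image}.
  def issue(session, generate, now \\ System.system_time(:second)) do
    {answer, image} = generate.()
    {image, Map.put(session, @session_key, {answer, now})}
  end

  # POST /important: pop the stored answer before comparing, so a wrong guess
  # and a replay of an earlier correct answer both leave nothing to retry.
  def verify(session, submitted, now \\ System.system_time(:second)) do
    {stored, session} = Map.pop(session, @session_key)

    result =
      case stored do
        nil -> {:error, :no_challenge}
        {_answer, issued} when now - issued > @max_age_s -> {:error, :expired}
        {answer, _issued} when is_binary(submitted) and answer == submitted -> :ok
        _ -> {:error, :wrong_answer}
      end

    {result, session}
  end
end

# Constructed stand-in for the library call; the real image is a JPEG binary.
fake_generate = fn -> {"35", <<0xFF, 0xD8, 0xFF>>} end

# A correct answer is accepted once; replaying it finds no stored challenge.
{_image, session} = ChallengeFlow.issue(%{}, fake_generate, 1_000)
{first, session} = ChallengeFlow.verify(session, "35", 1_010)
{replay, _session} = ChallengeFlow.verify(session, "35", 1_011)

# A wrong guess also consumes the challenge, so a second try needs a new image.
{_image, session} = ChallengeFlow.issue(%{}, fake_generate, 2_000)
{wrong, session} = ChallengeFlow.verify(session, "8", 2_005)
{retry, _session} = ChallengeFlow.verify(session, "35", 2_006)

IO.inspect({first, replay, wrong, retry})
```

Consuming the stored answer on every attempt is what makes a cached image worthless after its first use, independent of whether the image URL is static or randomized.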

Google’s recaptcha v3 (or was it v4… whichever was the one that uses an excess amount of JS to try to scan everything about you) is trying for that, I may not like all the tracking and JS stuff it does, but it works quite well at figuring out browser ‘usage’ and tracking and such to determine who’s a bot, all without showing a captcha to the actual person (unless certain criteria are met).

yes it does work quite well but unfortunately in the hands of an evil corp that snoops on everything you do.

3 Likes

You have others doing the same as Google reCAPTCHA V3, like:

Also a good alternative or addition is to use:

2 Likes

$100 a very good salary in Vietnam. :rofl:

2 Likes

unfortunately the reality of our world though

1 Like

They are not caching the image URL or anything; they are probably just caching a simple Fourier transform of it, which will technically be a cache of that unique combination.

Those transforms are immune to resizing etc, and the only way you can break similarity scores is by warping the image, hence why a lot of the old captchas had words that looked like they were viewed through a lens.

You need to randomly (even inside what is technically the same permutation like 1-3-2-1) place the images and skew them in ratio and placement for such a caching to not work.

3 Likes

the famous FT hits us again :slight_smile:

Luckily, very achievable with the way we stitch with ImageMagick. I am the only user so far, so I don’t think I need to go to those levels just yet :slight_smile:

I am finding out that people just enter the sums on the first try rather than reading the instructions.

Changing to sums would drastically increase the possibility of a right guess, from min 1/44 to 1/8, but that seems like human nature or conditioned internet-based behavior so far.

PS: the given stats are for a set of n=2 images, as I use on my website. The number gets smaller as you increase to max n=9.

2 Likes