Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Is there a problem in making Captcha an HTML builtin with an attribute setting which type of Captcha

+0
−2

Many web login and contact form features could be set as standard HTML builtins without the need to develop and backend and/or (non HTML) frontend for them, for example:

  • Select field
  • Input Date field
  • Input Time field

In that StackExchange post I understood from one of the commenters that Captcha can't be such a standard feature, say by W3C:

Because this has absolutely nothing to do with HTML and this is not a coding standard or approach

I don't know why the commenter wrote that.


Is there a problem making Captchas a standard HTML builtin with attributes to set Captcha type? I mean, especially if it used just once per webpage, this can be nice, isn't it?

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

2 answers

+7
−0

As the comments in that thread mention, Captcha is a service, not mere software. The distinction is that Captcha are in an arms race with spammers, and must continually evolve to remain effective.

In particular, many popular Captcha approaches have been made obsolete by advances in AI: The "distorted text as image" trick was made largely obsolete by advances in text recognition algorithms, and the "identify this image" trick will likely be made obsolete in the near future by innovations in image recognition fueled by the development of self driving cars (in fact, training AI systems is probably the reason Google offers reCAPTCHA as a service in the first place).

This continued evolution makes Captcha standardization difficult:

  • If W3C standardizes an implementation, it will require browser vendors to participate in this arms race, which they have no incentive to do. In addition, if the standardized approach becomes insecure, W3C and all browser vendors would need to fix that quickly, but the W3C standardization process often takes years, which is a wholly unsuitable time period for fixing security issues.
  • If W3C did not standardize the implementation, browsers would offer radically different levels of security. Since the website wishing to employ a Captcha must trust that security, it won't want to buy a pig in a poke, so will likely not use the browser feature, but continue to use Captcha services of known quality, making the standardized Captcha feature useless.

The only benefit standardization could possible provide is to define a uniform interface for embedding Captcha provided by third parties into a website, but since embedding Captchas is trivial with the means HTML already provides, this wouldn't add significant value.

So the key difference between Captchas and a date input is that Captchas must evolve alongside the state of the art in AI research, but date inputs can remain as they are for ever.

And by the way, even the standardization of date inputs by W3C was not really successful, because the browser implementations are of such varying quality that many web developers prefer custom JavaScript controls for consistency of user experience. For instance, MDN writes:

At the moment, the best way to deal with dates in forms in a cross-browser way is to have the user enter the day, month, and year in separate controls, or to use a JavaScript library such as jQuery date picker.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

0 comment threads

+3
−0

A standard form tag such as <input type="captcha"> won't exist. Browsers are not to be trusted to self-regulate a Captcha service.

Without getting into specific examples, there are browser extensions on the market that already employ sneaky techniques for solving Captchas programmatically. A field such as this can easily be "blanked" by any such extension or browser to have zero functionality.

I do want to speak to one service that is similar in function to reCaptcha: Android's SafetyNet. This very much is a drop-in solution, just written in Android-native code instead of HTML. It functions under the assumption that most users are using an unrooted Android device and are thus "trusted."

Again, without linking to examples and perhaps falling afoul of community guidelines, a rooted custom ROM Android device can blank this feature of the Android API.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

0 comment threads

Sign up to answer this question »