[OpenID] OpenID's effect on CAPTCHA

Deron Meranda deron.meranda at gmail.com
Fri Mar 27 20:43:34 UTC 2009


On Fri, Mar 27, 2009 at 4:25 PM, Chris Messina <chris.messina at gmail.com> wrote:
> I believe that this is also where PAPE comes in to some degree. ...

Yes, PAPE could be used to give you a good hint, once more OPs start
using it.  But as you mentioned, you still have to believe what the OP says,
and a rogue OP can say anything it wants, which makes PAPE not
quite as powerful as it might appear to be.


Perhaps an adaptive approach could be made, where you initially
assume that an OpenID from a certain provider safeguards against
non-human bots, and thus you don't add a captcha layer.

However, you can perhaps monitor spam (bot-behavior) thresholds
per-provider, and then kick in an extra captcha workflow only for those
providers that you've had a recorded history of spam abuse from.

Then again, this has the same flaws as any blacklisting approach,
where there is an essentially unlimited supply of OPs.  But at least
here you're making the decision per-OP, and not per-identity.
-- 
Deron Meranda
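
The per-provider approach described in the message above, as an added example that is not part of the original post. The class name, the threshold values, and the choice to key on the verified OP endpoint host are assumptions, and the endpoint URLs in `demo()` are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class ProviderStats:
    logins: int = 0
    spam: int = 0

class AdaptiveCaptchaPolicy:
    """Trust an OP until its recorded spam rate crosses a threshold."""

    def __init__(self, spam_rate_threshold=0.2, min_logins=20):
        # Both values are assumed for illustration; tune them on real traffic.
        self.spam_rate_threshold = spam_rate_threshold
        self.min_logins = min_logins
        self.stats = defaultdict(ProviderStats)

    @staticmethod
    def provider_key(op_endpoint):
        # Key on the OP endpoint the RP verified during discovery, not on the
        # claimed identifier, so the decision is per-OP and not per-identity.
        host = urlsplit(op_endpoint).hostname
        if not host:
            raise ValueError(f"not an absolute OP endpoint URL: {op_endpoint!r}")
        return host

    def record_login(self, op_endpoint):
        self.stats[self.provider_key(op_endpoint)].logins += 1

    def record_spam(self, op_endpoint):
        self.stats[self.provider_key(op_endpoint)].spam += 1

    def captcha_required(self, op_endpoint):
        s = self.stats.get(self.provider_key(op_endpoint))
        # Too little history (or none): keep the initial assumption of trust.
        if s is None or s.logins < max(self.min_logins, 1):
            return False
        return s.spam / s.logins >= self.spam_rate_threshold

def demo():
    # Constructed traffic: one clean OP, one abused OP, one never-seen OP.
    good, bad, new = ("https://op-good.example/server",
                      "https://op-bad.example/server",
                      "https://op-new.example/server")
    policy = AdaptiveCaptchaPolicy()
    for i in range(50):
        policy.record_login(good)
        policy.record_login(bad)
        if i % 3 == 0:  # 17 of 50 logins from the abused OP are flagged as spam
            policy.record_spam(bad)
    return {op: policy.captcha_required(op) for op in (good, bad, new)}
```

In `demo()` the never-seen OP gets no captcha, which is the blacklisting flaw the message points out: with an essentially unlimited supply of OPs, each new one starts out trusted.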


