Making defeating CAPTCHAs harder for bots

For a number of years, many websites have used CAPTCHAs to filter out interactions by bots. However, attackers have found ways to circumvent CAPTCHAs by programming bots to solve or bypass them, or even relay them for humans to solve. In order to reduce the chances of success of such attacks, CAPTCHAs can be strengthened by the addition of certain safeguards. In this paper, we discuss seven existing safeguards as well as five novel safeguards designed to make circumventing CAPTCHAs harder. These safeguards are not mutually exclusive and can add multiple layers of protection to a CAPTCHA. We further provide a high-level comparison of their effectiveness in addressing the threat posed by CAPTCHA-defeating techniques. In order to focus on safeguards that are usable, we restrict our attention to those which have minimal adverse effect on the user experience

One leak will sink a ship:WebRTC IP address leaks

The introduction of the WebRTC API to modern browsers has brought about a new threat to user privacy. This API causes a range of client IP addresses to become available to a visited website via JavaScript even if a VPN is in use. This a potentially serious problem for users utilizing VPN services for anonymity. In order to better understand the magnitude of this issue, we tested widely used browsers and VPN services to discover which client IP addresses can be revealed and in what circumstances. In most cases, at least one of the client addresses is leaked. The number and type of leaked IP addresses are affected by the choices of browser and VPN service, meaning that privacy-sensitive users should choose their browser and their VPN provider with care. We conclude by proposing countermeasures which can be used to help mitigate this issue