New CAPTCHA Services Being Reworked

by Jon Davis 2. August 2009 16:35

So a few posts back I mentioned (CAPTCHA This, Yo!), a web site name that took me all of about 5 seconds of creative exploration to come up with, whereby I was inspired by ReCAPTCHA and other similar CAPTCHA services but wanted to provide a more diverse, multi-format CAPTCHA web site/service that exposed a number of various CAPTCHA algorithms that multiple web sites can use.

The prototype failed when I forgot that cross-site scripting blocked my prototype once I deployed it. I felt so stupid; I’ve been doing this stuff for over a decade and hadn’t paid attention to the browsers’ evolution of blocking cross-site script calls. Stuff I was able to do years ago I can’t do anymore because of browser security constraints.

So I spent some time looking at various workarounds. First I looked at Flash as a client-side proxy, which had me stumped because it just plain wouldn’t work and wouldn’t provide any feedback. Then I discovered JSONP, which is what Yahoo!’s APIs use. This had me stumped, too, but see my previous post; it didn’t work, either, but that’s because the browser won’t perform lately-invoked script references from ‘localhost’. Once I got around that, I decided JSONP will be the cross-domain scripting method of choice.

I might be abandoning, not because I want to abandon a CAPTCHA service but a) because it’s a ridiculous name, and b) because the scope changed. I figured out how to make the CAPTCHA algorithm a public-submissions based community without asking users to upload .NET interface-implementing assemblies to a server that runs stuff automatically. I also discovered that and are available, so I snagged those, and (a word merge of “human” and “authenticate”) as well.

I spent this evening compiling a rough draft of a spec that I’ll post on, eventually have posted on The rough draft doc has been written. The basic idea is simple: there are two (2) types of services, a Challenge service and a Challenge-Answer provider service. A Challenge-Answer provider service returns a JSON object consisting of a challenge (question, image, etc) and an answer (array of possible acceptable answers). This Challenge-Answer provider is invoked by either a Challenge service that passes the Challenge to the client that then passes the user’s answer to the consuming web site’s server that then calls the Challenge service to validate the answer, or by a web site’s server that retains the answer for validation on its own, without a Challenge server acting in the middle. The former is easier to implement, the latter is more performant.
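The Challenge service flow described above, as an added example (not code from the original post or from the spec it mentions): the service keeps the provider's answer array on the server and gives the client only the challenge and an opaque id. The `id` field, the expiry, the single-use rule and all function and class names are assumptions; only the `challenge` and `answer` members come from the description.

```javascript
const crypto = require('crypto');

// Challenge-Answer provider: returns a challenge plus the acceptable answers.
// Constructed sample; a real provider would generate a question or image.
function sampleProvider() {
  return { challenge: 'What is three plus four?', answer: ['7', 'seven'] };
}

function normalize(s) { return String(s).trim().toLowerCase(); }

// Challenge service (hypothetical shape): sits between provider and client.
class ChallengeService {
  constructor(provider, ttlMs = 120000, now = Date.now) {
    this.provider = provider;
    this.ttlMs = ttlMs;
    this.now = now;
    this.pending = new Map(); // id -> { answers, expires }
  }

  // Sent to the browser. The answer array is deliberately left out, so
  // reading the JSONP response does not reveal the solution.
  issue() {
    const { challenge, answer } = this.provider();
    const id = crypto.randomBytes(16).toString('hex'); // unguessable handle
    this.pending.set(id, {
      answers: answer.map(normalize),
      expires: this.now() + this.ttlMs,
    });
    return { id, challenge };
  }

  // Called by the consuming web site's server, not by the browser.
  validate(id, userAnswer) {
    const entry = this.pending.get(id);
    this.pending.delete(id); // single use: one guess per issued challenge
    if (!entry || this.now() > entry.expires) return false;
    return entry.answers.includes(normalize(userAnswer));
  }
}
```

In the second variant from the paragraph, where the web site's server calls the provider directly, the same rule applies: the `answer` array stays in server-side session state and is never serialized to the client.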

So these are going to be the web site / service URLs:

  • – Will define the spec
  • – Will expose a formal list of spec compliant service providers (Challenge services and Challenge-Answer provider services)
  • – Will be a branded CAPTCHA service that complies with spec. CAPTCHA algorithms are proprietary.
  • – Will be a community-driven sandbox of CAPTCHA providers where user-created algorithms can be rated and commented on.


Computers and Internet | Web Development



About the author

Jon Davis (aka "stimpy77") has been a programmer, developer, and consultant for web and Windows software solutions professionally since 1997, with experience ranging from OS and hardware support to DHTML programming to IIS/ASP web apps to Java network programming to Visual Basic applications to C# desktop apps.
Software in all forms is also his sole hobby, whether playing PC games or tinkering with programming them. "I was playing Defender on the Commodore 64," he reminisces, "when I decided at the age of 12 or so that I want to be a computer programmer when I grow up."

Jon was previously employed as a senior .NET developer at a very well-known Internet services company whom you're more likely than not to have directly done business with. However, this blog and all of have no affiliation with, and are not representative of, his former employer in any way.
