The design and implementation of a secure CAPTCHA against man-in-the-middle attacks

摘要

In this paper, we propose a novel security protocol for the implementation of CAPTCHA tests that feature advance mechanisms against man-in-the-middle (MITM, for short) attacks. This type of attack is fulfilled by a malicious entity, the MITM, that leverages on unaware users to mass-solve CAPTCHA tests shielding the access to a service. The protocol that we propose uses collision-resistant hash functions modeled as random oracles to guarantee that the solution to a CAPTCHA test solved by an end user is valid only for the server to which the user is connected to. This will prevent MITM attacks because the user is not directly connected to the server. We developed a reference implementation for our protocol that has a low impact and is easy to use, featuring a software plug-in running in the Firefox web browser, on the client side, and a Java servlet-based application, on the server side. Copyright (c) 2013 John Wiley & Sons, Ltd.