That's a pretty cool idea, but I don't like that it's an added step for the user when submitting a form.
I used to get a TON of spam on my website(s) until I threw in a hidden text field. When the form is submitted I assume the submission is spam if the hidden text field's value isn't blank. I don't get spam anymore and people don't have to mess around with a captcha (plus nobody's complained).
...although I'm sure it's only a matter of time until the spammers figure this technique out.
[The ghurlman response must be a response to the OP, not this comment. This approach is perfectly accessible -- better than any captcha!]
I use the "honeypot" field trick as well, and really like it, but this approach has some problems worth mentioning.
For one, make sure you give real users a way to contact you if they somehow get trapped -- you'd think it won't happen, but have you tested every available form-filler plugin out there? A few months ago Google released a new version of Chrome that started putting email addresses into my hidden field. Maybe Chrome thought it was a "confirm your email" field? No idea; I fixed the problem by adding an HTML label for it. But it's a damned good thing I wasn't just secretly discarding the input, or I'd have lost a lot of purchases.
Next, as you mentioned, if anyone targets you specifically, it's trivial to circumvent this with a single line of code in a bot.
There are ways to make it harder to circumvent, though -- use all random field names, insert the hidden field at random locations in the sequence of fields, etc. I'm still using the simple approach, though, since it's still working. :)
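The hardening ideas in the comment above (random field names, a random position for the hidden field, and keeping flagged input instead of discarding it), shown server-side as an added example that is not part of the original thread. The field list, the HMAC-based naming scheme and the verdict strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)            # assumption: server-side key, per deployment
REAL_FIELDS = ("name", "email", "message")  # assumption: this form's visible fields
TRAP = "honeypot"                           # logical name, never sent to the client


def alias(token: str, logical: str) -> str:
    """Per-form field name: unguessable without SECRET, recomputable on POST."""
    mac = hmac.new(SECRET, f"{token}:{logical}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]


def build_form():
    """Return (token, fields): fields is the render order of
    (html_name, logical_name), with the trap at a random position."""
    token = secrets.token_hex(16)
    fields = [(alias(token, name), name) for name in REAL_FIELDS]
    fields.insert(secrets.randbelow(len(fields) + 1), (alias(token, TRAP), TRAP))
    return token, fields


def classify(token: str, posted: dict):
    """Return (verdict, data). Flagged posts are quarantined for review, not
    dropped, so an autofill that writes into the trap costs no real submission."""
    data = {name: posted.get(alias(token, name), "") for name in REAL_FIELDS}
    trap_name = alias(token, TRAP)
    if trap_name not in posted:
        # Browsers submit empty text inputs, so absence means the field was
        # stripped or the names were not issued by this server for this token.
        return "quarantine:trap-missing", data
    if posted[trap_name].strip():
        return "quarantine:trap-filled", data
    return "accept", data


if __name__ == "__main__":
    # Constructed submissions against one rendered form.
    token, fields = build_form()
    human = {html: ("" if logical == TRAP else "hello") for html, logical in fields}
    filler = {html: "text" for html, _ in fields}  # every input filled in
    print(classify(token, human)[0], classify(token, filler)[0])
```

The token travels with the form (for example in a separate hidden input) so the server can recompute the names on submission; the trap input itself still needs a visible-to-assistive-tech label such as the "leave this field blank" wording discussed in this thread.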
Read again: he includes a hidden field for the "normal" user (blind or not) and spambots fill that field out anyway and get caught. Pretty clever, but not hard to work around as a spammer if this gets widely adopted.
Blind users would have different sorts of HTML rendering mechanisms (screen readers, braille output, OCR, etc.) that might make hidden tags visible input unless you somehow indicated to them that the field was a honeypot. I'm not sure on the details, but the concept of hiding a field from the user's view probably doesn't translate very well once you leave the visual rendering arena.
I can't speak authoritatively, but I believe the "hidden" attribute of a field is not a visual cue, it is a presentational cue. In other words, it hides it from all presentations, whether visual, audible, tactile, or other.
"Please leave this field blank:" probably works wonders. Visually impaired users aren't mentally impaired, regardless of what the Upright Citizens Brigade has taught you.
I have concerns about this. While it is a neat concept and the implementation is impressive, the reality may be problematic. A lot of users may not have the dexterity to accomplish this task with a pointing device, like my Mother. Not to mention anyone with special needs that requires an alternate input device.
I would think "bad eyesight" would be more commonplace than people with disabilities that require an alternative input method.
I deal with real clients (read older people) every day and they can barely read the actual text on the screen, let alone text that is skewed and mangled in an attempt to foil machines.
i gave up trying to do creative spam filtering long ago. email address obfuscation, greylisting, etc. i put my domains behind postini (shame they got bought out by google) and never have to deal with spam anymore. my e-mail address is in plain sight in lots of places, and i only get false positives once in a rare while that i have to login to postini and forward to my inbox.
same thing with spam comments on my site. i didn't bother with captchas or other annoying requirements like openid. it submits everything through defensio (http://www.defensio.com/) on the backend and if it looks like spam, you just have to put in an email address to manually confirm the comment and re-train defensio. otherwise people can leave anonymous comments without any hassles. the amount of comments that need to get manually verified are very low, and i never see spam get through.
Hell, in its current form it's entirely client-side; hardly seems like it should even count as a CAPTCHA. $(form).attr("action", $("#mc-action").val()) and you're done.
Even with server-side validation, it's still trivial to break; it only requires tracking a line through an otherwise blank image.
This is fundamentally unusable as a CAPTCHA, and can't be made significantly better. The whole point of a CAPTCHA is to be difficult for computers and doable for humans, hence stuff like warped characters and image categorization. Tracking a line against a blank BG is not difficult for a computer.
> as it doesn't have widespread use, they won't bother putting in the effort
But this can be said about almost any Javascripty custom trick, and there are ones that require no effort from the user and don't have accessibility issues beyond requiring JS.
I did look at the readme. The client-side issue isn't a real problem. The fact that it's easy for computers to solve, on the other hand...
I get that it's a proof of concept, but it's a concept that doesn't work. You can't make recognizing a line easy for humans and difficult for a computer. The best you could do is introduce noise and make the line a shape that humans are likely to recognize... and bam, we're back at warped characters.
It would be easy to solve if you were doing it perfectly... harder otherwise... and I bet if you do a perfect shape (i.e. completely on the line) it gets refused. Or at least, that would be clever if so.
I don't see where it addresses the problem of generating a large enough number of shapes that are hard enough to recognize with computer vision.
I'm afraid that a nice gesture recognition algorithm is not enough to defend against bots programmed to recognize known solutions & replay (slightly randomized) predefined answers.
Interesting idea. I thought it might be more confusing if it described the shape to draw and put the 'prototype' line of a different shape in the box. Robots would be trying to match the prototype, humans would be drawing the requested shape.
For whatever reason I don't have the dexterity to draw a correct shape very quickly :-) That suggests if the captcha was used a lot (like every time I submitted a comment or something) I would quickly become frustrated and stop participating.
The plugin actually combines two libs, the Ribbon brush is used only for display (could be any brush if you switch out that class in the JS), meanwhile the points you draw are also tested against the Protractor gesture recognition algorithm.