Protect Your Web Site with Asirra
All web applications exposed on the Internet are vulnerable to brute-force password cracking, spammed posting, or denial of service attacks.
The usual way to prevent such attacks is to use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) or HIP (Human Interactive Proof). One of the most commonly used techniques requires the user to identify the letters or digits in randomly generated, distorted or obscured pictures. This technique is only effective if you have an extremely large number of pictures, which makes it impossible for the attacker to reconstruct the image database. Otherwise, the attacker can analyze and hard-code all the possible combinations of letters or digits in the attack program and bypass your HIP protection.
So, you might be wondering how to handle such a security issue and protect your web applications effectively. Worry not!

Here is the solution: Asirra (Animal Species Image Recognition for Restricting Access), a research project from Microsoft and its partner PetFinder.com, currently available for beta testing. It is offered as a free web service that you can easily integrate with web applications built on any platform.
Asirra randomly displays 12 pictures of cats and dogs from a large image database and requires the user to identify either all the cat pictures or all the dog pictures. If only one picture were displayed, an attacker would have a 50% chance of guessing it right, but requiring the attacker to select all the cats or dogs from 12 given pictures reduces the chance of a correct guess to 1/4096. There were similar HIP solutions that used animal pictures to tell humans and computers apart, but they were not successful because their image databases were relatively small compared to Asirra's, which has more than 2 million images of cats and dogs.
Visit the Microsoft Research site to learn more about Asirra and try out for yourself how it works.
Here is an extract from the Microsoft Research site.
Asirra consists of two components:
- A JavaScript client component that you add to your web page inside a form. Our code will add an Asirra challenge to your web page. If the challenge is solved correctly, the client code gets an Asirra Ticket from our server, and adds it to your form as a hidden input field.
- A web service at Microsoft Research that your form processor should call each time a user form is submitted, to check that the ticket provided is valid.
The JavaScript works in all major browsers; it has been tested in IE6, IE7, Firefox 2, Safari, and Opera 9.
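The server-side half of the flow in the extract above, as an added example that is not Microsoft's code or part of the original post: a form processor that accepts a submission only when the ticket from the hidden field is confirmed, and that fails closed otherwise. The field name `Asirra_Ticket`, the `validate_remote` wrapper around the web service call, the in-memory record of used tickets and the sample tickets are all assumptions made for illustration.

```python
from typing import Callable, Mapping, Tuple

TICKET_FIELD = "Asirra_Ticket"  # assumed name of the hidden input field


class TicketGate:
    """Accept a form only when the validation service confirms its ticket."""

    def __init__(self, validate_remote: Callable[[str], bool]):
        # validate_remote is a hypothetical wrapper around the ticket-checking
        # web service; it returns True only when the service reports "valid".
        self._validate_remote = validate_remote
        self._seen = set()  # tickets this form processor has already checked

    def check(self, form: Mapping[str, str]) -> Tuple[bool, str]:
        ticket = form.get(TICKET_FIELD, "").strip()
        if not ticket:
            # No hidden field: the challenge was never solved in this form.
            return False, "missing ticket"
        if ticket in self._seen:
            # One solved challenge must not authorize many submissions.
            return False, "ticket already used"
        try:
            valid = self._validate_remote(ticket)
        except Exception:
            # Fail closed: an unreachable service must not let the form through.
            return False, "validation unavailable"
        self._seen.add(ticket)
        return (True, "ok") if valid is True else (False, "invalid ticket")


def fake_service(ticket: str) -> bool:
    # Constructed stand-in for the remote service so the example runs offline.
    if ticket == "timeout":
        raise TimeoutError("service unreachable")
    return ticket == "good-ticket"


def demo():
    gate = TicketGate(fake_service)
    forms = [{"comment": "hi"}, {TICKET_FIELD: "forged"}, {TICKET_FIELD: "timeout"},
             {TICKET_FIELD: "good-ticket"}, {TICKET_FIELD: "good-ticket"}]
    return [gate.check(form) for form in forms]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The decision to accept the form is made only on the server: a hidden field that is present but never checked against the service gives no protection, since the client can put any value in it.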
Don’t forget that you are not just securing your web applications; you are also helping those cute little animals find their next owner and a home sweet home.