Monday, September 7, 2009

VK couple's testing -- insecure protocol!

Friday's XKCD comic dealt with the question "How can I tell if my internet relationship is real, or just a chatbot?"

The VK couple's testing page was realized and announced in a follow-up blog post. As I understand it, you and your significant other go to this website. At the top, there's a [presumably unique] test ID. At the bottom, there's a "partner's link." So you send your partner the link, and you both reveal the letters/numbers you see, and you are each reassured of the other's non-bot status.

But here's the problem. If the bot is chatting with "thousands of connections at once," then it could just send your link to one of them and have them read it, passing the answer back to you. This breaks the security of the system, as no matter how you set it up, one person has to send a link to another person. This is a weak point, as a chatbot can use two real people to verify its own "real person" status.

VK couple's testing is interesting, but needs a more secure protocol.

[Update: I browsed the comments of the blog post, and many people pointed out the same vulnerability. One suggested fix for this insecure hole is to have the form require the names of both parties, a "signature" of sorts. This reduces the likelihood of failure, but since names are not unique, the bot could still set up an insecurity by mimicking the name of another real person, who it uses to solve the captcha. Likewise, timestamped tests make it harder, but not impossible, to break the protocol.]

This post's theme word: nugatory, "of little value; trifling" or "having no force; ineffective."


sandycharm said...

That is a valid point! Still, Turing test was pretty funny.

JC said...

All you would need is two people to separately request the VK Couples URL/Link (at which time it generates the unique double-captcha) and logs those 2 IP address (or sends cookies).
Then when you visit the link, it checks to see if the visitors to the unique link match the IP/cookies.