
The problem itself is described at the end: it's about using clickjacking to get a valid token on behalf of "good guys". And this problem has nothing to do with existing systems.

Google could have made it so much easier and more secure: a POST request to google.com/verify_me will have an Origin header in it to prevent CSRF (only wordpress.com scripts will be able to get a token). Also there would be no need to make a click. No CAPTCHA looks fancy but the real No CAPTCHA should always have visibility:none!




"No CAPTCHA looks fancy but the real No CAPTCHA should always have visibility:none!"

I agree, but I suppose they want something that's a placeholder, in case the user needs to type a captcha.


Why? If there's no need to type any captcha, do the verification in the background; don't show me anything until you think I'm a bot.


Because of page layout. Having a fixed-size element is better than having something (that is not yours) that might or might not be there.


There's still no need for a click.


IMHO the need for a click is just for lazy loading and thus reducing server demand.


Couldn't they just trigger that on form submission, then? "Please wait while we confirm you are human" is better than clicking and then waiting, and then submitting upon completion.



