Element-web: Evaluate CAPTCHA options

Created on 11 Apr 2017 · 94 Comments · Source: vector-im/element-web

The details of the new guest experience for Riot are on the project plan: vector-im/riot-meta#59

To make starting to use Riot as painless and as rewarding as possible, we want people to be able to experience full access after only having chosen their username.

This risks exposing the platform to abuse - to avoid this, we (reluctantly) want to deploy a CAPTCHA. The right CAPTCHA is a balance between accessibility, privacy, effectiveness, UX, reliability, aesthetics and price.

The scope of this task is to evaluate the CAPTCHA options and recommend the most appropriate technical solution.

I've reviewed some of the options already here: https://docs.google.com/spreadsheets/d/1wD_8TF_k3BYMGhN6YQtPvfC8gxVi0RNOx1fF24RJb20 (screenshot below)

[Screenshot of the spreadsheet, captured 2019-02-21]

The two frontrunners so far are:

Labels: feature, p1, security, guestaccess, uux

Most helpful comment

So I just had to complete Re-Captcha 17 TIMES (yes, I counted). I did it correctly every single time, I am 100% confident I did and no one can tell me otherwise. I have never had to spend this much time doing re-captcha, but why Riot would even be using that is beyond me; it ruins the point of an application like this.

All 94 comments

I'll close https://github.com/vector-im/riot-web/issues/2759 as a dup of this one.

phpcaptcha looks cosmetically rather terrible, but visualcaptcha looks promising?

I would definitely vote for option #2, visualcaptcha.net. Typical wiggly word CAPTCHAs have been crackable for almost a decade; but image based CAPTCHAs are considered safer.

http://gracelandtower.com/2014/05/10/is-captcha-obsolete/

Also, I agree -- it looks better.

VisualCaptcha certainly looks a whole lot better, and you're right, it is probably less vulnerable to off-the-shelf CAPTCHA crackers. I'd like to see a much larger image set (though that is something we can supply ourselves).

We could implement something along the lines of this (immediately after the user's having chosen their desired mxid):
[image: captcha flow example]

@lampholder let's keep this discussion limited to the captcha itself.

https://github.com/emotionLoop/visualCaptcha

Please note visualCaptcha is no longer actively developed :(

This may not necessarily be a showstopper if it works, but means we'd probably have to either maintain it ourselves or hope "the community" (i.e. someone else) does.

What is the point of adding captchas to Riot though? If they are not enforced by the Matrix protocol, it won't prevent spam and be an annoyance for the users.

I believe the point is they would be enforced by the homeserver, so you can protect your homeserver against becoming a bot-dominated spam/abuse machine.

Apparently https://github.com/isislovecruft/gimp-captcha is quite nice, according to Tor folks, but looks like it depends on gimp(!) :(

Apparently "whatever diaspora does" is good.

It seems to just use a "dumb" old squiggly text Captcha.
[image: Diaspora's text captcha]

Since google is blocked from my entire network, I cannot even complete the sign up for Riot due to the reliance on google. I vote for anything other than google.

It's not really a Riot thing, it's the server you're choosing to attempt to sign up on requiring it as part of sign up. Most public servers do.

@t3chguy This may be the case, but the matrix.org server is using Google Captcha. And people on Matrix HQ chat directed me to this ticket to voice my objection. In my view, Google is using captcha to train their image AI.

This ticket isn't for voicing objections to recaptcha. We already know that people don't like recaptcha. This ticket is for proposing alternatives and evaluating them.

As per Matrix HQ: I think this ticket is at the status of gathering options to replace the captcha offered by matrix.org. This is a priority 1 issue and is therefore on the hot path for being dealt with.

Edit: It would be really great if GitHub showed replies before I posted my comment.

I see I don't have to argue my case against Google reCAPTCHA. All Google services are a no-go, and the present implementation on riot.im is buggy when JS is managed per-site.
Please use any of the discussed alternatives in the interim, but stop using Google reCAPTCHA now. I tried to get Matrix a top spot on privacy-conscious recommendation lists, but that's not possible as long as Google services are used.

Google reCAPTCHA is a huge privacy hole that deserves more attention imo.

Back in 2014, a reverse engineering attempt showed what it is capable of:

Google servers will receive and process, at least, the following information: Plug-ins; User-agent; Screen resolution; Execution time, timezone; Number of click/keyboard/touch actions (in the