Lemmy: Captcha for signups

Created on 13 Apr 2020  路  12Comments  路  Source: LemmyNet/lemmy

This was already discussed in #124, but I think it deserves a seperate issue.

One option that was mentioned is https://www.hcaptcha.com/, but that one looks terrible to me, with the main focus on monetisation and no mention of privacy or accesilibity issues.

There is also mtcaptcha which looks slightly better as they mention GDPR compliancy and proper accesiblity. But its still not great because we rely on a company.

What I would prefer is an open source option that we can embed directly in Lemmy. I havent looked for that, but there should be some projects that we could use.

enhancement

Most helpful comment

I agree, I don't wanna use any captcha that isn't fully open source and self-hostable/usable within lemmy.

All 12 comments

I agree, I don't wanna use any captcha that isn't fully open source and self-hostable/usable within lemmy.

An interesting document about CAPTCHA: https://www.w3.org/TR/turingtest/

We summarize our conclusions in the following points:

  1. Risk analyses of attempts to access a resource are generally desirable. Some on line resources are simply greater targets than others. It is critical that analyses include an evidence based determination of how challenging a CAPTCHA needs to be. Users should not be forced beyond what is strictly necessary to keep a site secure, e.g.,/ if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else.
  2. Whenever an interactive CAPTCHA is deemed important for security reasons, it is very beneficial to limit and minimize how often users are subjected to interactive CAPTCHA challenges. With CAPTCHA less interactivity is clearly more accessibility. As noted above, we're encouraged by the development of approaches such as Privacy Pass which, even though it still sometimes requires an interactive CAPTCHA challenge, it does so much less often.

    1. Whenever an interactive CAPTCHA is implemented, a variety of alternative challenges must be made available to engage different sensory and cognitive capabilities of the user in order that the user can choose an approach that best fits their abilities. We humans possess a variety of intellectual strengths and weaknesses. To fail to offer a variety of challenges is to ignore this simple truth.

    2. All else being equal, we prefer non-interactive approaches because these pose no accessibility challenges. However, they may expose the user to the collection of personal data.

      Third parties may be engaged to verify the authenticity of an access attempt. However, such solutions may give rise to privacy trade-offs.

So the real question is: do we need a CAPTCHA in the first place?

We need something to prevent spam bots from signing up automatically. If you have another suggestion I'm all ears. And yes accesibility is important of course.

One thing that could work and requires not additional effort from humans is a CSS/JS-hidden field. The bots will see the field and fill it with information because that's what they do, and humans will leave it blank.

An article on that technique.

Advantages: simple to put in place, fully accessible, no burden on humans.
Disandvantages: not bullet proof, but maybe we don't need to be yet.

edit: another way is to have step 1 input email, step 2 validate it, step 3 add the rest and create account. This would be quite effective IMHO.

That method only helps against generic bots, but not against bots that are targeting Lemmy specifically. And that will happen sooner or later. We dont want to do mandatory email verification, at least not for dev.lemmy.ml.

We dont want to do mandatory email verification, at least not for dev.lemmy.ml.

But maybe it鈥檚 worth considering the possibility of such a check so that administrators installing Lemmy can enable it for their instance if they want to?

We dont want to do mandatory email verification

I think it's something to consider if you want to fight spambots. To this day, validating an email is still the best way to go to weed out bots.

Please open a separate issue then.

perhaps we can add a simple captcha support like this, but I don't know how effective this is. And what is about disabled people? I think the best way is to make this optional for instances and offer as an alternative email verification.

And what is about disabled people?

is it possible to somehow produce audio from the output of that crate?

nope for that you need a text to speech library

Installing libespeak in docker, then using this binding library might be a very simple way to do add TTS.

The back-end could then serve an audiofile and the picture for signups.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Nutomic picture Nutomic  路  5Comments

DimensionalScoop picture DimensionalScoop  路  6Comments

juliangaal picture juliangaal  路  3Comments

mateMathieu picture mateMathieu  路  6Comments

dessalines picture dessalines  路  6Comments