Matrix-doc: Find a non-google alternative to reCAPTCHA

Created on 7 Jun 2018  路  28Comments  路  Source: matrix-org/matrix-doc

recaptcha is non-free and people would like to have non-google implementations.

client-server feature

Most helpful comment

I would think alternate of recaptcha will be kind of service, something that can solve traditional recaptcha issue like GDPR and accessibility and still provide solution like no captcha.

I came across some solutions and here is a quick summary

Captcha providers can widely be categorized in 2 categories :-

Captcha Service Providers : This option works well for mission critical Enterprises looking for protection against constantly evolving spam and bot threats. Some of the Industry players in Captcha Services are :-

RECAPTCHA : Free and One of the most widely used captcha service used across the globe. They have recently launched recaptcha v3 which generate a risk score based on user behavior on site, google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other google product like google ads.

MTCaptcha : Captcha Service that is more focused for Enterprise needs. Provide NoCaptcha alternative to recaptcha, captcha account management, GDPR compliant, Availability across globe (China included). Limited in low friction captcha capabilities.

_Solve Media captcha_: Ad driven Captcha that uses advertisement to generate captcha and solving them. GDPR compliant, Beautiful captcha and customizable. It may not be good idea to show advertisement on enterprise site.

Captcha Library Providers: There are lot of players in Captcha Library space, And if you are willing to manage and setup the code, some of the options are:-

_BotDetect CAPTCHA_ : Most widely used captcha library, Available in multiple languages. They license the library which then need to be implemented and managed.

_KeyCAPTCHA_ - Innovative Anti-Spam Solution : Plugin driven captcha cover wide range of CMS systems. Mostly for CMS driven, need self hosting and management. Permutations are limited for captcha generation.

All 28 comments

see also https://github.com/vector-im/riot-web/issues/3606, which has some discussion of alternatives

There is no "alternative" in this discussion. It is just saying: it depends on matrix. Riot accepts different captcha providers because it will be just displayed as iframe. This has nothing to do with the UI, as far as i understood.
It is up to matrix to use another captcha service.

I would think alternate of recaptcha will be kind of service, something that can solve traditional recaptcha issue like GDPR and accessibility and still provide solution like no captcha.

I came across some solutions and here is a quick summary

Captcha providers can widely be categorized in 2 categories :-

Captcha Service Providers : This option works well for mission critical Enterprises looking for protection against constantly evolving spam and bot threats. Some of the Industry players in Captcha Services are :-

RECAPTCHA : Free and One of the most widely used captcha service used across the globe. They have recently launched recaptcha v3 which generate a risk score based on user behavior on site, google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other google product like google ads.

MTCaptcha : Captcha Service that is more focused for Enterprise needs. Provide NoCaptcha alternative to recaptcha, captcha account management, GDPR compliant, Availability across globe (China included). Limited in low friction captcha capabilities.

_Solve Media captcha_: Ad driven Captcha that uses advertisement to generate captcha and solving them. GDPR compliant, Beautiful captcha and customizable. It may not be good idea to show advertisement on enterprise site.

Captcha Library Providers: There are lot of players in Captcha Library space, And if you are willing to manage and setup the code, some of the options are:-

_BotDetect CAPTCHA_ : Most widely used captcha library, Available in multiple languages. They license the library which then need to be implemented and managed.

_KeyCAPTCHA_ - Innovative Anti-Spam Solution : Plugin driven captcha cover wide range of CMS systems. Mostly for CMS driven, need self hosting and management. Permutations are limited for captcha generation.

I don't really know why it's being discussed there, since it's not specific to riot at all, but https://github.com/vector-im/riot-web/issues/3606 seems to be the authoritative issue on this.

imo its a combination of both
matrix-synapse by default supports google recaptcha, but nothing else, even tho it provides interfaces to implement any other captcha provider.
unfortunately, not every admin is programmer, so not any admin can implement his own captcha provider. therefore it would make sense to drop the support for google recaptcha in matrix and provide another default(!) captcha.

or: provide a simple documentation how to use matrix-synapse with any client AND another captcha provider.

Since this is a spec issue, I have closed https://github.com/vector-im/element-web/issues/3606 and redirected further discussion here.

Good idea to move the discussion here since the root of the problem is the endorsement of recaptcha at the spec level.

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.

Ok then I would strongly propose hCaptcha as an alternative to be added or completely replacing reCaptcha. Cloudflare changed their captcha provide to hCaptcha recently, see here. I very much appreciate what Cloudflare does in general but especially regarding their privacy policy. An endorsement by Cloudflare in my eyes is good enought for hCaptcha to be at leased supported as an alternative to reCaptcha by Matrix.

The element-web issue has gone into quite a bit of discussion about the various captcha mechanisms. Realistically at this point someone needs to write a proposal for further discussion.

@turt2live ah ok thank you, well then I am going to write that proposal

Edit: done, I created a WIP proposal which is currently a Draft PR. See #2745

I'm surprised all the best ones in terms of UX haven't been mentioned. Granted, many are outdated, but I'm also surprised that nothing like them has been implemented/maintained over the last few years.

Here's a few I've found (none tested yet), ordered by how user-friendly their UX is.

  1. @SweetCaptcha. Demo
  2. AreYouAHuman. Demo. Docs
  3. Slider Captcha. Demo
  4. Image Rotation. Demo
  5. Icon Click

Honorable mentions:

  1. FunCaptcha. Demo
  2. 3D Captcha. Demo
  3. CaptCheck. Demo [Icon Click alternative]
  4. VisualCaptcha
  5. Minimal Math. Demo

I'll be testing the first 4, probably.

SweetCaptcha seems to be abandoned (it says you need to sign up on a website that no longer seems to be associated with any sort of captcha). AreYouAHuman refers to a website that seems to be down. I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective, and they would be impossible for blind users to complete.

Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.

Yes, like I said, the best ones are abandoned. But they're all open-source so they can be re-animated at any time.

If you're not interested in doing that, I think those other 3 are effective enough.

I would say the vast majority of Matrix users/operators will never implement their own captcha system, which is why everyone is upset that the default/built-in one is Google. Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.

Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.

From a spec perspective (i.e. the repo that this issue belongs to), we should allow any captcha. Choosing a default one would be up to the homeservers (not the client), and once the spec allows any captcha, then you can argue about about which one to use in the repos for the homeservers.

I think that FriendlyCaptcha might be the right solution. It's a proof-of-work based CAPTCHA alternative that respects the user's privacy.

Their website address is https://friendlycaptcha.com and the front-end part is open source and available at https://github.com/friendlycaptcha/friendly-challenge. The European Union is using it on their official website (see https://www.eea.europa.eu/contact-us --> Ask your question)

What do you think about it?

20sec on a non flagship smartphone is enough time for someone to uninstall the app, same as grecaptcha basically.

why not leave that decision to the homeserver hoster.
if he'd like to use a slow but privacy-friendly alternative, he can decide whats best for him.
i would instantly switch to that, use it and see what goes on.
registration is a one-time-thing. if a user is pissed because waiting for 20 seconds, he will be much more pissed because "no one is in matrix". at least imo and from my experience

Having any specific captcha service in the specification is absurd, so I don't know why people here are trying to pick an alternative. It should be way more flexible. The homeserver should give the client a URL to a webpage that uses whatever it wants to use to see if the user is legitimate or not.

The spec isn't even clear in how you're supposed to implement recaptcha. It only says you have to send a "captcha response" back. As a client implementor, how do I get that?

Looks like we just got a PR at https://github.com/matrix-org/synapse/pull/8797 to implement hcaptcha. (I'm a bit unclear on why hcaptcha is any better than recaptcha, given they're both proprietary centralised services, but yay for choice!)

Sounds like

Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.

is going to be needed sooner than later :)

Dendrite will need to support a captcha system at some point and personally I'm leaning towards hcaptcha because:

  • The API is similar to reCAPTCHA.
  • It helps ML labelling which is nice.
  • It's reasonably popular (e.g CloudFlare use it) which means it's more likely to be up and reliable.

It's more work to use a decentralised service but isn't something I'm opposed to.

@Kegsay: I agree with your arguments and would be very happy if you considered our solution, Friendly Captcha, as well 馃憤
I think that point 1 and 3 are valid for it as well.
Looking forward to your feedback! 馃槂

I think that FriendlyCaptcha might be the right solution. It's a proof-of-work based CAPTCHA alternative that respects the user's privacy.

Their website address is https://friendlycaptcha.com and the front-end part is open source and available at https://github.com/friendlycaptcha/friendly-challenge. The European Union is using it on their official website (see https://www.eea.europa.eu/contact-us --> Ask your question)

Friendly Captcha seems to have a 1k/monthly free tier limit which isn't ideal. Having it take 20s (!) on older mobiles is also not ideal, especially given we target mobiles of various ages. Twiddling thumbs for 20s feels a lot longer than solving a small labelling problem for 20s.

Sheesh, don't tie the spec to any specific 3rd party service :man_facepalming:

The goal is to find a way to support arbitrary captcha, not to pick a specific provider (as mentioned already on this issue). The point of looking at providers anyways to figure out whether or not people would be likely to use them so they can be accommodated as best as possible in the spec, as it's just not feasible to support every provider. We can however try to support most or popular captcha providers.

Something worth keeping in mind while pondering designs:

It would be nice if the signup process allowed for running a homeserver without a captcha. There are less intrusive ways to deal with automated signups, such as flagging them (based on behavior or inactivity) and deleting them later, and some admins might prefer to avoid things as user-hostile as captchas.

@foresto that's already possible, and designers should be aware of that.

Was this page helpful?
0 / 5 - 0 ratings