AgoraDesk-LocalMonero / nojs-captcha

MIT License

Create an effective CAPTCHA that doesn't require JavaScript (Bounty: 1000 USD paid in XMR or BTC) #1

Closed LocalMonero closed 1 year ago

LocalMonero commented 2 years ago

Almost all existing CAPTCHA variants use JavaScript to check if the client is a robot or human.

Our platform provides the ability to access the site without the use of JavaScript, hence, any CAPTCHA that requires JavaScript is a no-go for us.

Our current CAPTCHA is OK but we want something more effective.

Requirements:

  1. Can be served to a browser client;
  2. Does not require JavaScript;
  3. Is not resource-intensive to generate;
  4. Cannot be solved in a reasonable amount of time by a robot;
  5. Cannot be cracked by employing widely available machine learning tools, or would require an impractically long time to crack;
  6. Does not compromise the privacy of the user (i.e. doesn't rely on personal identification)
asheroto commented 2 years ago

I used this with success. You can disable JS. It's not the exact solution to your request, but similar goals.

https://github.com/mebjas/CSRF-Protector-PHP

LocalMonero commented 2 years ago

@recanman that's basically what we have now. We need something more sophisticated and ML-resistant.

recanman commented 2 years ago

What about something audio-based? That wouldn't really work for clients that don't have a speaker, but is that a consideration?

ghost commented 1 year ago

@LocalMonero Many websites on the tor network use ring captchas. If you want I could publish the code

Could look like this: example

LocalMonero commented 1 year ago

@recanman sorry for the long response. No, that won't work.

@Vikalexea sure, we'd love to take a look.

ghost commented 1 year ago

I uploaded a PoC at github.com/Vikalexea/Simple-Captcha-POC

ghost commented 1 year ago

@LocalMonero I think the best answer to your problem would be a clock captcha. Almost every major service on the Tor network uses this type of captcha to block DDoS attacks.

I will do my best to implement it in php and then in c++ to improve performance.

Can it be delivered to a browser client? Yes. Does it require JavaScript? No, only css. Is it resource intensive to generate? No. Can't it be solved by a robot in a reasonable time? Yes. Would it take an impractically long time to crack the puzzle? Read below. Doesn't it interfere with the user's privacy? No.

The only drawback would be the UX, since many people can't read analog clocks, but neither can bots!

LocalMonero commented 1 year ago

@Vikalexea based on the fact that it's used on services that are typically under DDoS attack wouldn't it mean that there are people out there training neural networks specifically to deal with this captcha? A unique CAPTCHA would probably work better.

ghost commented 1 year ago

@LocalMonero It is very difficult to train a neural network on a clock captcha. Especially if you add random parameters like dots, lines or ripple effects.

BTW: I think we had a misunderstanding, the captcha I'm coding will be from scratch.

LocalMonero commented 1 year ago

@Vikalexea if you'll make it from scratch then please make it in C or Rust. We don't want to deal with PHP.

recanman commented 1 year ago

Some variations of clock captchas found on the darknet have been broken with low times and high accuracies. (https://www.researchgate.net/publication/360540906_Tick_Tock_Break_The_Clock_Breaking_CAPTCHAs_on_the_darkweb) If LocalMonero wants a captcha that is resistant (in the near future) to machine learning, someone will have to come up with an original idea for a captcha, JavaScript or not.

LocalMonero commented 1 year ago

@Vikalexea, @recanman is right. Please don't bother implementing the clock captcha. We also have another candidate that contacted us privately who may have a better solution.

ghost commented 1 year ago

@recanman do you think it is realistic to implement a captcha using VDF (https://eprint.iacr.org/2018/623.pdf)?

recanman commented 1 year ago

How would this be possible without JavaScript? From my brief understanding of the publication, computation is required on the client.

ghost commented 1 year ago

@recanman nevermind, using VDF as captcha is not possible without javascript.

captcha Visual captchas are the only way to filter out bots without compromising users' privacy. As far as I know, visual captchas are the most difficult captcha for a neural network.

Note: Adding a countdown (e.g. for 120 seconds) will definitely stop any malicious actor from spamming Agoradesk/Localmonero. Loading a large neural model takes about 1 minute on a high-end device. Solving the captcha probably takes even longer....
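Added example (not code from this thread or from any of the commenters): the requirements list above and the countdown idea in the comment just above both concern the server side of a JavaScript-free CAPTCHA, which is the part that decides whether the form as a whole is cheap to serve, replay-safe and privacy-preserving. The block below assumes the challenge image is rendered elsewhere and only shows how the expected answer can be bound to a signed, single-use, time-boxed token carried in a hidden `<input>` of a plain HTML form. `SERVER_KEY`, `NOT_BEFORE_SECONDS`, `TTL_SECONDS`, `issue_token` and `verify_token` are names chosen for this example, and the 120-second value is the one suggested in the comment.

```python
"""Stateless, JavaScript-free CAPTCHA tokens (added example, not the issue's code).

The token carries no user identifier and the server keeps no session: only
the signing key and a short-lived set of burned nonces are needed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Set, Tuple

# Hypothetical deployment values; a real service loads the key from secret storage.
SERVER_KEY = secrets.token_bytes(32)
NOT_BEFORE_SECONDS = 120   # the "countdown" proposed in the thread
TTL_SECONDS = 600          # a challenge stops being accepted after this

# nonce(16 bytes) | issued_at (uint32) | not_before (uint32), big-endian
_HEADER = struct.Struct(">16sII")


def _normalize(answer: str) -> bytes:
    # Case- and whitespace-insensitive, so "10:30" and " 10:30 " compare equal.
    return "".join(answer.split()).lower().encode()


def _mac(key: bytes, header: bytes, answer: str) -> bytes:
    # The answer itself never appears in the token; only this MAC binds it.
    return hmac.new(key, header + _normalize(answer), hashlib.sha256).digest()


def issue_token(answer: str, *, key: bytes = SERVER_KEY,
                now: Optional[float] = None) -> str:
    """Return an opaque token binding `answer` to a fresh nonce and time window."""
    issued = int(now if now is not None else time.time())
    header = _HEADER.pack(secrets.token_bytes(16), issued,
                          issued + NOT_BEFORE_SECONDS)
    return base64.urlsafe_b64encode(header + _mac(key, header, answer)).decode()


def verify_token(token: str, submitted: str, used_nonces: Set[bytes], *,
                 key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a submitted answer; returns (accepted, reason)."""
    now = int(now if now is not None else time.time())
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        header, mac = raw[:_HEADER.size], raw[_HEADER.size:]
        nonce, issued, not_before = _HEADER.unpack(header)
    except (ValueError, struct.error):
        return False, "malformed"
    if len(mac) != hashlib.sha256().digest_size:
        return False, "malformed"
    if now < not_before:
        return False, "too-early"       # countdown not yet elapsed
    if now > issued + TTL_SECONDS:
        return False, "expired"
    if nonce in used_nonces:
        return False, "replayed"
    # Burn the nonce before checking the answer: exactly one guess per challenge.
    used_nonces.add(nonce)
    if not hmac.compare_digest(mac, _mac(key, header, submitted)):
        return False, "wrong-answer"
    return True, "ok"
```

Because the MAC can only be recomputed with the server key, a bot holding a token cannot brute-force the small answer space offline, and burning the nonce before the comparison limits it to one online guess per challenge. Combined with the not-before window, each guess costs a full countdown of wall-clock time, which is the cost the comment above is counting on.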

recanman commented 1 year ago

Yep, the only problem is coming up with one. I'm still thinking.

recanman commented 1 year ago

That captcha pictured seems reasonable to implement and seems ML-resistant. I can implement it in Node.js using the canvas package. I would probably add some distortion and more lines/shapes, but I believe that this captcha may do the trick. My experience with C and Rust is quite sparse, and I would not be able to implement it in those languages.

LocalMonero commented 1 year ago

@recanman if you're talking about the captcha pictured by @Vikalexea then don't implement it. It's not intuitive at all and will cause confusion.

recanman commented 1 year ago

Oh, ok. Has your private candidate presented anything that works?

ghost commented 1 year ago

@LocalMonero does it really have to be intuitive? Just because service XY uses the same concept and gets hacked doesn't mean everyone using the same concept is affected by the security breach.

"... and will cause confusion.", the demonstration images look pretty confusing, but it can be simplified for a human eye by using other anti machine learning methods.

recanman commented 1 year ago

I would agree with that. For it to be ML-resistant, it should be confusing.

LocalMonero commented 1 year ago

@recanman it's highly desirable.

LocalMonero commented 1 year ago

@recanman thanks for the submission, but this is very difficult to see. We have a better solution submitted, please hold on making anything until further notice.

ghost commented 1 year ago

I am curious what kind of captcha it will be!