NamelessMC / Nameless

NamelessMC is a free, easy to use & powerful website software for your Minecraft server, which includes a large range of features.
https://namelessmc.com/
MIT License
618 stars 308 forks source link

Update from reCAPTCHA v2 to v3 #2080

Closed Derkades closed 3 years ago

StormyIceLeopard commented 3 years ago

Instead of flat out updating to v3. Just add support for it but allow individual hosts to decide which version to use. For myself, I prefer v2 over v3. Like to believe I am not the only one.

PikaMug commented 3 years ago

Disagree with continuing to support v2. It's going to be phased out eventually just like v1 was, and v3 can still be configured to invoke a challenge for a suspected bot. Besides, if you plan to always present a challenge then you really ought to be using hCaptcha for its privacy benefits.

BaxAndrei commented 3 years ago

Disagree with continuing to support v2. It's going to be phased out eventually just like v1 was, and v3 can still be configured to invoke a challenge for a suspected bot. Besides, if you plan to always present a challenge then you really ought to be using hCaptcha for its privacy benefits.

Also you can get few bucks from hCaptcha

StormyIceLeopard commented 3 years ago

I disagree. hCaptcha is a pain for both the host and the visitors. Forcing any particular version of anti-spam is not fair to those who do not want to use it but still want (and need) an anti-spam mechanic.

PikaMug commented 3 years ago

Using default hCaptcha is no more difficult than Google's product, and I would love to hear your argument otherwise. Either way, v3 is a replacement for v2, not an alternative. Keeping up with security measures at the expense of a lazy administrator is entirely fair.

Derkades commented 3 years ago

What would be a reason to want v2 over v3?

StormyIceLeopard commented 3 years ago

hCaptcha is a guarantee to have to solve a picture puzzle, reCAPTCHA v2 only shows that if it suspects you are a bot. That is an inconvenience right there. You are welcome to say that is not true, but with my experience and the experience of 4 others that is the case. Never once have we clicked the box that we are not a robot and were just given a checkmark, we were ALWAYS given a picture puzzle, that is pickier than reCAPTCHA is.

ReCAPTCHA v2 has an actual test, v3 does nothing. Absolutely nothing. Plus my understanding is that v3 sends more data to google than v2 does. So there is a privacy concern there as well.

Derkades commented 3 years ago

ReCAPTCHA v2 has an actual test, v3 does nothing.

v3 sits in the background and a captcha will pop up if it suspects the request is coming from a bot. It may look like it's doing nothing if it determines the user is not a bot.

PikaMug commented 3 years ago

hCaptcha is a guarantee to have to solve a picture puzzle, reCAPTCHA v2 only shows that if it suspects you are a bot. That is an inconvenience right there.

Use v3 then.

ReCAPTCHA v2 has an actual test, v3 does nothing.

Simply untrue, see Derkades comment.

Plus my understanding is that v3 sends more data to google than v2 does. So there is a privacy concern there as well.

The only information I could find on this is that it reports on presence of other Google cookies to boost your risk score, but I'm pretty sure v2 does this as well (for example, it's long been a trick among Supreme-brand buyers to log into Gmail first to avoid getting a captcha at checkout). So if you're really concerned about privacy, you should make the tradeoff to hCaptcha anyway.

samerton commented 3 years ago

Captchas in Nameless need a rework to make it easier to add new options - if this is done, I don't see any harm in keeping v2 along with v3 and hCaptcha for now. It will also help to maintain backwards compatibility with sites already using v2, without having to forcibly disable it during the upgrade process.