OpenChain-Project / Online-Self-Certification-Web-App

This is the source code for the OpenChain Project Conformance Online Self-Certification Web App
https://certification.openchainproject.org/
Apache License 2.0

re-captcha does not work in China #222

Closed goneall closed 2 years ago

goneall commented 2 years ago

Based on email exchanges with kakuri, it looks like the re-captcha for the sign-on is not showing up when signing up for a new user (and likely will not show up on sign-in as well).

This is based on the image when kakuri attempted to create a user, and the image does not include the captcha: [image]

Below is what the user should see on signup - note the missing Captcha:

[image]

goneall commented 2 years ago

I found this article from a Google search: https://stackoverflow.com/questions/57827914/google-recaptcha-in-china

It looks like we're using the google.com URL, which can be replaced with recaptcha.net to resolve this issue, in the following:

https://github.com/OpenChain-Project/Online-Self-Certification-Web-App/blob/30107f49ac31e55a76e6d16a7c753375fc520ccc/src/org/openchain/certification/ReCaptcha.java#L44
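The host swap described above, written out as an added illustration rather than the project's own `ReCaptcha.java`: the reCAPTCHA host is taken from configuration so that both the client-side widget script and the server-side `siteverify` call use `www.recaptcha.net` instead of `www.google.com`. The class name, the `RECAPTCHA_HOST` and `RECAPTCHA_SECRET` environment variables, and the minimal JSON check are assumptions for this example; the two hostnames and the `/recaptcha/api.js` and `/recaptcha/api/siteverify` paths are Google's published endpoints. Verification fails closed on any transport error, which matters for the spam and denial-of-service concern raised later in this thread.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

/**
 * Illustrative reCAPTCHA helper with a configurable host (added example,
 * not the project's ReCaptcha.java).
 */
public final class RecaptchaHostExample {

    /** Google's default host; unreachable or unreliable for users in mainland China. */
    public static final String GOOGLE_HOST = "www.google.com";
    /** Google's documented alternative host for regions where google.com is blocked. */
    public static final String GLOBAL_HOST = "www.recaptcha.net";

    private final String host;
    private final String secretKey;
    private final HttpClient client;

    public RecaptchaHostExample(String host, String secretKey) {
        this.host = host;
        this.secretKey = secretKey;
        this.client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    }

    /** URL of the client-side widget script to embed in the signup and login pages. */
    public String scriptUrl() {
        return "https://" + host + "/recaptcha/api.js";
    }

    /** URL of the server-side token verification endpoint. */
    public String verifyUrl() {
        return "https://" + host + "/recaptcha/api/siteverify";
    }

    /**
     * Verifies the g-recaptcha-response token submitted with the form.
     * Returns true only when the verification service answers "success": true.
     * A missing secret, a network error or a non-200 reply counts as failure
     * (fail closed), so an outage of the service cannot be used to skip the check.
     */
    public boolean verify(String token, String remoteIp) {
        if (token == null || token.isEmpty() || secretKey == null) {
            return false;
        }
        String body = "secret=" + enc(secretKey)
                + "&response=" + enc(token)
                + (remoteIp == null ? "" : "&remoteip=" + enc(remoteIp));
        HttpRequest request = HttpRequest.newBuilder(URI.create(verifyUrl()))
                .timeout(Duration.ofSeconds(10))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        try {
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                return false;
            }
            // Minimal check of the JSON reply (assumed shape); use a JSON parser in real code.
            return response.body().replace(" ", "").contains("\"success\":true");
        } catch (IOException e) {
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Host comes from configuration (assumed env var) instead of being hard-coded.
        String host = System.getenv().getOrDefault("RECAPTCHA_HOST", GLOBAL_HOST);
        RecaptchaHostExample captcha = new RecaptchaHostExample(host, System.getenv("RECAPTCHA_SECRET"));
        System.out.println("widget script:   " + captcha.scriptUrl());
        System.out.println("verify endpoint: " + captcha.verifyUrl());
    }
}
```

Both the script tag in the HTML and the server-side verification must point at the same host; changing only the page-side script while the server still posts to `www.google.com` would leave verification broken for the very users the change is meant to help.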

shanecoughlan commented 2 years ago

Thanks Gary! Can we disable captchas for now? I saw in another thread the full fix might take three weeks, and we have quite a lot of movement in China right now. The risk of spam versus ensuring people in the mainland can sign in seems worth it.

goneall commented 2 years ago

@shanecoughlan - It is the same amount of effort to disable as it is to fix. I just need someone from China to verify that the re-captcha shows up in the login and signup screens on the test site.

Once that is verified I can deploy the fix to production. I'm currently traveling and not sure what my internet connectivity will be like so it may be a few days if I can't connect.

shanecoughlan commented 2 years ago

Understood! I will ask our Chinese community to visit the test "sign up" page and provide feedback :)

shanecoughlan commented 2 years ago

Hi Gary, unfortunately the test reCaptcha throws up an illegal content error in China (or simply does not work). Our local community tested it. Suggest we proceed with removing reCaptcha and taking the risk of bots.

goneall commented 2 years ago

Hi Shane - I'm very uncomfortable removing the recaptcha since it is the only thing preventing the denial of service attack that cost me a full day of vacation a couple of years ago. If I remove the recaptcha and there is a denial of service attack, the entire site would go down and, since I'm currently traveling, it would be down for everyone until I'm able to fix it.

Are you sure they used the test instance and not the primary instance - the test instance URL is http://openchain-test-staging.m6rqmtrixp.us-west-1.elasticbeanstalk.com/

shanecoughlan commented 2 years ago

Understood!

Update from China:

The test instance is what people are looking at, and it fails when accessed via WeChat with the following warning in Chinese (illegal or dangerous content). WeChat is how people mostly use links despite being a messenger. It is allowing people to access via web browser. Maybe our workaround is to ask people in China to only use a web browser for self-cert? [image]

goneall commented 2 years ago

@shanecoughlan - this is probably due to the test instance not implementing SSL.

I'll deploy to production which uses SSL even though we couldn't test using the test instance. I'll update this issue once it is live. BTW - the site may be down for a few seconds during the update.

goneall commented 2 years ago

@shanecoughlan - have them try the main website - https://certification.openchainproject.org/