Preventing bot accounts (captchas)

[jameslzhu]

Preventing bot accounts is a concern for the site.

Bot accounts take up username and storage space, and slow down account creation by requiring human intervention (compserv account approval). If access permissions are not done correctly, they may have access to private data.

There are various options we have for this:

• Do nothing: Simplest for users, allows all bots. Requires extensive manual intervention.
• Email filtering: Allow only emails with *.berkeley.edu domains (in particular, cs.berkeley.edu, ee.berkeley.edu and hkn.eecs.berkeley.edu must also be allowed). This would require email verification (also desirable, perhaps) to avoid being defeated by simply generating a random email.
• Google reCAPTCHA v2, currently used: Offers state-of-the-art bot detection and ease-of-use, but has concerns about privacy (user tracking). That said, we also use Google Analytics anyways, so if we're already making a deal with the devil this will offer significant benefits. Seems to allow some bots through on our current site, though, so it may depend on our settings.
• Honeypot: have an invisible form that robots will try to fill out (i.e. CSS display:none or visibility:hidden), or a form with an obvious human answer (but no obvious robot answer). Can be brute forced if obvious human answer, sometimes bypassed if robots detect invisible form.
• Google OAuth signin (aka OpenID Connect). Useful for existing members with @hkn.eecs.berkeley.edu accounts. Enabling this for @berkeley.edu will require interfacing with CalNet, which is quite complex.
• Custom / open-source CAPTCHA: tend to be difficult to use.
• Time-based detection: detecting bots by form population speed (time from load to submit). May be fooled by intelligent bots (false negative) or flag legitimate users with auto-form-fill (false positive).
• Symbolic math: generating a random math problem, ideally symbolic to frustrate simple bots, but may require numbers. idk pull some cs70 or cs61a for this, but not everyone's taken cs70.

At the end of it all, there are three major priorities which must be balanced:

1. Preventing bot account creation. This saves compserv time, and keeps data more secure.
2. Keeping human account creation simple. We don't want to frustrate users who can't get past our captcha, which may include those with visual disabilities.
3. Implementation complexity. A solution which is too complex will not be maintainable, problematic given the rate of bot and AI evolution.

The best solution may involve a combination (allowing Google OAuth signin + Google reCAPTCHA for new accounts + email filtering, in my opinion).

[jameslzhu]

Some recap from what we talked about today:

1. Minimize bot accounts a. This would be largely a signup page protection: some captcha code snippet to prevent account creation.
2. Make sure they can't access anything: require human (compserv / vp) approval for any site access. a. Make finding bad accounts easy (bots) b. Make finding good accounts easy (professors, candidates, TAs) c. Make cleanup / deleting accounts easy (but not too easy: want some confirmation) d. This would go under a separate /accounts/manage page.

Since the signup page is still pending in #51, you can put off the actual implementation of 1) for now; part 2 should probably be implemented as part of the root hknweb accounts urls / views / models.

[jvperrin]

I think doing Google OAuth (for HKN emails only) + CalNet auth would be great because it then prevents the need for handling passwords along with preventing bots entirely.

That being said, I haven't worked with CalNet auth much, but ocfweb already uses it and I've worked with Google OAuth before and it's not terrible (although it is complicated), so I think that might be doable.

The captcha we are using on hkn.eecs.berkeley.edu currently doesn't seem very effective (we still get lots of bots signing up), maybe we aren't validating it correctly?

[jameslzhu]

After the merge, we should drop the recaptcha key into the secrets file from the Recaptcha admin console, with the hkn-ops account. I've made a separate key for the hknweb site. https://www.google.com/recaptcha/admin

[bri25yu]

Closed as per the previously linked PR