Closed: lampholder closed this issue 4 years ago.
I'll close https://github.com/vector-im/riot-web/issues/2759 as a dup of this one.
phpcaptcha looks cosmetically rather terrible, but visualcaptcha looks promising?
I would definitely vote for option #2, visualcaptcha.net. Typical wiggly-word CAPTCHAs have been crackable for almost a decade, but image-based CAPTCHAs are considered safer.
http://gracelandtower.com/2014/05/10/is-captcha-obsolete/
Also, I agree -- it looks better.
VisualCaptcha certainly looks a whole lot better, and you're right that it is probably less vulnerable to off-the-shelf CAPTCHA crackers. I'd like to see a much larger image set (though that is something we can supply ourselves).
We could implement something along the lines of this (immediately after the user's having chosen their desired mxid):
@lampholder let's keep this discussion limited to the captcha itself.
https://github.com/emotionLoop/visualCaptcha
Please note visualCaptcha is no longer actively developed :(
This may not necessarily be a showstopper if it works, but it means we'd probably have to either maintain it ourselves or hope "the community" (i.e. someone else) does.
What is the point of adding captchas to Riot though? If they are not enforced by the Matrix protocol, it won't prevent spam and will be an annoyance for the users.
I believe the point is they would be enforced by the homeserver, so you can protect your homeserver against becoming a bot-dominated spam/abuse machine.
Apparently https://github.com/isislovecruft/gimp-captcha is quite nice, according to Tor folks, but looks like it depends on gimp(!) :(
Apparently "whatever diaspora does" is good.
It seems to just use a "dumb" old squiggly text Captcha
Since Google is blocked from my entire network, I cannot even complete the sign-up for Riot due to the reliance on Google. I vote for anything other than Google.
It's not really a Riot thing; it's the server you're choosing to attempt to sign up on requiring it as part of sign-up. Most public servers do.
@t3chguy This may be the case, but the matrix.org server is using Google Captcha. And people on Matrix HQ chat directed me to this ticket to voice my objection. In my view, Google is using captcha to train their image AI.
This ticket isn't for voicing objections to recaptcha. We already know that people don't like recaptcha. This ticket is for proposing alternatives and evaluating them.
As per Matrix HQ: I think this ticket is at the status of gathering options to replace the captcha offered by matrix.org. This is a priority 1 issue and is therefore on the hot path for being dealt with.
Edit: It would be really great if GitHub showed replies before I posted my comment.
I see I don't have to argue my case against Google reCAPTCHA. All Google services are a no-go and the present implementation on riot.im is buggy when JS is managed per-site. Please use any of the discussed alternatives in the interim, but stop using Google reCAPTCHA now. I tried to get Matrix a top spot on privacy-conscious recommendation lists, but that's not possible as long as Google services are used.
Google recaptcha is a huge privacy hole that deserves more attention imo.
Back in 2014, a reverse engineering attempt showed what it is capable of:
Google servers will receive and process, at least, the following information: Plug-ins; User-agent; Screen resolution; Execution time, timezone; Number of click/keyboard/touch actions (in the
This was 4 years ago, imagine where the tech is now.
For cryptocurrency communities that begin to appreciate Matrix and are apparently endorsed by it, this means all Riot users (potentially asset holders) are fingerprinted by Google.
Perhaps this issue deserves a 'privacy' label.
this means all Riot users (potentially asset holders) are fingerprinted by Google.
Not all homeservers employ reCAPTCHA, so this is not true; it's up to the server whether it wants to use it or not. They can technically provide other captcha solutions via fallback auth, and it'll work just fine with Riot.
they can technically provide other captcha solutions via fallback auth
Can you please go into more detail about this? I would like to use Matrix/Riot, but I do not want to become a spam machine.
Google is also blocked on my network, and I would never force someone to use reCAPTCHA just to be able to register. Worse, when I think of GDPR, this would hit my private server hard (in terms of privacy), as I would then have to follow a lot of rules (adding an imprint, etc.).
@damnms https://matrix.org/docs/spec/client_server/r0.4.0.html#fallback A server can provide an unknown auth method, and then fallback will be used, where the client just shows an HTML iframe which could contain any other captcha you so wish for.
So I have to code it myself in Matrix so that another captcha provider is used? That means this ticket should go to Matrix instead of Riot? Then why not close this ticket and redirect it to Matrix? :)
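To make the fallback mechanism from the spec link above concrete, here is an added example (not code from riot-web, Synapse or the Matrix spec authors) of how a client can complete a registration flow whose captcha stage it does not implement natively, by loading the homeserver's fallback web page for that stage in an iframe. The endpoint shape follows the spec's fallback section (GET /_matrix/client/r0/auth/{type}/fallback/web?session=...); the homeserver URL, the stage name `example.org.captcha`, the session id and the preference for natively supported stages are all assumptions of this example.

```python
"""Added example, not from riot-web, Synapse or the Matrix spec: planning a
User-Interactive Auth flow so that stages the client does not implement
(for instance a homeserver's own captcha) go through the fallback web page.
Homeserver URL, stage name and session id below are constructed values."""
from urllib.parse import quote, urlencode

# Stage types this hypothetical client handles with built-in UI (assumption).
NATIVE_STAGES = frozenset({"m.login.dummy", "m.login.recaptcha"})


def choose_flow(flows, native=NATIVE_STAGES):
    """Pick the flow that needs the fewest fallback (iframe) stages, with the
    shortest flow as tie-breaker. Any stage can be completed via fallback, so
    every advertised flow is completable by this client."""
    return min(flows, key=lambda f: (sum(s not in native for s in f["stages"]),
                                     len(f["stages"])))


def fallback_url(homeserver, stage, session):
    """Page the homeserver renders for one stage. The client shows it in an
    iframe and waits for the page to postMessage('authDone') on success."""
    return (f"{homeserver}/_matrix/client/r0/auth/{quote(stage, safe='')}"
            f"/fallback/web?{urlencode({'session': session})}")


def plan_registration(homeserver, uiaa_response, native=NATIVE_STAGES):
    """Turn a 401 User-Interactive Auth response into ordered client steps:
    ('native', stage) for built-in stages, ('fallback', stage, url) otherwise."""
    flow = choose_flow(uiaa_response["flows"], native)
    session = uiaa_response["session"]
    steps = []
    for stage in flow["stages"]:
        if stage in native:
            steps.append(("native", stage))
        else:
            steps.append(("fallback", stage, fallback_url(homeserver, stage, session)))
    return steps


def completion_body(session):
    """After the fallback page reports success, the client resubmits the
    original request with only the session id in the auth dict; the server
    has already recorded the completed stage against that session."""
    return {"auth": {"session": session}}


# Constructed sample: a homeserver offering only a self-hosted captcha stage
# unknown to this client, followed by the dummy stage.
SAMPLE_401 = {
    "flows": [{"stages": ["example.org.captcha", "m.login.dummy"]}],
    "params": {},
    "session": "constructed-session-id",
}

if __name__ == "__main__":
    for step in plan_registration("https://hs.example.test", SAMPLE_401):
        print(step)
```

The point for this thread: nothing in the client needs to know what captcha the homeserver chose; only the homeserver's fallback page does, so a self-hosted captcha requires a server-side change, not a Riot change.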
I see I don't have to argue my case against Google reCAPTCHA. All Google services are a no-go and the present implementation on riot.im is buggy when JS is managed per-site. Please use any of the discussed alternatives in the interim, but stop using Google reCAPTCHA now. I tried to get Matrix a top spot on privacy-conscious recommendation lists, but that's not possible as long as Google services are used.
If you make any progress, please let me know. I would love to use Matrix/Riot, but reCAPTCHA is an absolute no-go (which would result in legal problems regarding GDPR, an imprint on my private homepage which I do not want, etc.).
When will the project drop the non-free reCAPTCHA? It uses non-free JavaScript, and it tracks users.
People seem to have overlooked a single click captcha that looks and works similar to recaptcha, yet is self hosted.
Is it possible to consider the use of alternative captcha systems equal in design to Google Recaptcha, such as Coinhive? It would allow such JavaScript to be self hosted, uses proof of work to make spam expensive, and causes attackers to earn the website some money. This would at least be acceptable in the case of cryptocurrency communities already. If coinhive is blocked by adblock systems (sometimes people get even more angry about mining than ads), then users could get to use google recaptcha as a fallback. :^)
https://coinhive.com/documentation/captcha
EDIT: I mean you can just run your own Matrix identity server, in lieu of using matrix.org, that uses any different captcha in an iframe as stated by this issue comment. Identities are federated, so you can connect to matrix.org without ever encountering their reCAPTCHA.
FYI to any new readers, for those with privacy concerns regarding reCAPTCHA (it is designed explicitly to make captchas faster by using AI browser profiling that carries over into their proprietary database and algorithms, so it is a legitimate concern):
You could self-host your own homeserver and identity provider that uses your own captcha solution (such as Coinhive in an iframe, as stated in this issue), and then federate to matrix.org or other homeserver channels without ever using Google reCAPTCHA. After you have some Matrix identity you can then use the riot.im web client without encountering any fonts.google.com library imports or Google JavaScript, or just use any other Matrix client, as stated in my basic independent audit.
that uses your own captcha solution
I am no developer. I can configure some applications, but I am not going to develop something, as I lack the skill for that. And I guess that is the main reason why some people complain. If I were able to simply hack that myself in a couple of days, and to know exactly what I do (especially in security), then I would do it. But I can't. So as long as there is no "simple" guide which leads through that process, this does not help me. Simple for me means: I do not have to code. I have a homeserver, but I do not want to also host an identity provider. Is a self-hosted identity provider required to be able to use another captcha provider?
Is a self hosted identity provider required to be able to use another captcha provider?
Technically, what I meant is that you need to use an identity provider other than matrix.org to avoid its current configuration with Google reCAPTCHA.
You know, if you managed to make your own homeserver, it is a system configuration matter to enable the identity provider, not a code developer matter, so read over the docs and try again? I did not even know it was possible to configure it without an identity provider from past experience. And yes, if you are looking out for privacy by self-hosting, you should go to the trouble. Why trust others to know, host, and attest to your identity when your homeserver can do it by itself?
But yes, for the general public you could just find any other Matrix identity provider online that uses some other captcha or verification system, and still chat to matrix.org channels and use any Matrix or riot.im client just fine with federation (just specify the different identity provider URL). I haven't been able to test all the different identity servers for this, but there must be one that doesn't. (Though it may be getting quite a lot of spam accounts if they aren't using some effective captcha mechanism.)
https://www.hello-matrix.net/public_servers.php
Maybe as a future feature request matrix.org could switch to allowing users to make a choice between the type of captcha, such as coinhive. But that's an implementation thing up to them and will take time to figure out. I would say you shouldn't swear off the entire matrix ecosystem when you can either join a non-recaptcha identity provider or run your own.
Are you sure that the IDENTITY server is responsible for this? I highly doubt it. As far as I know, it is the Matrix server itself that is responsible for the fallback. The identity server only handles the mapping (3PIDs), which is optional if you do not want to federate with matrix.org servers.
I am not interested in federation (at the moment). I just want a "secure" platform for me and some friends to chat.
@damnms is correct: In Matrix terminology, the "identity server" is not involved here. (A Matrix identity server is basically just a mapping of things like emails to Matrix IDs.)
The Matrix homeserver is the one that defines the available registration flows for creating an account, and therefore the homeserver is also what determines if you see a captcha or not.
@damnms: well, I may be corrected there, but you already have the answer: you just disable your captcha and set a whitelist of users, and then you have all that you need to chat internally or federate with the rest of the Matrix ecosystem. So you successfully avoided Google reCAPTCHA at matrix.org by self-hosting.
If you want to spam, then please do this somewhere else. The topic is: evaluate captcha options. Not: evaluate workarounds for some people.
For me, it is NO option to turn off protection. Period. It is NO option for me to whitelist people, do the registration for them on my server, etc. - this would be a very, very ugly workaround, and far away from a solution. Also: if any of them need to use riot.im or any other Matrix client to talk to other federated networks, I am back at the beginning. Even worse, then they may drop Matrix completely because of lacking features, which I do not want to use because of privacy/law concerns.
ReCAPTCHA is broken: https://github.com/ecthros/uncaptcha2
ReCAPTCHA can lock people out when it's down: https://twitter.com/joepie91/status/1025105028485472256
We are all d'accord that reCAPTCHA is the worst possible solution. The original topic @lampholder posted was "evaluate the CAPTCHA options and recommend the most appropriate technical solution", so back to topic. Sadly I couldn't read his preliminary research since he hosted it with Google :-(
I'd vote for a simple text or math captcha and a honeypot. The Diaspora solution posted above (probably phpcaptcha?) and 2 checkboxes, "I'm a human" (client-side JavaScript) and "I'm not a human" (the last one hidden by CSS as a honeypot), should be enough. Screen readers won't have a problem, and Google would be out. I don't expect the servers to be flooded by bots, but if this happened, a time check could additionally be used (fill in the form too quickly and you are out).
Visualcaptcha as a last resort but the less invasive method should be tested first.
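The lightweight scheme proposed above (math question, visible "I'm a human" checkbox, CSS-hidden honeypot, time check) needs only a few lines of server-side validation. The following is an added example, not code from the issue, Diaspora or phpcaptcha; the form field names, the 3-second minimum and the one-hour token lifetime are assumptions. The expected answer is never sent to the browser: the form token carries the issue time and an HMAC over (time, answer), so the same token doubles as the timing check and the answer check.

```python
"""Added example, not from the issue or any project named in it: server-side
checks for a math captcha + honeypot + timing scheme. Field names, MIN_SECONDS
and MAX_SECONDS are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

SECRET = os.urandom(32)      # per-process key; a real deployment would persist it
MIN_SECONDS = 3.0            # faster than this is almost certainly a bot
MAX_SECONDS = 3600.0         # tokens older than this are stale


def _mac(issued: str, answer: str) -> str:
    return hmac.new(SECRET, f"{issued}:{answer}".encode(), hashlib.sha256).hexdigest()


def new_challenge(now=None, a=None, b=None):
    """Return (form_token, question). a and b default to random single digits;
    they are parameters only so that tests can be deterministic."""
    issued = str(int(time.time() if now is None else now))
    a = secrets.randbelow(10) if a is None else a
    b = secrets.randbelow(10) if b is None else b
    return f"{issued}.{_mac(issued, str(a + b))}", f"What is {a} + {b}?"


def verify_submission(fields, now=None):
    """fields is the POSTed form as a dict. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    # Honeypot: the CSS-hidden "I'm not a human" box must stay unticked.
    if fields.get("confirm_not_human", "") != "":
        return False, "honeypot filled"
    # Visible checkbox, ticked by client-side JavaScript.
    if fields.get("i_am_human") != "on":
        return False, "human checkbox missing"
    issued, _, mac = fields.get("form_token", "").partition(".")
    answer = fields.get("captcha_answer", "").strip()
    if not issued.isdigit():
        return False, "malformed token"
    # Constant-time compare; a wrong answer and a forged token look the same.
    if not hmac.compare_digest(mac.encode(), _mac(issued, answer).encode()):
        return False, "wrong answer or bad token"
    elapsed = now - int(issued)
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    token, question = new_challenge(a=3, b=4)
    print(question)
    # Simulate a human answering ten seconds later.
    print(verify_submission({"form_token": token, "captcha_answer": "7",
                             "i_am_human": "on", "confirm_not_human": ""},
                            now=time.time() + 10))
```

Because the MAC binds the answer to the issue time, a bot cannot reuse one solved token across many registrations indefinitely, and a token is invalid the moment the answer is wrong; the server stores nothing per form.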
The Diaspora* solution might not be that good either.
Due to invasion of spam accounts attacking for last weeks, we have decided to temporarily close registration on diaspora. We will use this time to cleanup the user base from all spam accounts and work on performance improvement so needed on diaspora.
I hope the captcha selected won't be Google's, as privacy.resistfingerprinting appears to increase the amount of captchas and their difficulty, and there was another interesting comment on how they punish Chrome users less at https://github.com/ghacksuserjs/ghacks-user.js/issues/7#issuecomment-466074390.
Edit 2019-04-07 09:13 UTC: the privacy.resistfingerprinting thing is known on Firefox Bugzilla: "reCAPTCHA v3 fails with Resist Fingerprinting Enabled".
Sadly I couldn't read his preliminary research since he hosted it with google :-(
I have added a screenshot of the Google sheet in the original comment. Hopefully that helps!
OT: I have a static IP. Wherever there is a reCAPTCHA, I have to feed the Google AI as this shit pops up. Either related to my IP or to Chromium (ungoogled, of course).
I'd consider a proof-of-work based captcha the most reasonable; they can be self-hosted. Ask to start the captcha before the user enters registration info, making registration faster.
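The Coinhive suggestion earlier in the thread and the proof-of-work suggestion just above both amount to the same idea: make each registration cost the client some CPU time, verified by the server without any third party. The following is an added example, not code from the issue, Coinhive or any Matrix project, of a self-hosted hashcash-style proof-of-work captcha. The server signs a challenge (random nonce, difficulty, expiry) with an HMAC; the client finds a counter whose SHA-256 has at least `difficulty` leading zero bits; the server checks signature, expiry, single use and the work. The difficulty and TTL values are assumptions.

```python
"""Added example, not from the issue or any project named in it: a self-hosted
proof-of-work captcha. Difficulty and TTL values are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

SECRET = os.urandom(32)   # per-process key; persist it in a real deployment
_used_nonces = set()      # replay protection; use a shared store in production


def _sig(nonce, difficulty, expires):
    msg = f"{nonce}:{difficulty}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(difficulty=16, ttl=300, now=None):
    """Server side. Roughly 2**difficulty hashes of work for the client."""
    expires = int(time.time() if now is None else now) + ttl
    nonce = secrets.token_hex(16)
    return {"nonce": nonce, "difficulty": difficulty, "expires": expires,
            "sig": _sig(nonce, difficulty, expires)}


def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _work_hash(challenge, counter):
    msg = f"{challenge['nonce']}:{challenge['expires']}:{counter}".encode()
    return hashlib.sha256(msg).digest()


def solve(challenge):
    """Client side: brute-force the counter. In a browser this would run in a
    Web Worker while the user fills in the registration form."""
    counter = 0
    while leading_zero_bits(_work_hash(challenge, counter)) < challenge["difficulty"]:
        counter += 1
    return counter


def verify(challenge, counter, now=None):
    """Server side. Cheap checks first, then a single hash to confirm the work."""
    now = time.time() if now is None else now
    expected = _sig(challenge["nonce"], challenge["difficulty"], challenge["expires"])
    # The signature binds nonce, difficulty and expiry, so none can be tampered with.
    if not hmac.compare_digest(str(challenge.get("sig", "")).encode(), expected.encode()):
        return False, "bad signature"
    if now > challenge["expires"]:
        return False, "expired"
    if challenge["nonce"] in _used_nonces:
        return False, "replayed"
    if leading_zero_bits(_work_hash(challenge, counter)) < challenge["difficulty"]:
        return False, "insufficient work"
    _used_nonces.add(challenge["nonce"])
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge(difficulty=16)
    start = time.time()
    c = solve(ch)
    print(f"solved with counter {c} in {time.time() - start:.2f}s")
    print(verify(ch, c))
    print(verify(ch, c))   # second use is rejected as a replay
```

Verification costs the server one HMAC and one SHA-256 regardless of difficulty, which is what makes the scheme cheap to self-host; raising `difficulty` by one doubles the client's expected work, so it can be tuned per deployment or raised temporarily during a spam wave.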
I'd actually direct the attention to what happens, when a person creates their own homeserver and spams the matrix? Can it be banned? What if the spam-homeservers are created once every 5 minutes?
https://wehatecaptchas.com/ and https://www.hcaptcha.com/ have also been suggested in some discussions on the issue
Are we discussing this for web and mobile? Seems like it's best to have a unified UX from flow perspective.
The captcha used is not up to the client but the homeserver. Homeservers can already use any HTML-based captcha they want using the fallback auth mechanism written into Matrix.
Why is this ticket not closed if the client just prints out what the homeserver sends? This is a problem with matrix-synapse, not with riot/riot-web IMO. Here is some PITA listed (people who don't want Google stuff), but it ends up here, which is wrong. This should go directly to the Matrix devs so they can add other, simple-to-configure captcha providers, and to see how many people would love to have such a feature.
Because Google captcha is more tightly integrated, it has explicit support rather than just an iframe, so the final replacement should be too. This repository is quite often also simply a dumping ground for user-facing issues, and here it'll get the most visibility for people to give their opinions.
Is this also recognized by the Matrix devs? I have my doubts, but maybe I am wrong. If Google's reCAPTCHA is integrated in matrix-synapse, it makes sense to show the matrix-synapse guys that there is something the people are not happy with. I guess Riot supports Google captcha because matrix-synapse supported that from the beginning. So if matrix-synapse adds another captcha provider, then it would make sense to add this to Riot too. But before this, it makes no sense (IMO) to discuss what to add to the UI, because no one (without coding skills) can add another provider. Maybe I misunderstood the ticket entirely.
Does this ticket mean: we are looking for something to replace reCAPTCHA in a central way (like, one company hosts the captcha provider and this is added to the UI), or is it going to be hosted on the server where the homeserver also runs?
My English is not the best; maybe I just understood everything wrong ;)
So this isn't a Synapse vs Riot thing, this is a thing which should get 1st class support in the Matrix specification, this issue is just where all the conversation lives but the developers of riot and matrix have HUGE overlap so it is globally understood. Here is the existing spec for captcha: https://matrix.org/docs/spec/client_server/r0.5.0#google-recaptcha
Google recaptcha is a brilliant fingerprinting machine.
While you solve the puzzles, it gets all it can get to fingerprint you, using obfuscated and advanced tech https://github.com/neuroradiology/InsideReCaptcha - this report is from 2014. Imagine where it is now.
It is a smart strategy to provide a useful "free" service that everybody begins to depend on, and use it to collect precious user data.
I'm very surprised that Matrix spec explicitly endorses this. What next, Cloudflare?
the matrix.org homeserver and website are actually behind CloudFlare due to previously having many issues with DDoS. I believe CloudFlare is used as the CDN for the Riot desktop downloads too.
Doesn't CF have their own captcha? (though only for accessing pages)
New user, going through the sign up and I'm instantly turned off by the familiar Google tracker captcha. I came to Riot for free software that won't spy on me and I'm already being tracked before I've logged in.
The details of the new guest experience for Riot are on the project plan: vector-im/riot-meta#59
To make starting to use Riot as painless and as rewarding as possible, we want people to be able to experience full access after only having chosen their username.
This risks exposing the platform to abuse - to avoid this, we (reluctantly) want to deploy a CAPTCHA. The right CAPTCHA is a balance between accessibility, privacy, effectiveness, UX, reliability, aesthetics and price.
The scope of this task is to evaluate the CAPTCHA options and recommend the most appropriate technical solution.
I've reviewed some of the options already here: https://docs.google.com/spreadsheets/d/1wD_8TF_k3BYMGhN6YQtPvfC8gxVi0RNOx1fF24RJb20 (screenshot below)
The two frontrunners so far are: