uhoreg
commented
6 years ago see also https://github.com/vector-im/riot-web/issues/3606, which has some discussion of alternatives
Open richvdh opened 6 years ago
uhoreg
commented
6 years ago see also https://github.com/vector-im/riot-web/issues/3606, which has some discussion of alternatives
damnms
commented
5 years ago There is no "alternative" in this discussion. It is just saying: it depends on matrix. Riot accepts different captcha providers because it will be just displayed as iframe. This has nothing to do with the UI, as far as i understood. It is up to matrix to use another captcha service.
mt-dave
commented
5 years ago I would think alternate of recaptcha will be kind of service, something that can solve traditional recaptcha issue like GDPR and accessibility and still provide solution like no captcha.
I came across some solutions and here is a quick summary
Captcha providers can widely be categorized in 2 categories :-
Captcha Service Providers : This option works well for mission critical Enterprises looking for protection against constantly evolving spam and bot threats. Some of the Industry players in Captcha Services are :-
RECAPTCHA : Free and One of the most widely used captcha service used across the globe. They have recently launched recaptcha v3 which generate a risk score based on user behavior on site, google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other google product like google ads.
MTCaptcha : Captcha Service that is more focused for Enterprise needs. Provide NoCaptcha alternative to recaptcha, captcha account management, GDPR compliant, Availability across globe (China included). Limited in low friction captcha capabilities.
Solve Media captcha: Ad driven Captcha that uses advertisement to generate captcha and solving them. GDPR compliant, Beautiful captcha and customizable. It may not be good idea to show advertisement on enterprise site.
Captcha Library Providers: There are lot of players in Captcha Library space, And if you are willing to manage and setup the code, some of the options are:-
BotDetect CAPTCHA : Most widely used captcha library, Available in multiple languages. They license the library which then need to be implemented and managed.
KeyCAPTCHA - Innovative Anti-Spam Solution : Plugin driven captcha cover wide range of CMS systems. Mostly for CMS driven, need self hosting and management. Permutations are limited for captcha generation.
richvdh
commented
4 years ago I don't really know why it's being discussed there, since it's not specific to riot at all, but https://github.com/vector-im/riot-web/issues/3606 seems to be the authoritative issue on this.
damnms
commented
4 years ago imo its a combination of both matrix-synapse by default supports google recaptcha, but nothing else, even tho it provides interfaces to implement any other captcha provider. unfortunately, not every admin is programmer, so not any admin can implement his own captcha provider. therefore it would make sense to drop the support for google recaptcha in matrix and provide another default(!) captcha.
or: provide a simple documentation how to use matrix-synapse with any client AND another captcha provider.
jryans
commented
4 years ago Since this is a spec issue, I have closed https://github.com/vector-im/element-web/issues/3606 and redirected further discussion here.
xaur
commented
4 years ago Good idea to move the discussion here since the root of the problem is the endorsement of recaptcha at the spec level.
Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?
turt2live
commented
4 years ago Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?
Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.
Morpheus0x
commented
4 years ago Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?
Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.
Ok then I would strongly propose hCaptcha as an alternative to be added or completely replacing reCaptcha. Cloudflare changed their captcha provide to hCaptcha recently, see here. I very much appreciate what Cloudflare does in general but especially regarding their privacy policy. An endorsement by Cloudflare in my eyes is good enought for hCaptcha to be at leased supported as an alternative to reCaptcha by Matrix.
turt2live
commented
4 years ago The element-web issue has gone into quite a bit of discussion about the various captcha mechanisms. Realistically at this point someone needs to write a proposal for further discussion.
Morpheus0x
commented
4 years ago @turt2live ah ok thank you, well then I am going to write that proposal
Edit: done, I created a WIP proposal which is currently a Draft PR. See matrix-org/matrix-spec-proposals#2745
CarlSinclair
commented
4 years ago I'm surprised all the best ones in terms of UX haven't been mentioned. Granted, many are outdated, but I'm also surprised that nothing like them has been implemented/maintained over the last few years.
Here's a few I've found (none tested yet), ordered by how user-friendly their UX is.
Honorable mentions:
I'll be testing the first 4, probably.
uhoreg
commented
4 years ago SweetCaptcha seems to be abandoned (it says you need to sign up on a website that no longer seems to be associated with any sort of captcha). AreYouAHuman refers to a website that seems to be down. I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective, and they would be impossible for blind users to complete.
Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.
CarlSinclair
commented
4 years ago Yes, like I said, the best ones are abandoned. But they're all open-source so they can be re-animated at any time.
If you're not interested in doing that, I think those other 3 are effective enough.
I would say the vast majority of Matrix users/operators will never implement their own captcha system, which is why everyone is upset that the default/built-in one is Google. Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.
uhoreg
commented
4 years ago Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.
From a spec perspective (i.e. the repo that this issue belongs to), we should allow any captcha. Choosing a default one would be up to the homeservers (not the client), and once the spec allows any captcha, then you can argue about about which one to use in the repos for the homeservers.
dev-love
commented
3 years ago I think that FriendlyCaptcha might be the right solution. It's a proof-of-work based CAPTCHA alternative that respects the user's privacy.
Their website address is https://friendlycaptcha.com and the front-end part is open source and available at https://github.com/friendlycaptcha/friendly-challenge. The European Union is using it on their official website (see https://www.eea.europa.eu/contact-us --> Ask your question)
What do you think about it?
t3chguy
commented
3 years ago 20sec on a non flagship smartphone is enough time for someone to uninstall the app, same as grecaptcha basically.
damnms
commented
3 years ago why not leave that decision to the homeserver hoster. if he'd like to use a slow but privacy-friendly alternative, he can decide whats best for him. i would instantly switch to that, use it and see what goes on. registration is a one-time-thing. if a user is pissed because waiting for 20 seconds, he will be much more pissed because "no one is in matrix". at least imo and from my experience
nicolas17
commented
3 years ago Having any specific captcha service in the specification is absurd, so I don't know why people here are trying to pick an alternative. It should be way more flexible. The homeserver should give the client a URL to a webpage that uses whatever it wants to use to see if the user is legitimate or not.
The spec isn't even clear in how you're supposed to implement recaptcha. It only says you have to send a "captcha response" back. As a client implementor, how do I get that?
ara4n
commented
3 years ago Looks like we just got a PR at https://github.com/matrix-org/synapse/pull/8797 to implement hcaptcha. (I'm a bit unclear on why hcaptcha is any better than recaptcha, given they're both proprietary centralised services, but yay for choice!)
ara4n
commented
3 years ago Sounds like
Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.
is going to be needed sooner than later :)
kegsay
commented
3 years ago Dendrite will need to support a captcha system at some point and personally I'm leaning towards hcaptcha because:
It's more work to use a decentralised service but isn't something I'm opposed to.
dev-love
commented
3 years ago @Kegsay: I agree with your arguments and would be very happy if you considered our solution, Friendly Captcha, as well 👍 I think that point 1 and 3 are valid for it as well. Looking forward to your feedback! 😃
I think that FriendlyCaptcha might be the right solution. It's a proof-of-work based CAPTCHA alternative that respects the user's privacy.
Their website address is https://friendlycaptcha.com and the front-end part is open source and available at https://github.com/friendlycaptcha/friendly-challenge. The European Union is using it on their official website (see https://www.eea.europa.eu/contact-us --> Ask your question)
kegsay
commented
3 years ago Friendly Captcha seems to have a 1k/monthly free tier limit which isn't ideal. Having it take 20s (!) on older mobiles is also not ideal, especially given we target mobiles of various ages. Twiddling thumbs for 20s feels a lot longer than solving a small labelling problem for 20s.
nicolas17
commented
3 years ago Sheesh, don't tie the spec to any specific 3rd party service :man_facepalming:
turt2live
commented
3 years ago The goal is to find a way to support arbitrary captcha, not to pick a specific provider (as mentioned already on this issue). The point of looking at providers anyways to figure out whether or not people would be likely to use them so they can be accommodated as best as possible in the spec, as it's just not feasible to support every provider. We can however try to support most or popular captcha providers.
foresto
commented
3 years ago Something worth keeping in mind while pondering designs:
It would be nice if the signup process allowed for running a homeserver without a captcha. There are less intrusive ways to deal with automated signups, such as flagging them (based on behavior or inactivity) and deleting them later, and some admins might prefer to avoid things as user-hostile as captchas.
turt2live
commented
3 years ago @foresto that's already possible, and designers should be aware of that.
grinapo
commented
3 years ago Take your time, that's okay. In the meantime go over to google search and type "recaptcha solver python", and enjoy the view.
The general problem seems to be that popular captchas soon have their solvers so the ideal fix for this specific problem is to provide some generic framework to use external captchas, be that one of the large ones (hcaptcha, recaptcha,... ), some more unusual ones (3d capctha, sketcha, ...) or housebrewn ones (like natural language questions/answers).
xaur
commented
2 years ago Why is there excitement around hCaptcha over Google reCAPTCHA (https://github.com/matrix-org/matrix-doc/pull/2745)?
hcaptcha.com doesn't have anything about open source code or self-hosting. It might be a bit less invasive than reCAPTCHA, but in general it is replacing one service harvesting massive amounts of data with another. Doesn't seem to be aligned with decentralization/privacy/security Matrix is about. Cloudflare using it could be in fact a con and not a pro.
ideal fix for this specific problem is to provide some generic framework
Yes! I think the spec change should support self-hosted solutions for there to be a meaningful improvement.
Or better, make it generic to support both centralized and self-hosted captchas.
Even better, make it generic to support arbitrary "registration filter" implementations, including cryptocurrency paywalls. The latter would give some server operators an ultimate combo: discourage bots, not send data to centralized services, not host/admin any captcha, all while collecting some tips.
bkil
commented
2 years ago Do note that any CAPTCHA can be stepped through by simply piping through a CAPTCHA solver service a'la Amazon Mechanical Turk and thus paying a few cents for each registration. Not to you, to a third party and indirectly to your CAPTCHA provider in the form of completed free microwork. Let me not share link to these here.
A few alternatives come to mind:
turt2live
commented
2 years ago (we don't really have an interest in making the protocol invite only or pay-to-access at this point, ftr)
uhoreg
commented
2 years ago Codeberg is looking into developing a captcha service, and are looking for contributors. https://codeberg.org/Codeberg-Infrastructure/CaptchaService
MomentQYC
commented
1 year ago Cloudflare Turnstile may be a good solution
harvestdusr
commented
1 year ago I really don't think it's a good idea to have the G* company log IP addresses and fingerprint new users devices when signing up for Matrix.
https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
G* does support some open source development, but the most recent actions from the company seem to be targeting prominent FOSS projects like Invidious.
https://torrentfreak.com/youtube-orders-invidious-privacy-software-to-shut-down-in-7-days-230609/
Legal and anti-consumer developments in 2023 have added even more clarity to why the reCAPTCHA service is incompatible with the Libre principals of openness and integrity.
Like destroying evidence in a Federal court case;
The US Department of Justice along with 10 States have brought a Federal case against G* for a long list of unethical and illegal behavior including tracking children in violation of Federal Law.
https://www.theverge.com/2023/1/25/23570753/google-antitrust-lawsuit-doj-ad-business
Let's please consider reengaging on the alternative Captcha service. hCaptcha seems like the most logical alternative, but there may be something else I'm unaware of.
richvdh
commented
1 year ago I'll keep this issue open as a placeholder, but note that the forthcoming work on OIDC (MSC2964) will move registration entirely under the control of the homeserver and out of the matrix spec - so HS admins will be free to use whichever captcha provider floats their boat.
erlend-sh
commented
1 year ago 
penyuan
commented
1 year ago Check out https://mcaptcha.org/
Woah, thank you @erlend-sh this is the most viable-looking reCAPTCHA replacement that is fully open source that I've seen!
damnms
commented
1 year ago the thing is, matrix devs say "its the homeowners thing to implement any captcha they'd like", so one has to implement it because they probably wont implement anything else than the google one. write a tutorial how to do that and then others can follow. i would at least give it a try
turt2live
commented
1 year ago We're actually planning on dropping reCAPTCHA entirely from the spec through the OIDC series of proposals, where all of this stuff becomes the problem of an auth provider rather than the spec.
penyuan
commented
1 year ago Thanks for the explanation @turt2live.
Might be a discussion for another thread, but I strongly agree with @damnms that it would be extremely valuable to have a step-by-step guide for auth providers on how to use a Google reCAPTCHA replacement such as the fully open source mCAPTCHA suggested by @erlend-sh.
turt2live
commented
1 year ago Currently Matrix-the-spec doesn't support non-reCAPTCHA offerings, which is not something we're happy with. A guide for replacement would have to happen outside of this repo/issue.
KaKi87
commented
1 year ago if someone wants to hammer your site, they will have to do more work to send requests than your server will have to do to respond to their request
Is that the purpose of putting a captcha on a Matrix instance though ?
elch01
commented
11 months ago An update on this would be great.
t3chguy
commented
11 months ago https://areweoidcyet.com/ replaces the entire auth stack in Matrix, then you can do whatever Captcha you want.
Ra2-IFV
commented
3 weeks ago Cloudflare Turnstile is privacy-friendly, free for most uses and compatible with reCAPTCHA and hCAPTCHA.
nicolas17
commented
3 weeks ago @Ra2-IFV It sounds like you didn't read the previous comments in the issue.
CarlSinclair
commented
3 weeks ago I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective
Since this comment, many huge websites including Twitter, GitHub and even Chinese ones have implemented some version of all 3 of these lol. It's almost as if captcha requiring logic makes more sense to filter out machines than captcha requiring calculations, which machines are literally designed to do. You cannot convince me that PoW captchas are not crypto-miners, which is cool, but like be honest about it. Don't try to trick your users and say that a feature that's meant to protect them from spam is in fact you trying to make money off them without their knowledge or consent.
I maintain my position that if left up to the homeservers, most of them will simply not change the defaults. Which is why a good default needs to be in place with the opportunity for homeservers to override it, replace it, or remove captcha entirely. That's how defaults work. I'm not sure why there's so many people shutting this idea down like someone is trying to force them to use an easy captcha method with a good UX. Chill bro lol you can always remove it or replace it.
foresto
commented
3 weeks ago Cloudflare Turnstile is privacy-friendly,
Nothing about Cloudflare is privacy-friendly. Their business is built upon being a MITM between users and the things they use, including HTTPS and (more recently) DNS.
Unless Turnstile is fundamentally different by being completely self-hosted (which seems unlikely given that their front page refers to "plans"), using it would give them even more opportunity to track people than they already have.
Ra2-IFV
commented
3 weeks ago @Ra2-IFV It sounds like you didn't read the previous comments in the issue.
just did a quick scan so sorry
recaptcha is non-free and people would like to have non-google implementations.