maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0
268 stars 13 forks

[FEATURE] GDPR-compliant, data protection-friendly captcha implementation #154

Open schenklklopfer opened 7 months ago

schenklklopfer commented 7 months ago

Is your feature request related to a problem? Please describe. 🐛 For “CaptchaProvider”, only providers based in the USA are possible. This is a problem with the legal situation in the EU (GDPR). In general, the user's permission must first be obtained before using such a service, which will not be easily possible in the case of a Crowdsec decision.

Describe the solution you'd like ✨ A solution that does not require an external service and is therefore privacy-friendly.
Something like the “quiz” implementation used by the WordPress plugin ContactForm7 would be a useful solution: a manually configurable list of questions and matching answers, such as “What is 1 + 1?|2”, “What is 1 + 2?|3”, “What is 1 + 3?|4”, “What is 1 + 4?|5” or “What is the capital of Germany?|Berlin”, “What is the capital of Italy?|Rome”, ...

Additional context none
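
The question|answer list proposed in this issue, worked through as an added example in Go (the language the plugin is written in). This is not the plugin's code nor ContactForm7's: it parses the configured list, hands the browser a randomly chosen question together with an HMAC-signed token that carries only the question index, an expiry and a nonce, and verifies the reply statelessly with a constant-time comparison, so the expected answer never leaves the server and a client cannot pick its own question. The names ParseQuiz, Challenge, Verify, the 32-byte key minimum, the 20-byte token layout and the lenient answer normalization are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Quiz is a parsed "question|answer" list; the HMAC key signs challenge tokens so the middleware stays stateless.
type Quiz struct {
	questions []string
	answers   []string // normalized: lower-case, whitespace collapsed
	key       []byte   // HMAC key, assumed to come from the plugin configuration
	ttl       time.Duration
}

// ParseQuiz reads lines such as "What is 1 + 1?|2"; a malformed line fails at startup instead of being skipped.
func ParseQuiz(lines []string, key []byte, ttl time.Duration) (*Quiz, error) {
	if len(key) < 32 {
		return nil, errors.New("hmac key must be at least 32 bytes")
	}
	q := &Quiz{key: key, ttl: ttl}
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if l == "" {
			continue
		}
		parts := strings.SplitN(l, "|", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" || normalize(parts[1]) == "" {
			return nil, fmt.Errorf("bad quiz line %q: expected question|answer", l)
		}
		q.questions = append(q.questions, strings.TrimSpace(parts[0]))
		q.answers = append(q.answers, normalize(parts[1]))
	}
	if len(q.questions) == 0 {
		return nil, errors.New("quiz list is empty")
	}
	return q, nil
}

func normalize(s string) string { return strings.ToLower(strings.Join(strings.Fields(s), " ")) }

func (q *Quiz) mac(payload []byte) []byte {
	m := hmac.New(sha256.New, q.key)
	m.Write(payload)
	return m.Sum(nil)
}

// Challenge picks a random question and returns it with a signed token of index, expiry and nonce (never the answer).
func (q *Quiz) Challenge(now time.Time) (question, token string, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(q.questions))))
	if err != nil {
		return "", "", err
	}
	payload := make([]byte, 20)
	binary.BigEndian.PutUint32(payload[0:4], uint32(n.Int64()))
	binary.BigEndian.PutUint64(payload[4:12], uint64(now.Add(q.ttl).Unix()))
	if _, err := rand.Read(payload[12:20]); err != nil {
		return "", "", err
	}
	token = base64.RawURLEncoding.EncodeToString(append(payload, q.mac(payload)...))
	return q.questions[n.Int64()], token, nil
}

// Verify checks signature and expiry before the answer, so a client can neither choose its question nor reuse a stale one.
func (q *Quiz) Verify(token, answer string, now time.Time) bool {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != 20+sha256.Size {
		return false
	}
	payload, tag := raw[:20], raw[20:]
	if !hmac.Equal(tag, q.mac(payload)) {
		return false
	}
	idx := int(binary.BigEndian.Uint32(payload[0:4]))
	exp := time.Unix(int64(binary.BigEndian.Uint64(payload[4:12])), 0)
	if idx < 0 || idx >= len(q.answers) || now.After(exp) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(normalize(answer)), []byte(q.answers[idx])) == 1
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; a real one belongs in the plugin config
	q, err := ParseQuiz([]string{"What is 1 + 1?|2", "What is the capital of Germany?|Berlin"}, key, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	question, token, _ := q.Challenge(time.Now())
	fmt.Println(question, token)
}
```

Two caveats a deployment would add on top of this: a valid token can be replayed with its answer until it expires, so it should be bound to the client (for example by mixing the remote address into the signed payload) or marked single-use; and, as the maintainers note further down, nothing here stops a bot that feeds the question text to a language model, so the quiz is a filter for dumb scanners rather than a proof of humanity.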

mathieuHa commented 7 months ago

Hi @schenklklopfer,

The first captcha providers we integrated are based in the USA and may not be GDPR compliant.
You can however customize the webpage served and add the necessary consent banners, but I understand it has some complexity.

We are open to adding more providers. I've looked a bit, for instance at european-alternatives.eu/category/captcha-services

There are 4 examples of services hosted in the EU we could try to add, and one which can even be self-hosted.

I'm not 100% confident on whether using an EU-hosted or self-hosted service would respect GDPR, or if some sort of consent gathering would still be needed. I'd appreciate feedback on this @schenklklopfer.

After discussing with @maxlerebourg, we believe adding our own implementation of a captcha challenge directly in the plugin would be a last-resort solution. We try to keep the plugin simple for now, but we may reconsider in the future.
Also, I'm wondering about the security of a solution like ContactForm7's: connecting even the most basic AI model to an automation tool would solve the captcha with "no difficulty".

schenklklopfer commented 7 months ago

Hi @mathieuHa,

I think a self-hosted solution like mCaptcha would be the best way. EU-based services are better, but as long as a website triggers the browser to access a service that is not hosted in the scope of the page (e.g. the same company), you need to ask the user. With a self-hosted solution one can use something like captcha.yourdomain.tld or yourdomain.tld/captcha to stay in the scope of the page, and therefore there is no need for asking. (Same as hosting your pictures on your own CDN and not on the page itself, like cdn.yourdomain.tld.) I am not a lawyer, so this is not legally binding. But in practice, such cases occur from time to time.

The mCaptcha site says: "It uses proof-of-work and is compatible with reCAPTCHA and hCaptcha." So we can possibly just try it? Maybe it needs no or just a few changes to the plugin.

Things like the quiz from ContactForm7 work better than you might think.
The bulk of bots/attackers out there only scan for vulnerabilities, and therefore match typical patterns; those scripts are usually very dumb. At the moment we have very good experience with this kind of protection. Furthermore, the captcha in Crowdsec is not the only way to protect a site. If the attack keeps going after solving the captcha, and the patterns match again, the following action can or will be a ban and not just the captcha.

Besides that, I know of browser plugins for solving captchas, so they are also not as 100% secure as we hope they are...
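
To make concrete what "proof-of-work" means for a captcha, here is an added example in Go of a hashcash-style puzzle. It is not mCaptcha's protocol (the thread does not describe it and this code does not implement it) and not the plugin's code: the server issues a random salt and a difficulty, the browser searches for a nonce such that SHA-256(salt || nonce) starts with that many zero bits, and the server checks the reply with a single hash. The Challenge type, the 16-byte salt, Solve, Verify and ExpectedTries are this example's assumptions; binding the salt to a client (by signing it or storing it server-side with an expiry) is assumed to happen outside this code.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// Challenge is what the server hands to the browser: a random salt and the number of
// leading zero bits the hash of salt||nonce must have. A real deployment signs or stores
// the salt server-side (assumed here) so a client cannot lower its own difficulty.
type Challenge struct {
	Salt       []byte
	Difficulty uint8 // each extra bit doubles the client's expected work
}

func NewChallenge(difficulty uint8) (Challenge, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Challenge{}, err
	}
	return Challenge{Salt: salt, Difficulty: difficulty}, nil
}

// LeadingZeroBits counts zero bits from the start of a digest.
func LeadingZeroBits(h []byte) int {
	n := 0
	for _, b := range h {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

func digest(salt []byte, nonce uint64) []byte {
	buf := make([]byte, len(salt)+8)
	copy(buf, salt)
	binary.BigEndian.PutUint64(buf[len(salt):], nonce)
	h := sha256.Sum256(buf)
	return h[:]
}

// Verify is the server side: one hash, however hard the puzzle was for the client.
func Verify(c Challenge, nonce uint64) bool {
	return LeadingZeroBits(digest(c.Salt, nonce)) >= int(c.Difficulty)
}

// Solve is the client side: brute-force nonces until the target is met. It returns the
// nonce and how many hashes were tried; maxTries bounds the loop for the demo.
func Solve(c Challenge, maxTries uint64) (nonce, tries uint64, err error) {
	for nonce = 0; nonce < maxTries; nonce++ {
		if Verify(c, nonce) {
			return nonce, nonce + 1, nil
		}
	}
	return 0, maxTries, errors.New("no solution within maxTries")
}

// ExpectedTries is 2^difficulty (meaningful for difficulty < 64): the cost asymmetry that
// makes proof-of-work a throttle on automated clients rather than a proof of humanity.
func ExpectedTries(difficulty uint8) uint64 { return 1 << difficulty }

func main() {
	for _, d := range []uint8{8, 12, 16} {
		c, err := NewChallenge(d)
		if err != nil {
			panic(err)
		}
		nonce, tries, err := Solve(c, 1<<24)
		if err != nil {
			panic(err)
		}
		fmt.Printf("difficulty %2d: nonce %d after %d tries (expected ~%d), verify=%v\n",
			d, nonce, tries, ExpectedTries(d), Verify(c, nonce))
	}
}
```

The point of the example is the asymmetry: the client pays roughly 2^difficulty hashes while the server pays one, so an abusive source can be slowed down without any third-party service or user data leaving the site. It does not distinguish humans from bots, which is why it combines naturally with the escalation described above, where repeated matches after a solved challenge lead to a ban rather than another captcha.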

avidflyer17 commented 7 months ago

@schenklklopfer

I think a self-hosted solution like mCaptcha would be the best way.

Totally aligned. I'll be happy to beta test this! :)

mathieuHa commented 6 months ago

Hi,

We'll move forward and try to provide an integration with at least one service hosted in the EU and mCaptcha as a self-hosted alternative.