Open tomreyn opened 9 years ago
@hiker, @auriamg I think this should be a priority. Maybe mark this with an appropriate label :).
You are unable to set labels? Not sure if this is something we can configure
If we include captcha, we need to send the captcha as graphical image from the server (or a link to a captcha somewhere). It's not trivial to implement this (without locking up the gui).
Suggestion: the proper solution to this is IMO to add limitations, for instance a maximum of 10 new accounts per IP per hour.
@auriamg I do not think that is such a great solution. Someone with a large number of computers could just create a huge amount of users, or either use a proxy server or a VPN to further register users, in that time frame.
@hiker What you described is the desired idea. Server sends an image (or a link to the image location), client takes that image, embeds it in the register form, user fills the form, sends it back to the server, server validates that it is correct. Why would an image inside the register form lock up the GUI?
I personally hate CAPTCHA. Though I see sometimes that you must for example add two digits and write proper value. I think that it's much better for user than classic image with almost unreadable text... And it's faster to send two digits than a bitmap.
Or ideally something like "Win a race to prove that you are a human" ;)
@deveee I do not think sending 2 digits as plain text will stop a bot though.
Bots are now very good at solving captchas through OCRs (better than humans), so you're not stopping a determined hacker anyway using a captcha
I agree with hating captchas - I've been declared non-human way too often ;)
Disadvantages: more work on the server: we need to send the image from our server (otherwise we need to make the server address for captchas configurable, if we are even able to use an external server, ...), which adds load to our server, since it has to either download or create the captchas. Then we need to store the expected answer - so in case of a spammer we are then storing 1000s of expected answers.
Then the GUI needs to be threaded: a thread to download the captcha (so the user can exit the GUI), error handling, displaying the image, getting the answer - yes, of course it can be done (we are already doing this in other places), but it's not so trivial that I would suggest adding this for this release.
I like the idea about doing a race ... though I can't see an easy way to do it. Perhaps 'security through obfuscation': server sends a random token to the client, which applies a certain operation during the race. At the end of the race the client sends this processed token and #frames, from which the server can determine if the token is correct?
I'll leave this assigned for 0.8.2 for now (together with ticket 46 on the addons repo), to keep track of adjusting the server side to do some throttling; anything else is a mid-term issue imho (i.e. not trivial to fix for the next release).
The LinkHelper::OpenURL function from https://github.com/supertuxkart/stk-code/pull/2855 may be helpful here:
Sound workable?
When registering a new user account on Addons using the graphical web interface, the application requires the user to solve a CAPTCHA. Registrations using the API (such as the one used by the game client) do not, however, require a CAPTCHA to be solved. This may indicate that the anti-abuse functionality the CAPTCHA is supposed to provide on the web interface can be bypassed by using the API.
Edited on 2017-07-25: fixing typos