Evaluate CAPTCHA options #3606

Open
lampholder opened this Issue Apr 11, 2017 · 33 comments

Member

lampholder commented Apr 11, 2017

The details of the new guest experience for Riot are on the project plan: vector-im/riot-meta#59

To make starting to use Riot as painless and as rewarding as possible, we want people to be able to experience full access after only having chosen their username.

This risks exposing the platform to abuse - to avoid this, we (reluctantly) want to deploy a CAPTCHA. The right CAPTCHA is a balance between accessibility, privacy, effectiveness, UX, reliability, aesthetics and price.

The scope of this task is to evaluate the CAPTCHA options and recommend the most appropriate technical solution.

I've reviewed some of the options already here: https://docs.google.com/spreadsheets/d/1wD_8TF_k3BYMGhN6YQtPvfC8gxVi0RNOx1fF24RJb20

The two frontrunners so far are:

Member

ara4n commented Apr 11, 2017

I'll close #2759 as a dup of this one

@ara4n ara4n added security p1 labels Apr 11, 2017

@ara4n ara4n referenced this issue Apr 11, 2017

Closed

Better captchas #2759

Member

ara4n commented Apr 11, 2017

phpcaptcha looks cosmetically rather terrible, but visualcaptcha looks promising?


tessgadwa commented Apr 11, 2017

Member Author

lampholder commented Apr 11, 2017

VisualCaptcha certainly looks a whole lot better and, you're right, is probably less vulnerable to off-the-shelf CAPTCHA crackers. I'd like to see a much larger image set (though that is something we can supply ourselves).

@lampholder lampholder added this to the RW003 milestone Apr 24, 2017

Member Author

lampholder commented Apr 25, 2017

We could implement something along the lines of this (immediately after the user's having chosen their desired mxid):
[image: captcha]

Contributor

lukebarnard1 commented Apr 25, 2017

@lampholder let's keep this discussion limited to the captcha itself.

@lukebarnard1 lukebarnard1 changed the title Improve Landing as Guest: Evaluate CAPTCHA options Evaluate CAPTCHA options Apr 25, 2017

@lampholder lampholder moved this from Needs Spec to Ready to Start in Improve Landing as Guest Apr 25, 2017

Member

dbkr commented Apr 27, 2017

https://github.com/emotionLoop/visualCaptcha

Please note visualCaptcha is no longer actively developed :(

This may not necessarily be a showstopper if it works, but means we'd probably have to either maintain it ourselves or hope "the community" (i.e. someone else) does.

@lampholder lampholder added the ui/ux label May 12, 2017

@lampholder lampholder modified the milestones: RW003, RW004 - candidates, RW005 - candidates May 18, 2017

@lampholder lampholder removed this from Ready to Start in Improve Landing as Guest May 24, 2017


devnoname120 commented Jun 25, 2017

What is the point of adding captchas to Riot though? If they are not enforced by the Matrix protocol, it won't prevent spam and will be an annoyance for the users.

Member Author

lampholder commented Jul 21, 2017

I believe the point is they would be enforced by the homeserver, so you can protect your homeserver against becoming a bot-dominated spam/abuse machine.

Member

ara4n commented Oct 17, 2017

Apparently https://github.com/isislovecruft/gimp-captcha is quite nice, according to Tor folks, but looks like it depends on gimp(!) :(

Member

ara4n commented Jul 7, 2018

apparently "whatever diaspora does" is good

Collaborator

t3chguy commented Jul 7, 2018

It seems to just use a "dumb" old squiggly text Captcha
[image]


ilintault commented Jul 20, 2018

Since Google is blocked from my entire network, I cannot even complete the sign up for Riot due to the reliance on Google. I vote for anything other than Google.

Collaborator

t3chguy commented Jul 20, 2018

It's not really a Riot thing, it's the server you're choosing to attempt to sign up on requiring it as part of sign up. Most public servers do.


ilintault commented Jul 24, 2018

@t3chguy This may be the case, but the matrix.org server is using Google Captcha. And people on Matrix HQ chat directed me to this ticket to voice my objection. In my view, Google is using captcha to train their image AI.

Member

uhoreg commented Jul 24, 2018

This ticket isn't for voicing objections to recaptcha. We already know that people don't like recaptcha. This ticket is for proposing alternatives and evaluating them.

Member

turt2live commented Jul 24, 2018

As per Matrix HQ: I think this ticket is at the status of gathering options to replace the captcha offered by matrix.org. This is a priority 1 issue and is therefore on the hot path for being dealt with.

Edit: It would be really great if github showed replies before I posted my comment


ilu33 commented Jul 29, 2018

I see I don't have to argue my case against google recaptcha. All Google services are a no-go and the present implementation on riot.im is buggy when JS is managed per-site.
Please use any of the discussed alternatives interim but stop using google recaptcha now. I tried to get matrix a top spot on privacy-conscious recommendation lists but that's not possible as long as google services are used.


xaur commented Nov 27, 2018

Google recaptcha is a huge privacy hole that deserves more attention imo.

Back in 2014, a reverse engineering attempt showed what it is capable of:

> Google servers will receive and process, at least, the following information: Plug-ins; User-agent; Screen resolution; Execution time, timezone; Number of click/keyboard/touch actions (in the <iframe> of the captcha); It tests the behavior of many browser-specific functions and CSS rules; It checks the rendering of canvas elements; Likely cookies server-side (it's executed on the www.google.com domain); And likely other stuff...

This was 4 years ago, imagine where the tech is now.

For cryptocurrency communities that begin to appreciate Matrix and are apparently endorsed by it, this means all Riot users (potentially asset holders) are fingerprinted by Google.

Perhaps this issue deserves a 'privacy' label.

Collaborator

t3chguy commented Nov 27, 2018

> this means all Riot users (potentially asset holders) are fingerprinted by Google.

Not all homeservers employ recaptcha so this is not true, it's up to the server if it wants to use it or not, they can technically provide other captcha solutions via fallback auth and it'll work just fine with Riot.


damnms commented Dec 22, 2018

> they can technically provide other captcha solutions via fallback auth

Can you please go into more detail about this?
I would like to use Matrix/Riot.
But I do not want to become a spam machine.

Google is also blocked on my network and I would never force someone to use reCaptcha just to be able to register. Worse, when I think of GDPR, this would highly hit my private server (in terms of privacy) as I then have to follow a lot of rules (adding an imprint, etc.)

Collaborator

t3chguy commented Dec 22, 2018

@damnms https://matrix.org/docs/spec/client_server/r0.4.0.html#fallback
A server can provide an unknown auth method and then fallback will be used, where the client just shows an HTML iframe which could contain any other captcha you so wish for.
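
The mechanism described in the comment above, as an added example that is not part of the thread and is not Riot's or Synapse's code. It takes the 401 body a homeserver returns for registration, picks a flow that avoids chosen stage types, and builds the fallback page URL from the linked r0.4.0 spec for any stage the client cannot render; the stage name `org.example.captcha`, the host `hs.example`, the session value and the function names are constructed for illustration.

```javascript
// Added illustration; not code from Riot, Synapse or the Matrix spec.
// Stage types this hypothetical client can render itself.
const NATIVE_STAGES = new Set(["m.login.dummy", "m.login.recaptcha"]);

// Constructed 401 body from POST /_matrix/client/r0/register on a homeserver
// that offers reCAPTCHA or a self-hosted captcha ("org.example.captcha" is a
// made-up stage name; the session value is a placeholder).
const SAMPLE_401 = {
  session: "CONSTRUCTED_SESSION_ID",
  flows: [
    { stages: ["m.login.recaptcha"] },
    { stages: ["org.example.captcha", "m.login.dummy"] },
  ],
  params: { "m.login.recaptcha": { public_key: "PLACEHOLDER_SITE_KEY" } },
};

// Fallback page defined by the spec for stages the client does not understand.
function fallbackUrl(homeserver, stageType, session) {
  return homeserver.replace(/\/+$/, "") +
    "/_matrix/client/r0/auth/" + encodeURIComponent(stageType) +
    "/fallback/web?session=" + encodeURIComponent(session);
}

// Choose the shortest flow that avoids the given stage types and say how each
// remaining stage is handled: natively, or in an iframe on the fallback page.
function planRegistration(homeserver, uia, avoid = []) {
  const done = new Set(uia.completed || []);
  const remaining = (flow) => flow.stages.filter((s) => !done.has(s));
  const usable = (uia.flows || [])
    .filter((flow) => !flow.stages.some((s) => avoid.includes(s)))
    .sort((a, b) => remaining(a).length - remaining(b).length);
  if (usable.length === 0) return null; // server offers nothing acceptable
  return remaining(usable[0]).map((type) =>
    NATIVE_STAGES.has(type)
      ? { type, via: "native" }
      : { type, via: "fallback", url: fallbackUrl(homeserver, type, uia.session) });
}
```

Once the fallback page reports completion, the client repeats the original request with an `auth` object that carries only the `session` value.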


damnms commented Dec 31, 2018

So I have to code it myself in Matrix that another captcha provider is used? Meaning, this ticket should go to Matrix instead of Riot?
Then, why not close this ticket and redirect it to Matrix? :)


damnms commented Jan 11, 2019

> I see I don't have to argue my case against google recaptcha. All Google services are a no-go and the present implementation on riot.im is buggy when JS is managed per-site.
> Please use any of the discussed alternatives interim but stop using google recaptcha now. I tried to get matrix a top spot on privacy-conscious recommendation lists but that's not possible as long as google services are used.

If you make any progress, please let me know. I would love to use Matrix/Riot, but reCAPTCHA is an absolute no-go (which would result in legal problems regarding GDPR, an imprint on my private homepage which I do not want, etc.)


joinlaw commented Feb 3, 2019

When will the project drop the non-free recaptcha? It uses non-free JavaScript, and it tracks users.


antonizoon commented Feb 20, 2019

People seem to have overlooked a single click captcha that looks and works similar to recaptcha, yet is self hosted.

Is it possible to consider the use of alternative captcha systems equal in design to Google Recaptcha, such as Coinhive? It would allow such JavaScript to be self hosted, uses proof of work to make spam expensive, and causes attackers to earn the website some money. This would at least be acceptable in the case of cryptocurrency communities already. If coinhive is blocked by adblock systems (sometimes people get even more angry about mining than ads), then users could get to use google recaptcha as a fallback. :^)

https://coinhive.com/documentation/captcha

EDIT: I mean you can just run your own matrix identity server in lieu of using matrix.org that uses any different captcha in an iframe as stated by this issue comment. Identities are federated so you can connect to matrix.org without ever encountering their recaptcha ever.


antonizoon commented Feb 20, 2019

FYI to any new readers: For those with privacy concerns regarding ReCaptcha (it is designed explicitly to make captchas faster by using AI browser profiling that carries over in their proprietary database and algorithms, so it is a legitimate concern), you could self host your own homeserver and identity provider that uses your own captcha solution (such as Coinhive in an iframe, as stated in this issue), and then federate to matrix.org or other homeserver channels without ever using Google Recaptcha. After you have some Matrix identity you can then use the riot.im web client without encountering any fonts.google.com library imports or Google JavaScript, or just use any other Matrix client, as stated in my basic independent audit.


damnms commented Feb 20, 2019

> that uses your own captcha solution

I am no developer. I can configure some applications, but I am not going to develop something, as this would lack my skill. And I guess that is the main reason why some people complain.
If I were able to simply hack that myself in a couple of days, and to know exactly what I am doing (especially in security), then I would do it. But I can't.
So as long as there is no "simple" guide which leads through that process, this does not help me. Simple for me means: I do not have to code.
I have a homeserver, but I do not want to host an identity provider as well.
Is a self hosted identity provider required to be able to use another captcha provider?


antonizoon commented Feb 20, 2019

> Is a self hosted identity provider required to be able to use another captcha provider?

Technically, what I meant is that you need to use an identity provider other than matrix.org to avoid its current configuration with Google ReCaptcha.

You know if you managed to make your own home server it is a system configuration matter to enable the identity provider, not a code developer matter, so read over the docs and try again? I did not even know it was possible to configure it without an identity provider from past experience. And yes if you are looking out for privacy by self hosting you should go to the trouble. Why trust others to know, host, and attest to your identity when your homeserver can do it by itself?

But yes, for the general public you could just find any other matrix identity provider online that uses some other captcha or verification system, and still chat to matrix.org channels and use any matrix or riot.im client just fine with federation (just specify the different identity provider URL). I haven't been able to test all the different identity servers for this but there must be one that doesn't. (Though it probably may be getting quite a bit of spam accounts if they aren't having some effective captcha mechanism)

https://www.hello-matrix.net/public_servers.php

Maybe as a future feature request matrix.org could switch to allowing users to make a choice between the type of captcha, such as coinhive. But that's an implementation thing up to them and will take time to figure out. I would say you shouldn't swear off the entire matrix ecosystem when you can either join a non-recaptcha identity provider or run your own.


damnms commented Feb 20, 2019

Are you sure that the IDENTITY server is responsible for this? I highly doubt so. As far as I know, it is the Matrix server itself that is responsible for the fallback. The identity server only handles the mapping (3PIDs) which is optional if you do not want to federate with matrix.org servers.

I am not interested in federation (at the moment). I just want a "secure" platform for me and some friends to chat.

Member

jryans commented Feb 20, 2019

@damnms is correct: In Matrix terminology, the "identity server" is not involved here. (A Matrix identity server is basically just a mapping of things like emails to Matrix IDs.)

The Matrix homeserver is the one that defines the available registration flows for creating an account, and therefore the homeserver is also what determines if you see a captcha or not.


antonizoon commented Feb 20, 2019

@damnms: well, I may be corrected there, but you already have the answer: you just disable your captcha and set a whitelist of users, and then you have all that you need to chat internally or federate with the rest of the Matrix ecosystem. So you successfully avoided Google Recaptcha at matrix.org by self hosting.


damnms commented Feb 20, 2019

If you want to spam, then please do this somewhere else. The topic is: evaluate captcha options.
Not: evaluate workarounds for some people.

For me, it is NO option to turn off protection. Period.
It is NO option for me to whitelist people, do the registration for them on my server, etc. - this would be a very very ugly workaround. But far away from a solution.
Also: if any one of them has the need to use riot.im or any other Matrix client to talk to other federated networks, I am back at the beginning. Even worse, then they maybe drop Matrix completely because of lacking features, which I do not want to use because of privacy/law concerns.
