PSA: It looks like mastodon.social implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

https://github.com/mastodon/mastodon/pull/25019

The reason I'm suggesting this is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”

#MastoAdmin #FediAdmin #fediblock

Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.

Please have a look at this excellent reply for more details:

https://dragonscave.space/@Mayana/110383119877022255

Add optional hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon

Add optional hCaptcha support based on glitch-soc#1665 and glitch-soc#1667, largely rewriting prior work at glitch-soc#1323 Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_...

@michael Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle https://github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y

@erion @michael They have made an improvement, at least Discord-wise. I know they use that one, and there's probably an upgrade that gives text questions. I had luck with it a few times, but no further sites that I found using it, so don't know where to test.
@spacedragon @michael As far as I know, companies who use it need to ask HCaptcha to enable the alternate text version. Even then, it may or may not pop up, for example to me it didn't pop up either on Discord mobile or on desktop, so right now I am not even able to log in to Discord, even though I have an account I have used for years.

Specifically having to ask a company to provide an alternate solution when they are aware that there will be people who are unable to log in otherwise is just disgusting. You not only have to rely on a company (or possibly an individual) to do this, but also on HCaptcha. It is beyond ridiculous and it is certainly unacceptable. HCaptcha is aware of this, and for years they have been telling us that there will be improvements, but they always choose the easy way out, which is, needless to say, not designed with the end user in mind. We are talking about just a Mastodon instance here, but imagine if this blocks you from accessing vital information that you wouldn't be able to otherwise. Health data, managing your passport or ID card on a government's site, hospitals, etc.
@erion @michael Discord worked for me.