PSA: It looks like mastodon.social implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

https://github.com/mastodon/mastodon/pull/25019

The reason I'm suggesting this is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”

#MastoAdmin #FediAdmin #fediblock

Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.

Please have a look at this excellent reply for more details:

https://dragonscave.space/@Mayana/110383119877022255

Add optional hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon

Add optional hCaptcha support based on glitch-soc#1665 and glitch-soc#1667, largely rewriting prior work at glitch-soc#1323 Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_...

@michael Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle https://github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y

@erion @michael Every time I see talk about captchas, I'm reminded of that time when I needed to take remote control of a blind friend's computer to solve a captcha for them so they could register their account for...

AUDIOBOOKS

@MxAlba @michael So many blind people do this still, ask for remote help that is. Sadly it's not something that works long-term though.
@erion @michael Agreed. It's nothing more than a dirty work-around. I think it's kinda like when I run into the Nth form that requires me to declare whether I'm a "Mr." or a "Mrs." without any other options and I think, fuck it, no spoons for this battle now, and just go for "Mrs."
@MxAlba @michael Haha that's the spirit. Yes, this is really frustrating too.
@erion @michael @MxAlba MCAPTCHA is what servers like Calckey and Pleroma need to implement; Pleroma's even worse than Calckey; at least with Calckey, they use a solution that's workable, though a PIA. For Pleroma, the solution doesn't have any alternatives.
@cambridgeport90 @[email protected] @michael @MxAlba FriendlyCaptcha and mCaptcha are on the roadmap.
@kainoa @michael @cambridgeport90 @MxAlba This is so awesome to hear. Calckey looks more appealing every day 😀