PSA: It looks like mastodon.social implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

https://github.com/mastodon/mastodon/pull/25019

The reason I'm suggesting this is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”

#MastoAdmin #FediAdmin #fediblock

Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.

Please have a look at this excellent reply for more details:

https://dragonscave.space/@Mayana/110383119877022255

Add optional hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon

Add optional hCaptcha support based on glitch-soc#1665 and glitch-soc#1667, largely rewriting prior work at glitch-soc#1323 Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_...

@michael Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle https://github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y

@erion @michael Well said. I opened https://github.com/mastodon/mastodon/issues/25023 in the #Mastodon issue tracker. Looks like the plan is to *not* release #hCaptcha support. Better ideas needed!

#MastoDev #MastoMeta #FediMeta #accessibility #a11y

Replace hCaptcha with FLOSS and GDPR-compliant alternative · Issue #25023 · mastodon/mastodon

Pitch bec6a1c has introduced hCaptcha support. This means that Mastodon transfers personal data to the USA (the user is forced to send a request and therefore their IP address to a USA-controlled d...

@nemobis @erion @michael I would love to see an "open captcha" solution, that would be open source and privacy-preserving. First step would be to collect requirements. For example, have solutions for people who cannot actually read the images (or hear sounds). Respect privacy by allowing servers to implement the test locally, without relying on a third party. And of course be robust even if the code is public.
@huitema @nemobis @michael MCaptcha, which I mentioned in this thread, is probably the closest you can get which meets your requirements.
@erion @nemobis @michael Thanks! Looking at mcaptcha now.
@erion @nemobis @michael mcaptcha uses proof-of-work, which has lots of advantages but has also known issues. Big-iron computers can solve the puzzle much more quickly than small devices like cellphones, without depleting their battery. But it is sure better than passing user tracking data to Google...
@huitema @nemobis @michael Oh absolutely, you are right it's not perfect, but far more accommodating than, say, using text questions.
@erion @nemobis @michael I am a bit concerned that mcaptcha solves a generic DDOS defense problem by imposing cost to the bots, which is different from "verify there is a living human behind the keyboard." Take the case in point, spammers creating bot accounts on "mastodon.social". Yes, they will have to spend a couple seconds of CPU time per account created. Is that going to deter them from creating a few thousand accounts?

@huitema That would depend on how these accounts are being created and what their ROI is. Realistically, the only way to find out is to try.

Typical modern captchas are rarely used to verify that users are human, as they're often easier for bots than for humans to pass. Mastodon.social added hCaptcha to reduce spam (which may or may not have been automated), not to reduce automated usage.

@huitema @nemobis @michael I believe the difficulty can be increased to add more work, for example FriendlyCaptcha uses 10 seconds, which is enough time to fill out a form.

None of the captcha solutions will stop spammers if they are really determined, for example a lot of spam is created by hiring humans to solve captcha challenges. I look at this similarly to software cracking, since everything can be cracked there is no point spending time and effort to create the most foolproof defense, but rather something that makes it not worth it. Similarly to captchas, the cost to value ratio is what matters I think.

So in this light, a few seconds that can be spent on creating hundreds or thousands of new accounts is quite important, especially if the difficulty goes up and more time is added for each new challenge.
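The proof-of-work trade-off debated in the replies above (a couple of seconds of CPU per account, big machines solving faster than phones, difficulty that goes up with each new challenge, verification staying cheap for the server) can be made concrete with a small hashcash-style puzzle. This is an added example, not code from the thread, from Mastodon or from mCaptcha; mCaptcha's own puzzle format and difficulty policy are different. It assumes a SHA-256 leading-zero-bits target, and `escalate_difficulty` is a hypothetical policy written for illustration.

```python
"""Hashcash-style proof-of-work sign-up challenge (illustrative, not mCaptcha's code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    salt: bytes        # fresh per request so a solution cannot be replayed
    difficulty: int    # required leading zero bits in SHA-256(salt || nonce)


def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def _digest(salt: bytes, nonce: int) -> bytes:
    return hashlib.sha256(salt + nonce.to_bytes(8, "big")).digest()


def issue_challenge(difficulty: int) -> Challenge:
    """Server side: hand out a random salt and the current difficulty."""
    return Challenge(secrets.token_bytes(16), difficulty)


def solve(ch: Challenge, max_iterations: int = 1 << 32) -> tuple[int, int]:
    """Client side: brute-force the smallest nonce that meets the target.

    Returns (nonce, hashes_computed). Expected work is about 2**difficulty
    hashes, so every extra bit of difficulty doubles the client's cost.
    """
    for nonce in range(max_iterations):
        if _leading_zero_bits(_digest(ch.salt, nonce)) >= ch.difficulty:
            return nonce, nonce + 1
    raise RuntimeError("no solution within iteration budget")


def verify(ch: Challenge, nonce: int) -> bool:
    """Server side: exactly one hash, however high the difficulty was set."""
    if not 0 <= nonce < 1 << 64:
        return False
    return _leading_zero_bits(_digest(ch.salt, nonce)) >= ch.difficulty


def escalate_difficulty(base: int, recent_requests: int, step: int = 2, cap: int = 26) -> int:
    """Hypothetical policy (assumption, not mCaptcha's): add `step` bits for every
    recent challenge request from the same source (e.g. an IP range), capped so
    that a legitimate user on a slow device is not locked out entirely."""
    return min(cap, base + step * recent_requests)


def expected_seconds(difficulty: int, hashes_per_second: float) -> float:
    """Expected solve time for a solver with the given hash throughput."""
    return (2 ** difficulty) / hashes_per_second


if __name__ == "__main__":
    ch = issue_challenge(difficulty=18)
    t0 = time.perf_counter()
    nonce, hashes = solve(ch)
    dt = time.perf_counter() - t0
    assert verify(ch, nonce)
    print(f"solved {ch.difficulty}-bit puzzle in {hashes} hashes, {dt:.2f}s")
    rate = hashes / dt
    # The same puzzle costs a 100x faster machine (big iron vs. a phone) 1/100 of the time.
    for d in (18, 20, 22, 24, 26):
        print(f"difficulty {d}: this machine ~{expected_seconds(d, rate):.1f}s, "
              f"100x faster machine ~{expected_seconds(d, rate * 100):.2f}s")
    # Repeated requests from one source raise the bar on each new challenge.
    for n in range(6):
        print(f"request #{n + 1} from same source -> difficulty {escalate_difficulty(18, n)}")
```

The asymmetry the replies point at is visible in the two sides: `solve` does on average 2**difficulty SHA-256 calls while `verify` does one, so the server can raise the bar per source without raising its own cost; the flip side is that the cost is measured in hashes, not in humanity, so a spammer with fast hardware pays a small fixed price per account and the only question left is whether that price exceeds what an account is worth to them.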