PSA: It looks like mastodon.social has implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

https://github.com/mastodon/mastodon/pull/25019

The reason I'm suggesting this is that if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”

#MastoAdmin #FediAdmin #fediblock

Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.

Please have a look at this excellent reply for more details:

https://dragonscave.space/@Mayana/110383119877022255

@michael Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle https://github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y

@erion @michael They have made an improvement, at least discord wise. I know they use that one, and there's probably an upgrade that gives text questions. I had luck with it a few times, but no further sites that I found using it, so don't know where to test.
@spacedragon @michael As far as I know, companies who use it need to ask HCaptcha to enable the alternate text version. Even then, it may or may not pop up, for example to me it didn't pop up either on Discord mobile or on desktop, so right now I am not even able to log in to discord, even though I have an account I have used for years.

Specifically having to ask a company to provide an alternate solution when they are aware that there will be people who are unable to log in otherwise is just disgusting. You not only have to rely on a company (or possibly an individual) to do this, but also on HCaptcha. It is beyond ridiculous and it is certainly unacceptable. Hcaptcha is aware of this, and for years they have been telling us that there will be improvements, but they always choose the easy way out, which is, needless to say, not designed for the end user in mind. We are talking about just a Mastodon instance here, but imagine if this blocks you from accessing vital information that you wouldn't be able to otherwise. Health data, managing your passport or ID card on a government's site, hospitals, etc.
@erion @michael I can help you with that. But mastodon.social's captcha is just a tick box. My new account proves it. Funny enough. And I tried, twice.
@spacedragon @michael Nope, there's absolutely no guarantee that a text captcha for HCaptcha will pop up. I have checked on multiple devices, and many people I know have done the same. Only the regular image captcha is available. For some other people, the text captcha is available.

To my knowledge, mastodon.social does not have a captcha, at least it does not pop up here. When you create an account, the only checkbox that shows here is for indicating that you are agreeing to the privacy policy and terms of use.
@erion @michael It does after email verification is clicked on. I have tried the text on multiple devices, works for me.
@spacedragon @michael Not here. No matter what I do here, it just does not pop up. I've cleared cookies, tried private browsing, desktop app, iOS app, email verification (which I have done years and years ago too), used multiple operating systems, multiple browsers, multiple Discord versions, even a VM, it just does not pop up.
@erion @spacedragon @michael I find that for logging into Discord, as long as you're logged in on your phone, you can log into other devices using the QR code. You have to play with it a bit, but once you get it, it stays.
@cambridgeport90 @spacedragon @michael Ah Nice to know, thanks. Sadly I need to get to this stage first, on any device.

@erion @michael Well said. I opened https://github.com/mastodon/mastodon/issues/25023 in the #Mastodon issue tracker. Looks like the plan is to *not* release #hCaptcha support. Better ideas needed!

#MastoDev #MastoMeta #FediMeta #accessibility #a11y

@nemobis @michael This is great, thank you. I don't get it, though: they have implemented HCaptcha as an emergency feature, yet they state that they are aware of the accessibility implications. So basically they are saying that yes, we know that you won't be able to sign up or verify that you are a human, but still, have it because this is an emergency.

The correct way to handle this would be to say that yes, we are aware of the accessibility implications, so we do not implement this at all, but rather look for something else, because they exist. HCaptcha can be bypassed, see https://chrome.google.com/webstore/detail/hcaptcha-solver-auto-capt/imgmoeegfjhhmljmphfkjeibkiffcdgl, so this is really not about finding an effective solution.

@nemobis @erion @michael I would love to see an "open captcha" solution, that would be open source and privacy preserving. First step would be to collect requirements. For example, have solutions for people who cannot actually read the images (or hear sounds). Respect privacy by allowing servers to implement the test locally, without relying on third party. And of course be robust even if the code is public.
@huitema @nemobis @michael MCaptcha, which I mentioned in this thread is probably the closest you can get which meets your requirements.
@erion @nemobis @michael Thanks! Looking at mcaptcha now.
@erion @nemobis @michael mcaptcha uses proof-of-work, which has lots of advantages but has also known issues. Big-iron computers can solve the puzzle much more quickly than small devices like cellphones, without depleting their battery. But it is sure better than passing user tracking data to Google...
@huitema @nemobis @michael Oh absolutely, you are right, it's not perfect, but far more accommodating than, say, using text questions.
@erion @nemobis @michael I am a bit concerned that mCaptcha solves a generic DDoS defense problem by imposing a cost on the bots, which is different from "verify there is a living human behind the keyboard." Take the case in point, spammers creating bot accounts on "mastodon.social". Yes, they will have to spend a couple of seconds of CPU time per account created. Is that going to deter them from creating a few thousand accounts?

@huitema That would depend on how these accounts are being created and what their ROI is. Realistically, the only way to find out is to try.

Typical modern captchas are rarely used to verify that users are human, as they're often easier for bots than for humans to pass. Mastodon.social added hCaptcha to reduce spam (which may or may not have been automated), not to reduce automated usage.

@huitema @nemobis @michael I believe the difficulty can be increased to add more work, for example FriendlyCaptcha uses 10 seconds, which is enough time to fill out a form.

None of the captcha solutions will stop spammers if they are really determined; for example, a lot of spam is created by hiring humans to solve captcha challenges. I look at this similarly to software cracking: since everything can be cracked, there is no point spending time and effort to create the most foolproof defense, but rather something that makes it not worth it. Similarly to captchas, the cost-to-value ratio is what matters, I think.

So in this light, a few seconds that can be spent on creating hundreds or thousands of new accounts is quite important, especially if the difficulty goes up and more time is added for each new challenge.
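The proof-of-work trade-off discussed in the posts above (client cost scales with difficulty, server verification stays cheap), as an added example that is not mCaptcha's, FriendlyCaptcha's or Mastodon's code; the leading-zero-bit difficulty measure, the HMAC binding of challenge and difficulty, and SERVER_KEY are my assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example, not mCaptcha's or Mastodon's code: a hashcash-style PoW check.
# The server issues a random challenge with a difficulty (leading zero bits the
# SHA-256 digest must have), signs both so a client cannot lower the difficulty,
# and verifies with a single hash; client work doubles with every extra bit.

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real server keeps one persistent key

def _tag(challenge: bytes, difficulty: int) -> bytes:
    """HMAC over challenge and difficulty so neither can be tampered with."""
    return hmac.new(SERVER_KEY, challenge + bytes([difficulty]), "sha256").digest()

def issue_challenge(difficulty: int) -> Tuple[bytes, int, bytes]:
    """Server side: fresh random challenge plus its authenticated difficulty."""
    challenge = secrets.token_bytes(16)
    return challenge, difficulty, _tag(challenge, difficulty)

def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the PoW difficulty measure)."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def solve(challenge: bytes, difficulty: int, limit: int = 1 << 24) -> Optional[int]:
    """Client side: brute-force a nonce; about 2**difficulty hashes on average."""
    for nonce in range(limit):
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce
    return None

def verify(challenge: bytes, difficulty: int, tag: bytes, nonce: int) -> bool:
    """Server side: tag check plus one hash, regardless of difficulty."""
    if not hmac.compare_digest(tag, _tag(challenge, difficulty)):
        return False
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty

def expected_hashes(difficulty: int) -> int:
    """Average solver attempts: each extra bit doubles the per-account cost."""
    return 1 << difficulty
```

Raising the difficulty only multiplies the solver's hash count; a fast desktop still clears a challenge far sooner than a phone, which is the asymmetry huitema points out.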

@erion @michael Every time I see talk about captchas, I'm reminded of that time when I needed to take remote control of a blind friend's computer to solve a captcha for them so they could register their account for...

AUDIOBOOKS

@MxAlba @michael So many blind people do this still, ask for remote help that is. Sadly it's not something that works long-term though.
@erion @michael Agreed. It's nothing more than a dirty work-around. I think it's kinda like when I run into the Nth form that requires to declare whether I'm a "Mr." or a "Mrs." without any other options and I think, fuck it, no spoons for this battle now, and just go for "Mrs."
@MxAlba @michael Haha that's the spirit. Yes, this is really frustrating too.
@erion @michael @MxAlba MCAPTCHA is what servers like Calckey and Pleroma need to implement; Pleroma's even worse than Calckey; at least with Calckey, they use a solution that's workable, though a PIA. for Pleroma, the solution doesn't have any alternatives.
@cambridgeport90 @[email protected] @michael @MxAlba FriendlyCaptcha and mCaptcha are on the roadmap.
@kainoa @michael @cambridgeport90 @MxAlba This is so awesome to hear. Calckey looks more appealing every day 😀
@MxAlba @michael Needless to say, you are awesome for being a good sport ☺️
@[email protected] @michael Or just don't have captchas at all and encourage smaller and more tight-knit communities through a large number of invite-only instances. This desire to become a super instance is retarded and only harms the open and federated nature of the #Fediverse.
@erion @michael What you describe is the opposite of what I experienced.
(And your second paragraph incidentally is not related to your first paragraph at all.)
@grin @michael Experiences may vary. Please do share.

Relations are tricky aren't they? Someone sees a perfect relationship, while someone else can't imagine how the two things are related.
@erion @michael I agree with the impaired vision comment, but hCaptcha does not require email nor disabling protection for me. Maybe they simply love me, so I'm the someone who cannot imagine they do the things you described. 😉
@grin @michael That's because you can solve their image challenges. If you are blind or visually impaired, the only way to bypass it is to either register your email address, after which they give you an extra cookie to bypass the captcha when you check the checkbox, or companies need to ask HCaptcha to allow text versions, and even then there is no guarantee that it will pop up as an alternate challenge (see my problems with Discord).

If you go with number one, you need to disable cross-origin restrictions, essentially making your browser less secure. You are not only giving out your email address, you need to store an extra cookie over and over again, because it expires. You are also limited to solving a number of captchas daily. Needless to say, there are so many things that are just horribly wrong with either of these approaches.
@erion @michael You have been missing both points. It's fine.
@grin @michael You are right, I did not specifically point out that this is only true if you are blind or visually impaired. But it follows from the fact that I recommend not using HCaptcha if you care about the blind and visually impaired, because of point a and point b. Sorry about the confusion.
@erion @michael Thanks for the clarification. Then I agree on both points. IIRC reCAPTCHA (of Google) is blind-friendly?
@grin @michael Yes.

Their V2 works, if you speak English, since they provide audio captchas. V3 works as well, since you don't need to do anything to verify. But they have their fair share of problems, for example your IP being flagged for abuse even though you did not do anything abusive at all. But that's a different story.
@erion @grin @michael It's not only blind and visually impaired, though; what about deafblind people? Them too. Or all the captcha companies who actually forget about the existence of those folks. I see only audios audios audios. Okay, they help us, the blind, but what about those who're deafblind, or blind and hard of hearing? That's not going to help them. Very few captchas actually have text options.
@spacedragon @grin @michael Of course. Text captchas are likely the most accommodating, if you don't count people who might find answering text challenges difficult. This is why I prefer captchas that need no, or very little interaction at all. Mcaptcha is one of these, which is why I recommended it.
@erion @spacedragon @michael I tried to register the other day on a web forum and they required me to move attributes of a shark to the right and others to the left. I failed three times and was firewalled.
Turns out the English call the rear fin of the shark a "tail". 🤷
@grin @erion @michael Ugh. that's. Meh seriously.
@spacedragon @grin @michael Ah yeah, that's the new craze now, dragging things around. I haven't seen a captcha that provided an alternate solution, which is really sad.