At this point I am literally just begging you to stop putting hCaptcha in your apps. Please. I don't know what else to do. Please. Please don't do it. If it's on a website we at least have a chance. As bad a chance it might be. But if it's in your app anyone who can't do a captcha is completely locked out. So please. Do not do it.
I'm not even mad anymore it's just turned into straight up sadness and despair at this point. Genuinely.
And no it's not discord this time either. Why yes, more apps started doing it. Why? Who knows.
Finally gives me an excuse to completely trash all my proton mail accounts. If you are using them, please don't.
Or send them a strongly worded email or something. Because mine didn't work. I got told off and apparently it's necessary. Even in the app. Should have done this months ago.
Can we please collectively start calling it hateCaptcha?
@talon To be clear, I agree that HCaptcha is problematic. Having to set your third-party cookie policy to allow HCaptcha is a bit of a privacy concern (though I consider it the lesser evil to Google's nonsense), and more importantly, when you don't have the ability to use cookies, such as in the Signal app, you're just 100% screwed. We're lucky that Signal and Discord enabled the text captcha option. HCaptcha gave 0 fucks about solving that problem.
@simon @talon imho #hCaptcha - like #CloudFlare - should not exist in specific and their business model in general!
@talon yes.
I saw a blog the other month that popped one up before I could even read it. I closed it right away.

@talon I remember when #CloudFlare constantly cockblocked @torproject #TorBrowser users with their shitty #Captchas that no matter how many one solved successfully, they never stopped asking for yet another one.

Also every shitty Freemailer in Germany has better support and does less bullshit...

@talon Captcha are anti-user. I fail them often.
@talon Strongly worded reply.
@talon Goddamnit, proton are supposed to be really good too and this fucking ruins it!
@x0 Heh. Sorry. We can't have nice things.
@talon Unfortunate. I went with Proton for the e2E encrypted email, but they are total assholes who give 0 fucks about accessibility so I've been inclined to switch for a while. What are you using instead?
@objectinspace For main email I use Namecheap because that's where my domain is and it was simple to set up. But for other emails I dunno yet.
@talon Gotcha, I do not have my own domain unfortunately... thought about it a few times but it doesn't seem worth the effort. I was thinking about fastmail but I dunno if I trust them. Not that I do much with email as it is...
@objectinspace @talon we've been using Fastmail for awhile and they seem reasonable; just know that truly separate accounts can get kind of pricey so we recommend just using aliases that get automatically labeled instead
@talon @objectinspace their prices are high enough to pay for their service, so they should be more trustworthy than most
@Lunaphied @objectinspace I've been wondering about mailbox.org for a while now.
@talon @objectinspace Personally I like poBox Aka Fastmail
@talon @objectinspace I'm happy at migadu, they're not themselves doing much crypto because they consider e2e mail a myth (same actually), but you can roll it your own of course. I'm not sure how well they're accessibility wise though, but they adhere to best practices of mail configuration so I only use them with my preferred mail client.
@ljrk @talon Thanks for this.
That is okay TBH, I generally use thunderbird anyway. I probably should just admit that E2E email isn't really a thing since you need to set up a key exchange with people and all that nonsense... I just don't like the idea that some random company can read my emails if they wanted... but that is paranoia, though.
@objectinspace @ljrk @talon
Isn't that the sole purpose of pgp and gpg? Use any email provider you want, send email (always with the security of a postcard) while being assured only your intended recipient can decode your message.

@remcoboerma @objectinspace @talon Well, the "problem" with PGP is its "swiss army knife" nature. You can use it for virtually any purpose relating to cryptography, but we've learned in the last decades that humans suck at using generic tools. Especially in a field like crypto, where different usages really have a lot of different requirements which reflect the algorithms and their configurations used in the end. We found that while e.g., sha256 is quite a good cryptographic hash, it's suboptimal for password hashing, and argon2 while a great KDF, is not ideal for password hashing for verification.

Leaving that choice to the user (like PGP does) is fraught with peril, and even professionals do get that wrong.

So the general recommendation™ is to use a different, secure, channel. Besides, using GPG won't stop any three-letter-agency from taking over your mail account to reset your PWs on $site, access TOTPs or whatever. We need to get away from mail for registration/reset, it's really a big problem.

@ljrk @objectinspace @talon

You are so right about that. I'd rather be done with email yesterday than tomorrow. (misinterpreted e2e as b2b instead of end to end, my bad)

About the general tool: I like indieauth, but it's not a solution for the masses today. Otoh it could be a stepping stone to using signal or keybase for registration/reset instead of email. Keybase is doing a great job of making public key encryption really easy to use (right).

What are your thoughts on that?

@remcoboerma @objectinspace @talon I do think Keybase is/was a nice project, but I've become hesitant since the takeover. In the end, long-lived keys that are managed manually are always a danger. Especially for messaging and encryption things should be ephemeral (PFS etc.), which is what Signal's double ratchet protocol does nicely.

For authentication my hope is on passkeys: Transferable FIDO2 tokens (pub/sec keypairs) managed by a password manager. When you first register, the token is generated and stored in your keychain (together with the pub key of the service IIRC). On next login, you do a mutual handshake for authentication. That way your identity isn't tied to a domain (which is risky due to takeovers and also cross-linking of accounts/deanonymization), while still incredibly secure and easy to use (also, phishing and brute force resistant, and there's no password hash stored on the server, it's awesome really!).

For manual encryption I mostly use age, for file transfers wormhole, for messaging Signal, for signing minisign or signify.
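A simplified sketch of the passkey flow described above, added here as an example in Go and not part of the post or of any real passkey implementation: the relying party stores only a public key, every login signs a fresh random challenge together with the origin the browser reports, and a signature produced for a look-alike origin (or a replayed old signature) does not verify. Real WebAuthn signs authenticator data and client data in a different layout; the site ID `mail.example` and the look-alike origin are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is everything the relying party (the site) keeps after registration.
// Only a public key: there is no password hash to steal or brute-force.
type Credential struct {
	RPID string // constructed identifier of the site the credential was created for
	Pub  *ecdsa.PublicKey
}

// Authenticator stands in for the password manager / keychain holding the private half.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// Register generates a fresh P-256 keypair for rpID and hands back only the public key.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{RPID: rpID, Pub: &priv.PublicKey}, nil
}

// NewChallenge is the server's per-login nonce; a fresh one each time defeats replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the browser reports. A look-alike site
// only ever obtains a signature over its own origin, which the real site will not accept.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the authenticator's side of a login: sign the challenge for the current origin.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify is the server's side: check the signature against the stored key and its own ID.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(cred.Pub, signedData(cred.RPID, challenge), sig)
}

// login performs one challenge-response against cred with the authenticator acting for origin.
// It returns the verification result and the signature (kept so Demo can try to replay it).
func login(auth *Authenticator, cred Credential, origin string) (bool, []byte, error) {
	ch, err := NewChallenge()
	if err != nil {
		return false, nil, err
	}
	sig, err := auth.Assert(origin, ch)
	if err != nil {
		return false, nil, err
	}
	return Verify(cred, ch, sig), sig, nil
}

// Demo reports whether three logins verify: a genuine one, one where the user was lured to
// a look-alike origin (constructed name), and a replay of the genuine signature.
func Demo() (bool, bool, bool, error) {
	auth, cred, err := Register("mail.example")
	if err != nil {
		return false, false, false, err
	}
	genuine, sig, err := login(auth, cred, "mail.example")
	if err != nil {
		return false, false, false, err
	}
	phished, _, err := login(auth, cred, "mail-example.lookalike.test")
	if err != nil {
		return false, false, false, err
	}
	ch, err := NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	replay := Verify(cred, ch, sig) // old signature against a new challenge
	return genuine, phished, replay, nil
}

func main() {
	genuine, phished, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  look-alike origin: %v  replay: %v\n", genuine, phished, replay)
}
```

The point the post makes about brute force falls out of the data model: a dump of `Credential` records gives an attacker nothing to crack offline, because no secret of the user's ever reaches the server.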

@objectinspace @talon Yup, it's really tricky to get right and most just recommend using a more secure and easier to setup channel.

@objectinspace @talon their eMail ain't more #E2EE than any other provider's #SSL / #TLS...

Use #GnuPG / #OpenPGP for actual E2EE...

Remember: #NotYourKeys = #YouAreNotInControl!

@kkarhan @talon Hey thanks for the free advice! You gonna set it up for me?

@objectinspace @kkarhan @talon

Not Kevin but sure, but know that someone else's knowledge and time always comes with a price tag if they aren't doing it on their own terms and time.

@talon Proton Mail's app was a disaster for accessibility when I tried it awhile ago. I was lucky that my CC provider wouldn't let me charge for a premium account. They pretty much ignored me when I asked for accessibility on their web interface.
@talon agreed. because the accessibility cookie won't move over into the app. NASTY!

@talon I think #Captcha|s are ableist bs. as they fail to stop #bots and only act as wall against #disabled people...

Also which assholes put a #hCaptcha in their #Apps?

Pretty sure that might be actionable discrimination in some jurisdictions...
#NotLegalAdvice but #NameThemBlameThem usually helps!

@kkarhan I did further down the thread. In this case it's protonmail

@talon Yeah, #ProtonMail is a #Snitch at best if not yet another #Honeypot in the Style of #ANØM or rather #CryptoAG...

I mean they literally got caught #snitching on teens planning #truancy - which AFAIK is just a misdemeanour.
https://www.youtube.com/watch?v=QCx_G_R0UmQ

ProtonMail Sends User IP and Device Info to Swiss Authorities.

@talon seriously, they have glowie vibes and I'd stay away from any business like them that makes obviously false promises!
https://www.youtube.com/watch?v=IeXaYR4ed9c
Is Proton Mail Really Private, Secure, and Anonymous?


@kkarhan @talon

It should be noted that hCaptcha actually has a pretty good track record of successfully rejecting bots.

Unfortunately, in the battle against bots it can be incredibly hard to find the right balance between complexity and accessibility :(

@Purple @kkarhan Glad to know I'm a bot :)
@Purple @kkarhan On a more serious note, I've been fighting with them specifically for years. They initially approached me, and many others, about how to make their captcha more accessible. When we provide feedback we get shut down. So basically they contact us just to tell us that they won't help. They recently introduced a text captcha which most people disable, but even when it's enabled I've never gotten it to work once. I believe that if your entire business is in providing captcha it's on you to make sure you exclude as few actual users as possible. Even Google has a better system.
@Purple @kkarhan Their main way of dealing with it is by setting a third party cookie which most browsers disable for security reasons. The way they set this cookie is by asking for my email. Which means I'm providing personally identifiable data just to use an unrelated site. And even after setting this cookie, I still regularly get told that it's not enough and I still have to do their captcha anyway. Not to mention that I have to switch browsers for this to work, and I've never gotten it to work once on mobile. And even if you have to put captcha on your website, don't put it in your actual app. Seriously.

@talon @Purple +9001%

If they've got issues with #Clickfarming they should not weaponize it against users!

There are other, less obtrusive and more accessible options.

Like a math captcha like ((2+2)-1)=? or some basic logic (un)tick this box if you are a homo sapiens sapiens.

Not to mention most bots can be detected because they fill out said forms faster than any person with a password manager can, so it takes less than 1 second between query and reply...
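The timing signal from the post above, as an added example in Go that is not from the thread: when the form is rendered the server embeds an HMAC-signed timestamp in a hidden field, and on submission it rejects anything tampered with, anything filled in under `MinFill`, or anything stale. The key and both thresholds are constructed values; the check is one cheap signal alongside rate limiting, not a hard boundary, since a patient script can simply wait.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// formKey is a constructed demo secret; a real deployment loads it from a secret store.
var formKey = []byte("constructed-demo-key-do-not-reuse")

const (
	// MinFill: a reply faster than this was not typed by a person, even one using a
	// password manager. Constructed threshold; measure your own form before tuning it.
	MinFill = 2 * time.Second
	// MaxAge: a render token this old is stale (or was harvested earlier for later reuse).
	MaxAge = 30 * time.Minute
)

var (
	ErrBadToken = errors.New("form token missing or tampered with")
	ErrTooFast  = errors.New("form submitted faster than a person could fill it")
	ErrExpired  = errors.New("form token expired")
)

// IssueToken runs when the form is rendered. It emits the render time plus an HMAC over it,
// so the client cannot backdate the timestamp to fake a slow fill.
func IssueToken(renderedAt time.Time) string {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(renderedAt.UnixMilli()))
	mac := hmac.New(sha256.New, formKey)
	mac.Write(ts)
	return base64.RawURLEncoding.EncodeToString(append(ts, mac.Sum(nil)...))
}

// CheckSubmission runs on POST: authenticate the token first, then judge the elapsed time.
// A backdated or clock-skewed token yields a negative elapsed time, which also counts as too fast.
func CheckSubmission(token string, submittedAt time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != 8+sha256.Size {
		return ErrBadToken
	}
	ts, tag := raw[:8], raw[8:]
	mac := hmac.New(sha256.New, formKey)
	mac.Write(ts)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time comparison
		return ErrBadToken
	}
	renderedAt := time.UnixMilli(int64(binary.BigEndian.Uint64(ts)))
	elapsed := submittedAt.Sub(renderedAt)
	switch {
	case elapsed < MinFill:
		return ErrTooFast
	case elapsed > MaxAge:
		return ErrExpired
	}
	return nil
}

func main() {
	rendered := time.Now()
	tok := IssueToken(rendered)
	// Constructed submissions: a script replying in 300 ms, a person replying after 6 s.
	fmt.Println("script:", CheckSubmission(tok, rendered.Add(300*time.Millisecond)))
	fmt.Println("person:", CheckSubmission(tok, rendered.Add(6*time.Second)))
}
```

The token carries no user data and needs no server-side state, which is what makes it cheap; rejecting a failed check silently (a generic "please try again") gives a script less to learn from than a specific error.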

@talon @Purple And finally Captchas do not work as #ITsec because for that one needs to DROP a bunch of networks...

I mean these are just the Blocklists I deploy regularly...
https://github.com/greyhat-academy/lists.d/blob/main/blocklists.list.tsv

lists.d/blocklists.list.tsv at main · greyhat-academy/lists.d


@talon @Purple so no, don't trust snitches even if they wave a Swiss flag.

See Operations #MINERVA / #RUBIKON:
https://mstdn.social/@kkarhan/110523395468184213

@kkarhan @talon @Purple Maybe the root of the issue is that clicks for ads are a stupid model and it should be thrown into the dumpster bin of history where it belongs?
@Purple @kkarhan @talon keep in mind that there are captcha solving services where solving a single captcha costs less than a cent. It filters out some of the less sophisticated bots and quite a lot of legitimate users.

@charlotte @talon @kkarhan Putting a financial investment towards automating certain actions is still a very effective method of reducing spam though!

If it wasn't, no one would be using captcha services at all. There is a reason and often a necessity as to why websites implement it

@Purple @charlotte @kkarhan Everyone does it so it must be good. I do feel happy being excluded from lots of websites because I can't solve a captcha. Also keep in mind I'm mostly talking about hCaptcha in particular. There are better options.
@Purple @talon @kkarhan At the same time captchas by design make it more difficult for legitimate users to access a site, including to the point where a service which was previously usable becomes unusable for them. hCaptcha is especially bad in this regard, with noisy images and no audio fallback (but an “accessibility cookie” which is likely going to no longer be supported in the future, and also does not work in apps). And then you have devs vehemently defend their use directly in the comments of a user that directly expressed his issues with captchas 🤷
@charlotte @Purple @kkarhan Yup I was basically just told that me not being able to access a website or app is a necessity. That's not so great to hear.

@talon @charlotte @Purple

Which IMHO is just them being ableist discriminators and thus will be a reason I'll not only never support them but consider blocking their domain.

@charlotte @talon @kkarhan

The issue is that most administrators are at a bit of a loss.

Either wake up in the middle of the night to see your instance be fediblocked by half the network because you weren't looking 24/7 at the registrations and someone decided to use your instance for spam.

Or introduce a captcha, but reduce accessibility for those who need it (although this only has to be done once at registration).

Computers have become increasingly better at solving complex issues, and we're getting to the point where its complexity needs to be exceptionally high to provide reasonable protection.

This is also why audio captchas have been slowly disappearing, they are quite easily machine solvable nowadays and they've kinda reached the maximum complexity they can have before people can't solve them anymore either. (The computers have won)

The same is what you're seeing with image captchas right now, you've probably noticed they're almost getting surreal at times, this is the only method that still has a strong enough complexity.

Keep in mind administrators aren't implementing captchas out of spite, it's purely because there aren't that many other options left as a first line of defence against spam! If a better solution presents itself, I'm sure everyone will move as soon as they're able.

(If you have issues with the captcha on a small scale website, you may try mailing the admin! Many are more than happy to manually approve your action)

@Purple @charlotte @kkarhan that is a defeatist and ableist viewpoint. I have provided alternatives, which also include getting hCaptcha to actually fix their "accessibility". Plus, just a bit of googling not only provides me with alternatives for captchas, but also provides me with a bot which is specifically designed for solving hCaptchas which I might have to start using. This, to me, basically already renders captcha useless and as literally nothing but an actual barrier to legitimate users, and not everyone has the technical knowledge to use those bots either. And if we can use them, then everyone else, including spammers, can use them too. How would you feel if you had to email every site to be let in and possibly get no response? Or, even worse, get a response that is actively hostile? Should I just stop using the internet?

@talon @Purple @charlotte

To me it seems clear that the #TechBros that run said sites are #ableist assholes and literally want #disabled people to literally stop existing.

Their quest to erase isn't dissimilar from christofascists wanting to genocide trans people by accident but on purpose.

There's a reason why I use @torproject #TorBrowser and refuse to use any site or service I can't use without bricking its anonymity...

@kkarhan @talon @Purple @charlotte @torproject

> renders captcha useless and as literally
> nothing but an actual barrier to legitimate users

Like so many other cases where something is changed making life worse for everyone, with the stated goal of hindering some kind of "bad guys".

What happens is usually that things indeed get worse for ordinary people, while the "bad guys" will probably find ways around the obstacles.

High price, low gain.

@Purple @talon @kkarhan I have hosted services with open registration for years at this point, including before the time where i realized that captcha isn’t that great. I don’t think captcha has ever protected me from spambots? like someone would register the spam account and pass captcha and then they set up a spambot to spam. and that was just a simple unknown phpbb instance. More recently spambots targeting my services didn’t even click the email verification link. total harm caused? one private gitea repository that tried to access my ci system (but failed since i only have it enabled for myself) and like a dozen users in my akkoma database that i deleted. You can actually try it right now, my instance doesn’t have a captcha but it still doesn’t let you spam instantly 🤷.

With the fediverse in particular there’s a much easier way to spam too.

  • grab a .tk or .cf domain
  • run a few hundred line long activitypub server on there
  • just start flooding random instances
  • get defederated? repeat step 1

@charlotte @talon @Purple

I mean there's a reason why some Sites flat-out ban those "#freeDomains" if not all #NewGTLDs and #Freemailers...

Case in point: Most spammers that don't get automagically blocked use big sites and servers. Basically all #Spam I encountered was either from #GMail, #Outlook.com / Hosted #Exchange on #Azure and #YahooMail...

@Purple @charlotte @talon @kkarhan For fedi instances specifically, manual approval of users is a very good alternative to "unfiltered open access" and "captcha".

@Purple @kkarhan @talon Only those which can't afford to use captcha-solving services to deal with it for them.

So all the commercial spam & malware is fine.

More benign bots that can't afford such expenses might be blocked, depending on how spiteful & resourceful the author is.