Mastodawn

People of the #fediverse, especially those creating various services, there are alternatives to HCAPTCHA when you ask people to create accounts or login. Despite HCAPTCHA's propaganda, HCAPTCHA is not truly accessible to #blind people. It requires us to give up our privacy if we choose the cookie option. The text alternative doesn't work most times. I just tried to sign up for a /kbin server at https://redit.buzz and wasted 30 mins on HCAPTCHA.

Please be #inclusive!

Casey Reeves (it/its)Jun 14, 2023

@ppatel Ugh. Yeah, I always found that captcha in general sucks. Come on, seriously. Surely just making an invisible, unfocussable text field would be enough? If it's filled, it's a bot. If it's empty, then it's clearly an human being. Throw in a checkbox for good measures, afaik bots still can't manipulate those.

Pratik Patel Jun 14, 2023

@xogium For some people though, the more complex a solution, the better it is.

Casey Reeves (it/its)Jun 14, 2023

@ppatel People, I swear, sometimes...

bgt lover Jun 14, 2023

@xogium @ppatel people can use selenium and other browser automation platforms to simply launch an actual browser, then manipulate the DOM, so anything like that could be scripted in a per-site profile for a bot, done. What we need are text or choice based questions, which only, or *mostly*, humans know the answer of, then that should make most bots go away. Of course, if the inaccessible captcha trend continues, it's very possible I might use a form of gpt or something, coupled with selenium as a browser automation framework, to solve the image based ones. And so, we've come full circle, now bots fix what should be hard for them, but is now hard for us. Good job, scum captcha designers.

Casey Reeves (it/its)Jun 14, 2023

@bgtlover @ppatel @xogium Wouldn't text-based captcha be also very, very easy for AI and bots to solve though?

bgt lover Jun 14, 2023

@xogium @ppatel for AI, yes, probably. For bots, usual bots, even with selenium, no. I think text captchas are the best middleground between almost nothing at all, and opaque image captchas one has to see to complete, full stop.

Pratik Patel Jun 14, 2023

@bgtlover @xogium Except that text CAPTCHAs aren't accessible for learning disabled people.

Casey Reeves (it/its)Jun 14, 2023

@ppatel @xogium @bgtlover Huh, that's a very, very good point right there.

bgt lover Jun 14, 2023

@ppatel @xogium I mean, it's nothing complicated, it's mostly something absolutely everyone should know, it's just randomised a lot and the entire question set is rotated from time to time. So like, I dk what else could be done, since the problem of spam is very real. If we require phone numbers, proof of owning a credit card and more, that's a privacy problem worse than google has. So like, there's no real solution for this problem, is there?

Casey Reeves (it/its)Jun 14, 2023

@bgtlover @ppatel @xogium I see. Yeah, you're probably right. At least until AI powered bots can crack these with ease... And become the norm.

bgt lover Jun 14, 2023

@xogium @ppatel when that happens, we have way bigger problems than o no, someone is registering too many accounts on my pizza site or whatever, more like O no, the military AI just bombed new york, again? and stuff like that. Also, even if this is slightly possible now, it's far two expensive to be ran at scale, unless you're open AI or someone equally big, in which case, we again have a big problem, why are these companies creating spambots in the first place?

Pratik Patel Jun 14, 2023

@bgtlover @xogium @Verso You might want to consider issues presented here when thinking about options.

https://www.w3.org/TR/turingtest/

Inaccessibility of CAPTCHA

Various approaches have been employed over many years to distinguish human users of web sites from robots. The traditional CAPTCHA approach asking users to identify obscured text in an image remains common, but other approaches have emerged. All interactive approaches require users to perform a task believed to be relatively easy for humans but difficult for robots. Unfortunately the very nature of the interactive task inherently excludes many people with disabilities, resulting in a denial of service to these users. Research findings also indicate that many popular CAPTCHA techniques are no longer particularly effective or secure, further complicating the challenge of providing services secured from robotic intrusion yet accessible to people with disabilities. This document examines a number of approaches that allow systems to test for human users and the extent to which these approaches adequately accommodate people with disabilities, including recent non-interactive and tokenized approaches. We have grouped these approaches by two category classifications: Stand-Alone Approaches that can be deployed on a web host without engaging the services of unrelated third parties and Multi-Party Approaches that engage the services of an unrelated third party.

Casey Reeves (it/its)Jun 14, 2023

@ppatel @xogium @bgtlover I never thought I'd say that but I found the equivalent of an impossible captcha to solve for us. MS decided to ask us to figure out how many people were talking at once. In random conversation. Fail just one of them and you fail the test.

bgt lover Jun 14, 2023

@xogium @ppatel wo, where was that? damn, that's complicate indeed. If they accept error margins and approximate numbers, it's not that hard. Otherwise, yeah, ai will solve that one faster than we would probably.

Casey Reeves (it/its)Jun 14, 2023

@bgtlover @ppatel @xogium If I remember right, this was done when creating an xbox account. They do accept errors but the margin is small compared to the ratio of people talking. You could have 3, then the next sample has over a hundred.

Pratik Patel Jun 14, 2023

@xogium @bgtlover @xogium The recent audio thing from HCAPTCHA is to identify distinguish animal sounds from the other sounds presented. You'd have to listen to three different options. They're using this to train AI models. And the whole thing is timed.

Pratik Patel Jun 14, 2023

@xogium @xogium @bgtlover Wow. Who ever thought that was a good idea?

Casey Reeves (it/its)Jun 14, 2023

@ppatel @bgtlover @xogium Haha, absolutely no idea who that was, but I'd sure love to see them trying their stupid thing! I bet the expression on their face would be priceless.

@xogium yeah, because a bot couldn't just do `document.getElementById("checkbox").checked = true;`

utsuho Jun 14, 2023

@ppatel hCaptcha has made estimations for audio challenges, they expected to have them done by Q3 2022 but around then they started working AI generated images and dropped all other plans, it's quite a shame because i have also wasted a lot of time trying to sign up to things

Pratik Patel Jun 14, 2023

@utsuho Not everyone can use audio. I'd rather people not use any CAPTCHAs at all since there are perfectly good alternatives.

ArneBab Jun 14, 2023

@utsuho that’s strange, because FMS in Freenet actually has audio-challenges, all in FOSS and without tracking: https://freenetproject.org/pages/download.html (but decentralized, so you need to run it yourself, and it has too few users, so you cannot do with it what you want with <arbitrary thirdparty site>).

So if they wanted audio-captchas, they could just skim the FMS sourcecode.

(and I’m sure there are many others, but that’s the one I use now and then and which I found works)
@ppatel

Freenet Project

Freenet is a peer-to-peer platform for censorship-resistant communication and publishing.

Pratik Patel Jun 14, 2023

@ArneBab @utsuho The trouble with audio alternatives is that deaf-blind users can't access those. Text alternatives are troublesome for learning disabled users. In general, CAPTCHAs are bad.

Here is a page that discusses CAPTCHA and its alternatives. It's a great resource for people thinking about this issue.

https://www.w3.org/TR/turingtest/

Inaccessibility of CAPTCHA

Various approaches have been employed over many years to distinguish human users of web sites from robots. The traditional CAPTCHA approach asking users to identify obscured text in an image remains common, but other approaches have emerged. All interactive approaches require users to perform a task believed to be relatively easy for humans but difficult for robots. Unfortunately the very nature of the interactive task inherently excludes many people with disabilities, resulting in a denial of service to these users. Research findings also indicate that many popular CAPTCHA techniques are no longer particularly effective or secure, further complicating the challenge of providing services secured from robotic intrusion yet accessible to people with disabilities. This document examines a number of approaches that allow systems to test for human users and the extent to which these approaches adequately accommodate people with disabilities, including recent non-interactive and tokenized approaches. We have grouped these approaches by two category classifications: Stand-Alone Approaches that can be deployed on a web host without engaging the services of unrelated third parties and Multi-Party Approaches that engage the services of an unrelated third party.

simon.old Jun 14, 2023

@ppatel FWIW, a fresh install of Chrome will typically bypass HCaptcha if you set the cookie in it. It certainly has issues, especially in imbedded app browser views where you just can't set a mookie, but that's usually done it for me. Given the increased usage I'd like to try and reach out to them, but so far that hasn't happened. I think an audio option would be pretty easy and would at least make them equal with ReCaptcha so I'm going to push for that as a temporary solution if nothing else, even though it is not truly accessible.

Pratik Patel Jun 14, 2023

@simon I have no desire to use the HCAPTCHA cookie to let them track me as as blind user or break my Firefox security model.

simon.old Jun 14, 2023

@ppatel You really think Google doesn't keep track of who clicks the "get an audio challenge" button and whether that person is logged into a Google account or not?

Pratik Patel Jun 14, 2023

@simon I never said I was in favor of Google's Recaptcha solution either.

simon.old Jun 14, 2023

@ppatel That's true. i'm used to people arguing against switching from Google to HCaptcha. My bad.

Rye Jun 14, 2023

@ppatel what are those more accessible alternatives you mentioned?

Pratik Patel Jun 14, 2023

@rye Here is a page that discusses CAPTCHA and its alternatives. It's a great resource for people thinking about this issue.

https://www.w3.org/TR/turingtest/

Inaccessibility of CAPTCHA

Various approaches have been employed over many years to distinguish human users of web sites from robots. The traditional CAPTCHA approach asking users to identify obscured text in an image remains common, but other approaches have emerged. All interactive approaches require users to perform a task believed to be relatively easy for humans but difficult for robots. Unfortunately the very nature of the interactive task inherently excludes many people with disabilities, resulting in a denial of service to these users. Research findings also indicate that many popular CAPTCHA techniques are no longer particularly effective or secure, further complicating the challenge of providing services secured from robotic intrusion yet accessible to people with disabilities. This document examines a number of approaches that allow systems to test for human users and the extent to which these approaches adequately accommodate people with disabilities, including recent non-interactive and tokenized approaches. We have grouped these approaches by two category classifications: Stand-Alone Approaches that can be deployed on a web host without engaging the services of unrelated third parties and Multi-Party Approaches that engage the services of an unrelated third party.

Rye Jun 14, 2023

@ppatel thanks for the good read. Looks like interactive tests in general are all pretty trash for some or all groups. Interested in the proof-of-work and heuristic options

Kelly Guimont Jun 14, 2023

@ppatel @MarkOnArt thank you for sharing this! Sometimes in my day job (I'm in IT) I have to make recommendations for software/tech and now I know NOT to have this one on the list. Do you have a favorite alternative? (If not that's ok I just thought I'd ask in case one is really good)

Pratik Patel Jun 14, 2023

@Verso Here is a page that discusses CAPTCHA and its alternatives. It's a great resource for people thinking about this issue.

https://www.w3.org/TR/turingtest/

Inaccessibility of CAPTCHA

Various approaches have been employed over many years to distinguish human users of web sites from robots. The traditional CAPTCHA approach asking users to identify obscured text in an image remains common, but other approaches have emerged. All interactive approaches require users to perform a task believed to be relatively easy for humans but difficult for robots. Unfortunately the very nature of the interactive task inherently excludes many people with disabilities, resulting in a denial of service to these users. Research findings also indicate that many popular CAPTCHA techniques are no longer particularly effective or secure, further complicating the challenge of providing services secured from robotic intrusion yet accessible to people with disabilities. This document examines a number of approaches that allow systems to test for human users and the extent to which these approaches adequately accommodate people with disabilities, including recent non-interactive and tokenized approaches. We have grouped these approaches by two category classifications: Stand-Alone Approaches that can be deployed on a web host without engaging the services of unrelated third parties and Multi-Party Approaches that engage the services of an unrelated third party.

Kelly Guimont Jun 14, 2023

@ppatel thank you very much!

everything enthusiast Jun 14, 2023

@ppatel What are the alternatives?

Pratik Patel Jun 14, 2023

@chainedtomax Here is a page that discusses CAPTCHA and its alternatives. It's a great resource for people thinking about this issue.

https://www.w3.org/TR/turingtest/

Inaccessibility of CAPTCHA

Various approaches have been employed over many years to distinguish human users of web sites from robots. The traditional CAPTCHA approach asking users to identify obscured text in an image remains common, but other approaches have emerged. All interactive approaches require users to perform a task believed to be relatively easy for humans but difficult for robots. Unfortunately the very nature of the interactive task inherently excludes many people with disabilities, resulting in a denial of service to these users. Research findings also indicate that many popular CAPTCHA techniques are no longer particularly effective or secure, further complicating the challenge of providing services secured from robotic intrusion yet accessible to people with disabilities. This document examines a number of approaches that allow systems to test for human users and the extent to which these approaches adequately accommodate people with disabilities, including recent non-interactive and tokenized approaches. We have grouped these approaches by two category classifications: Stand-Alone Approaches that can be deployed on a web host without engaging the services of unrelated third parties and Multi-Party Approaches that engage the services of an unrelated third party.

everything enthusiast Jun 14, 2023

@ppatel Thank you, I will check it out

Major Denis Bloodnok Jun 15, 2023

@chainedtomax @ppatel A lot of the time a simple question about domain-specific knowledge will do (eg Mended Drum could ask a question about Terry Pratchett). It's no good if you're huge enough for the bad guys to take human effort to work out the answer, but often enough, you're not.

Marcus Bointon Jun 14, 2023

@ppatel HCAPTCHA is very keen to tout their privacy credentials, but then they serve everything from the US, which isn't currently legal. A properly private system would have client-side components, but only talking to the host, which could then perhaps talk to an API from the server side, avoiding exposing clients to unknown third parties. Unfortunately you can't even self-host their loader scripts.

Pratik Patel Jun 14, 2023

@Synchro It's deliberate. They're using ML for all the data they gather from solving CAPTCHAs.

Marcus Bointon Jun 14, 2023

@ppatel That's fine – and there's nothing about doing that requires sacrificing privacy; it's quite independent.

Joe Jun 14, 2023

@ppatel Are there any decent captcha-like solutions that are easily acceptable for blind and limited vision folks? They could be offered as an alternative, perhaps.

Pratik Patel Jun 14, 2023

@not2b Here is a page that discusses CAPTCHA and its alternatives. It's a great resource for people thinking about this issue.

https://www.w3.org/TR/turingtest/

Inaccessibility of CAPTCHA

Various approaches have been employed over many years to distinguish human users of web sites from robots. The traditional CAPTCHA approach asking users to identify obscured text in an image remains common, but other approaches have emerged. All interactive approaches require users to perform a task believed to be relatively easy for humans but difficult for robots. Unfortunately the very nature of the interactive task inherently excludes many people with disabilities, resulting in a denial of service to these users. Research findings also indicate that many popular CAPTCHA techniques are no longer particularly effective or secure, further complicating the challenge of providing services secured from robotic intrusion yet accessible to people with disabilities. This document examines a number of approaches that allow systems to test for human users and the extent to which these approaches adequately accommodate people with disabilities, including recent non-interactive and tokenized approaches. We have grouped these approaches by two category classifications: Stand-Alone Approaches that can be deployed on a web host without engaging the services of unrelated third parties and Multi-Party Approaches that engage the services of an unrelated third party.

Trenton Matthews Jun 15, 2023

@ppatel You can sign up with #KBin using either #Google or #Facebook, but ya have to scroll past said captcha box to find said options.

With that being said, I also signed up on Lemmy via the #FediaIO instance. To be perfectly fair though, that interface they both use is quite confusing if on #Mac with #VoiceOver at least…

I haven’t tried said platform with Windows yet.

Dale Reardon Jun 15, 2023

@ppatel Now using Cloudflare Turnstile on my sites & no problems on other sites using that either - Also perfectly blocking bots for me

@ppatel #Captchas in general should be outlawed as #antiAccessibility features!

AFAIK, @stux combats #botting via verification eMail and rate-limiting registrations...

Pratik Patel Jun 15, 2023

@kkarhan @stux Absolutely. I don't disagree with you.

Frost, wolf of winter 🐺🎄

@ppatel Also even in the visual department, they're using really creepy AI-generated images now. Yikes.