Skip to main content

PSA: It looks like mastodon.social has implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

github.com/mastodon/mastodon/p…

The reason I'm suggesting this, is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”


#MastoAdmin #FediAdmin #fediblock


Add hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon

Add optional hCaptcha support. Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_KEY are set, the admin can enable hCaptcha: When enabled, users are shown a captcha when con...
GitHub
#mastoadmin #FediBlock #fediadmin
This entry was edited (1 year ago)
in reply to Michael

Erion
Erion

Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y


GitHub - mCaptcha/mCaptcha: A no-nonsense CAPTCHA system with seamless UX | Backend component

A no-nonsense CAPTCHA system with seamless UX | Backend component - GitHub - mCaptcha/mCaptcha: A no-nonsense CAPTCHA system with seamless UX | Backend component
GitHub
#a11y #Accessibility #blind #captcha #hcaptcha

reshared this

in reply to Erion

The Tardis🤞
The Tardis🤞
They have made an improvement, at least discord wise. I know they use that one, and there's probably an upgrade that gives text questions. I had luck with it a few times, but no further sites that I found using it, so don't know where to test.
in reply to The Tardis🤞

Erion
Erion

As far as I know, companies who use it need to ask HCaptcha to enable the alternate text version. Even then, it may or may not pop up, for example to me it didn't pop up either on Discord mobile or on desktop, so right now I am not even able to log in to discord, even though I have an account I have used for years.

Specifically having to ask a company to provide an alternate solution when they are aware that there will be people who are unable to log in otherwise is just disgusting. You not only have to rely on a company (or possibly an individual) to do this, but also on HCaptcha. It is beyond ridiculous and it is certainly unacceptable. Hcaptcha is aware of this, and for years they have been telling us that there will be improvements, but they always choose the easy way out, which is, needless to say, not designed for the end user in mind. We are talking about just a Mastodon instance here, but imagine if this blocks you from accessing vital information that you wouldn't be able to otherwise. Health data, managing your passport or ID card on a government's site, hospitals, etc.

in reply to Erion

The Tardis🤞
The Tardis🤞
I can help you with that. But mastodon social's captcha is just a tick box. My new account proofs it. Funny enough. And I tried, twice.
in reply to The Tardis🤞

Erion
Erion

Nope, there's absolutely no guarantee that a text captcha for HCaptcha will pop up. I have checked on multiple devices, and many people I know have done the same. Only the regular image captcha is available. For some other people, the text captcha is available.

To my knowledge, mastodon.social does not have a captcha, at least it does not pop up here. When you create an account, the only checkbox that shows here is for indicating that you are agreeing to the privacy policy and terms of use.


Mastodon

The original server operated by the Mastodon gGmbH non-profit
Mastodon hosted on mastodon.social
in reply to Erion

The Tardis🤞
The Tardis🤞
It does after email verification is clicked on. I have tried the text on multiple devices, works for me.
in reply to The Tardis🤞

Erion
Erion
Not here. No matter what I do here, it just does not pop up. I've cleared cookies, tried private browsing, desktop app, iOS app, email verification (which I have done years and years ago too), used multiple operating systems, multiple browsers, multiple Discord versions, even a VM, it just does not pop up.
in reply to Erion

Kat Moss
Kat Moss
I find that logging into Discord, as long as you're logged in on your phone, you can log into other devices using the QR code. You have to play with it at bit, but once you get it, it stays.
in reply to Kat Moss

Erion
Erion
Ah Nice to know, thanks. Sadly I need to get to this stage first, on any device.
in reply to Erion

Regezi
Regezi

I don't understand enough about all this - but does anyone have any further experience with "Honeypots"?

(mentioned here in the comments section)
cyon.ch/blog/reCAPTCHA-Alterna…

clickstorm.de/blog/alternative…


Captchas: Es muss nicht immer reCAPTCHA sein

Wer sich vor Kontaktformular- und Kommentar-Spam schützen will, findet viele gute Alternativen zum Platzhirsch reCAPTCHA von Google.
Philippe Krebs (cyon)
in reply to Regezi

Erion
Erion

I do not speak German, but honeypots should work, as long as it is obvious to a screen reader user what does not need to be filled out or interacted with in general. For example, 'Check this if you are a spammer'. Simple solutions like entering commonly known information (like current year) are also effective.

Honeypots are great as long as the site hosting them is not targeted specifically.

in reply to Erion

Nemo_bis 🌈
Nemo_bis 🌈

Well said. I opened github.com/mastodon/mastodon/i… in the #Mastodon issue tracker. Looks like the plan is to *not* release #hCaptcha support. Better ideas needed!

#MastoDev #MastoMeta #FediMeta #accessibility #a11y


Replace hCaptcha with FLOSS and GDPR-compliant alternative · Issue #25023 · mastodon/mastodon

Pitch bec6a1c has introduced hCaptcha support. This means that Mastodon transfers personal data to the USA (the user is forced to send a request and therefore their IP address to a USA-controlled d...
GitHub
in reply to Nemo_bis 🌈

Erion
Erion

This is great, thank you. I don't get it though, they have implemented HCaptcha as an emergency feature, yet they state that they are aware of the accessibility implications. So basically they are saying that yes, we know that you won't be able to sign up or verify that you are a human, but still, have it because this is an emergency.

The correct way to handle this would be to say that yes, we are aware of the accessibility implications, so we do not implement this at all, but rather look for something else, because they exist. HCaptcha can be bipassed, see chrome.google.com/webstore/det…, so this is really not about finding an effective solution.


hCAPTCHA Solver: auto captcha bypass

An extension to automatically solve any type hCAPTCHA
chrome.google.com
in reply to Nemo_bis 🌈

Christian Huitema
Christian Huitema
I would love to see an "open captcha" solution, that would be open source and privacy preserving. First step would be to collect requirements. For example, have solutions for people who cannot actually read the images (or hear sounds). Respect privacy by allowing servers to implement the test locally, without relying on third party. And of course be robust even if the code is public.
in reply to Christian Huitema

Erion
Erion
MCaptcha, which I mentioned in this thread is probably the closest you can get which meets your requirements.
in reply to Christian Huitema

Christian Huitema
Christian Huitema
mcaptcha uses proof-of-work, which has lots of advantages but has also known issues. Big-iron computers can solve the puzzle much more quickly than small devices like cellphones, without depleting their battery. But it is sure better than passing user tracking data to Google...
in reply to Christian Huitema

Erion
Erion
Oh absolutely, you are right it's not perfect, but far more accomodating than, say, using text questions.
in reply to Erion

Christian Huitema
Christian Huitema
I am a bit concerned that mcatcha solves a generic DDOS defense problem by imposing cost to the bots, which is different from "verify there is a living human behind the keyboard." Take the case in point, spammers creating bot accounts on "mastodon.social". Yes, they will have to spend a couple seconds of CPU time per account created. Is that going to deter them from creating a few thousand accounts?
in reply to Christian Huitema

Erion
Erion

I believe the difficulty can be increased to add more work, for example FriendlyCaptcha uses 10 seconds, which is enough time to fill out a form.

None of the captcha solutions will stop spammers if they are really determined, for example a lot of spam is created by hiring humans to solve captcha challenges. I look at this similarly to software cracking, since everything can be cracked there is no point spending time and effort to create the most foolproof defense, but rather something that makes it not worth it. Similarly to captchas, the cost to value ratio is what matters I think.

So in this light, a few seconds that can be spent on creating hundreds or thousands of new accounts is quite important, especially if the difficulty goes up and more time is added for each new challenge.

in reply to Erion

Mx. Alba
Mx. Alba

Every time I see talk about captchas, I'm reminded of that time when I needed to take remote control of a blind friend's computer to solve a captcha for them so they could register their account for...

AUDIOBOOKS

in reply to Mx. Alba

Erion
Erion
So many blind people do this still, ask for remote help that is. Sadly it's not something that works long-term though.
in reply to Erion

Mx. Alba
Mx. Alba
Agreed. It's nothing more than a dirty work-around. I think it's kinda like when I run into the Nth form that requires to declare whether I'm a "Mr." or a "Mrs." without any other options and I think, fuck it, no spoons for this battle now, and just go for "Mrs."
in reply to Mx. Alba

Erion
Erion
Haha that's the spirit. Yes, this is really frustrating too.
in reply to Erion

Kat Moss
Kat Moss
MCAPTCHA is what servers like Calckey and Pleroma need to implement; Pleroma's even worse than Calckey; at least with Calckey, they use a solution that's workable, though a PIA. for Pleroma, the solution doesn't have any alternatives.
in reply to Kainoa

Erion
Erion
This is so awesome to hear. Calckey looks more appealing every day 😀
in reply to Mx. Alba

Erion
Erion
Needless to say, you are awesome for being a good sport ☺️
in reply to Erion

grin
grin
what you describe opposes to what I experienced.
(And your second paragraph incidentally is not related to your first paragraph at all.)
in reply to grin

Erion
Erion

Experiences may vary. Please do share.

Relations are tricky aren't they? Someone sees a perfect relationship, while someone else can't imagine how the two things are related.

in reply to Erion

grin
grin
I agree with the impaired vision comment but hcaptcha does not require email nor disabling protection for me. Maybe they simply love me so I'm the someoone cannot imagine they do the things you described. 😉
in reply to grin

Erion
Erion

That's because you can solve their image challenges. If you are blind or visually impaired, the only way to bipass it is to either register your email address, after which they give you an extra cookie to bipass the captcha when you check the checkbox, or companies need to ask HCaptcha to allow text versions and even then there is no guarantee that it will pop up as an alternate challenge (see my problems with Discord).

If you go with number one, you need to disable cross-origin restrictions, essentially making your browser less secure. You are not only giving out your email address, you need to store an extra cookie over and over again, because it expires. You are also limited to solving a number of captchas daily. Needless to say, there are so many things that are just horribly wrong with either of these approaches.

in reply to grin

Erion
Erion
You are right, I did not specifically point out that this is only true if you are blind or visually impaired. But it follows from the fact that I recommend not using HCaptcha if you care about the blind and visually impaired, because of point a and point b. Sorry about the confusion.
in reply to Erion

grin
grin
Thanks for the clarification. Then I agree on both points. IIRC reCapctha (of Google) is blind-friendly?
in reply to grin

Erion
Erion

Yes.

Their V2 works, if you speak English, since they provide audio captchas. V3 works as well, since you don't need to do anything to verify. But they have their fair share of problems, for example your IP being flagged for abuse even though you did not do anything abusive at all. But that's a different story.

in reply to Erion

The Tardis🤞
The Tardis🤞
It's not only blind and visually impaired, though, what about blind deaf people? Them too. Or all the captcha companies who actually forget about the existence of those folks. I see only audios audios audios. Okay, they help us, the blind, but about those who're blind deaf, or blind and hard of hearing? That's not going to help them. Very little captchas actually have text options.
in reply to The Tardis🤞

Erion
Erion
Of course. Text captchas are likely the most accommodating, if you don't count people who might find answering text challenges difficult. This is why I prefer captchas that need no, or very little interaction at all. Mcaptcha is one of these, which is why I recommended it.
in reply to Erion

grin
grin
I tried to register the other day on a web forum and they required me to move attributes of a shark to the right and others to the left. I have failed three times and were firewalled.
Turns out English call the rear fin of the shark as "tail". 🤷
in reply to The Tardis🤞

Erion
Erion
Ah yeah, that's the new craze now, dragging things around. I haven't seen a captcha that provided an alternate solution, which is really sad.
in reply to Michael

modulux
modulux
The accessibility of hCaptcha is very, very bad, requiring registration, a permanent cookie, and lowering browser security settings. This is an awful solution. Yes, I understand it's necessary to combat spam; but please don't do this at the expense of disabled users.

reshared this

in reply to modulux

Robin Kipp (old account)
Robin Kipp (old account)
@talon Absolutely shocked to see this, very poor decision by Mastodon maintainers to merge this in and recommend admins use this to combat spam. Totally understand that something needs to be done to prevent spam bots from registering, but doing so at the expense of severely reducing accessibility is deeply concerning.
@Talon
in reply to Robin Kipp (old account)

Robert Kingett backup
Robert Kingett backup
Especially when this whole thing could be solved by making the instance invite only. There are enough users to generate invitation codes that will keep the sign-up flow moving if that’s what they want. It also allows for easier growing of networks because you can set the invitation link to automatically follow you. I saw this coming a mile away and this is why I constantly bang the drum of closed small instances and teach others how to use their invite codes. This will become far worse
in reply to Robert Kingett backup

modulux
modulux

Invite-only puts a pretty hard cap on growth. A couple potential random ideas, and I realise they're not going to be perfect, but humans can create spam too.

Do not allow links on the first toot.
Do not allow DMs for n hours after registration or until a DM has been received from another account.

And, of course, the easiest of all: allow people to limit DMs to followers.

in reply to modulux

Michael
Michael

The 2nd wouldn't really help: Many of these spam bots had registered weeks and months ago and lay dormant for that time.

The 3rd is already possible, though poorly implemented: senders - including good faith ones - receive no feedback, if the recipient has blocked DMs - they just think the recipient is ignoring them.

@weirdwriter @robin_kipp @talon

@Talon @Robin Kipp (old account) @Robert Kingett backup
in reply to Michael

modulux
modulux
Right, I was referring to that issue, blocking DMs but not silently. Of course that might just move the spam to the timelines, but it'd be easier to detect there.
in reply to Michael

Mayana
Mayana
"You may wish to consider implementing hCAPTCHA yourself to protect your own instance,"
Please note that if you do this, it will prevent many blind people from signing up onto your instance. hCAPTCHA does not have an audio version; instead, if you cannot complete the visual version for whatever reason, you have to give them your email (!), so they can send you a link to a site for setting an accessibility cookie.
This cookie frequently does not work at all. It has a time limit before you can set it again, so if it fails to set, or if you close the browser and have automatic deletion of cookies enabled, as you should, you'll just have to wait. And of course, it only works within browsers, not applications; Discord is an excelent example of a non-passable captcha.
Enabling application signups is a much more accessible way of avoiding spam. If this is something the admin team cannot handle, it is time for going invite-only.
in reply to Mayana

The Tardis🤞
The Tardis🤞
@talon The captcha now has a simple text challenge option, at least on discord, and I was able to successfully complete it a couple times.
@Talon
in reply to The Tardis🤞

Mayana
Mayana
That's news to me! Haven't seen it anywhere else yet. A case of different versions perhaps, or Discord doing something special?
@talon @michael
@Talon @Michael
in reply to Mayana

Talon
Talon
I assume this is some setting that the person embedding the captcha can set or not.