PSA: It looks like mastodon.social has implemented hCAPTCHA on their signups yesterday.
So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.
This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).
You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:
github.com/mastodon/mastodon/p…
The reason I'm suggesting this is that if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.
But do note this comment on the PR:
“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”
#MastoAdmin #FediAdmin #fediblock
Add hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon (GitHub)
Add optional hCaptcha support. Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_KEY are set, the admin can enable hCaptcha: When enabled, users are shown a captcha when con...
Erion
in reply to Michael • • •Please, please do not do this under any circumstances, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).
#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.
There are much better alternatives, such as the no-hassle github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.
HCaptcha is NOT the future. #accessibility #a11y
GitHub - mCaptcha/mCaptcha: A no-nonsense CAPTCHA system with seamless UX | Backend component (GitHub)
The Tardis🤞
in reply to Erion • • •
Erion
in reply to The Tardis🤞 • • •As far as I know, companies who use it need to ask HCaptcha to enable the alternate text version. Even then, it may or may not pop up; for example, for me it didn't pop up either on Discord mobile or on desktop, so right now I am not even able to log in to Discord, even though I have an account I have used for years.
Specifically having to ask a company to provide an alternate solution when they are aware that there will be people who are unable to log in otherwise is just disgusting. You not only have to rely on a company (or possibly an individual) to do this, but also on HCaptcha. It is beyond ridiculous and it is certainly unacceptable. Hcaptcha is aware of this, and for years they have been telling us that there will be improvements, but they always choose the easy way out, which is, needless to say, not designed with the end user in mind. We are talking about just a Mastodon instance here, but imagine if this blocks you from accessing vital information that you wouldn't be able to otherwise. Health data, managing your passport or ID card on a government's site, hospitals, etc.
The Tardis🤞
in reply to Erion • • •
Erion
in reply to The Tardis🤞 • • •Nope, there's absolutely no guarantee that a text captcha for HCaptcha will pop up. I have checked on multiple devices, and many people I know have done the same. Only the regular image captcha is available. For some other people, the text captcha is available.
To my knowledge, mastodon.social does not have a captcha, at least it does not pop up here. When you create an account, the only checkbox that shows here is for indicating that you are agreeing to the privacy policy and terms of use.
Mastodon · Mastodon hosted on mastodon.social
The Tardis🤞
in reply to Erion • • •
Erion
in reply to The Tardis🤞 • • •
Kat Moss
in reply to Erion • • •
Erion
in reply to Kat Moss • • •
Regezi
in reply to Erion • • •I don't understand enough about all this - but does anyone have any further experience with "Honeypots"?
(mentioned here in the comments section)
cyon.ch/blog/reCAPTCHA-Alterna…
clickstorm.de/blog/alternative…
Captchas: It doesn't always have to be reCAPTCHA
Philippe Krebs (cyon)
Erion
in reply to Regezi • • •I do not speak German, but honeypots should work, as long as it is obvious to a screen reader user what does not need to be filled out or interacted with in general. For example, 'Check this if you are a spammer'. Simple solutions like entering commonly known information (like current year) are also effective.
Honeypots are great as long as the site hosting them is not targeted specifically.
Nemo_bis 🌈
in reply to Erion • • •Well said. I opened github.com/mastodon/mastodon/i… in the #Mastodon issue tracker. Looks like the plan is to *not* release #hCaptcha support. Better ideas needed!
#MastoDev #MastoMeta #FediMeta #accessibility #a11y
Replace hCaptcha with FLOSS and GDPR-compliant alternative · Issue #25023 · mastodon/mastodon (GitHub)
Erion
in reply to Nemo_bis 🌈 • • •This is great, thank you. I don't get it though, they have implemented HCaptcha as an emergency feature, yet they state that they are aware of the accessibility implications. So basically they are saying that yes, we know that you won't be able to sign up or verify that you are a human, but still, have it because this is an emergency.
The correct way to handle this would be to say that yes, we are aware of the accessibility implications, so we do not implement this at all, but rather look for something else, because they exist. HCaptcha can be bypassed, see chrome.google.com/webstore/det…, so this is really not about finding an effective solution.
hCAPTCHA Solver: auto captcha bypass
chrome.google.com
Christian Huitema
in reply to Nemo_bis 🌈 • • •
Erion
in reply to Christian Huitema • • •
Christian Huitema
in reply to Erion • • •
Christian Huitema
in reply to Christian Huitema • • •
Erion
in reply to Christian Huitema • • •
Christian Huitema
in reply to Erion • • •
Erion
in reply to Christian Huitema • • •I believe the difficulty can be increased to add more work, for example FriendlyCaptcha uses 10 seconds, which is enough time to fill out a form.
None of the captcha solutions will stop spammers if they are really determined, for example a lot of spam is created by hiring humans to solve captcha challenges. I look at this similarly to software cracking, since everything can be cracked there is no point spending time and effort to create the most foolproof defense, but rather something that makes it not worth it. Similarly to captchas, the cost to value ratio is what matters I think.
So in this light, a few seconds that can be spent on creating hundreds or thousands of new accounts is quite important, especially if the difficulty goes up and more time is added for each new challenge.
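As an added illustration of the cost argument in the post above (this is example code, not mCaptcha's, FriendlyCaptcha's or Mastodon's own), a hashcash-style proof-of-work challenge in Ruby whose difficulty rises with every further challenge issued to the same signup source, so that each additional account costs the sender more hashing than the one before; the difficulty constants and the in-memory per-source counter are assumptions.

```ruby
require 'digest'
require 'securerandom'

# Proof-of-work signup challenge with per-source difficulty ramp (added example).
module PowCaptcha
  BASE_DIFFICULTY = 12  # leading zero bits for a source's first challenge (assumed)
  STEP = 2              # extra bits for each further challenge from that source (assumed)
  MAX_DIFFICULTY = 24   # hard cap so a legitimate user is never locked out (assumed)

  # Constructed in-memory store: how many challenges each source (e.g. an IP) got.
  @issued = Hash.new(0)

  # Server side: hand out a random nonce; the required work grows with history.
  def self.issue(source)
    @issued[source] += 1
    difficulty = [BASE_DIFFICULTY + STEP * (@issued[source] - 1), MAX_DIFFICULTY].min
    { nonce: SecureRandom.hex(16), difficulty: difficulty }
  end

  # Expected number of SHA-256 evaluations a solver needs for a given difficulty.
  def self.expected_hashes(difficulty)
    2**difficulty
  end

  # Count the leading zero bits of a binary digest string.
  def self.leading_zero_bits(digest_bytes)
    bits = 0
    digest_bytes.each_byte do |b|
      return bits + (8 - b.bit_length) if b != 0
      bits += 8
    end
    bits
  end

  # Server side: verification is one hash, regardless of difficulty.
  def self.valid?(challenge, counter)
    d = Digest::SHA256.digest("#{challenge[:nonce]}:#{counter}")
    leading_zero_bits(d) >= challenge[:difficulty]
  end

  # Client side: brute-force search, expected cost 2**difficulty hashes.
  def self.solve(challenge)
    counter = 0
    counter += 1 until valid?(challenge, counter)
    counter
  end
end
```

Each extra STEP bits quadruples the expected work of the next challenge, which is the "more time is added for each new challenge" effect described above, while the server's check stays a single hash.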
Mx. Alba
in reply to Erion • • •Every time I see talk about captchas, I'm reminded of that time when I needed to take remote control of a blind friend's computer to solve a captcha for them so they could register their account for...
AUDIOBOOKS
Erion
in reply to Mx. Alba • • •
Mx. Alba
in reply to Erion • • •
Erion
in reply to Mx. Alba • • •
Kat Moss
in reply to Erion • • •
Kainoa
in reply to Kat Moss • • •
Erion
in reply to Kainoa • • •
Erion
in reply to Mx. Alba • • •
grin
in reply to Erion • • •(And your second paragraph incidentally is not related to your first paragraph at all.)
Erion
in reply to grin • • •Experiences may vary. Please do share.
Relations are tricky aren't they? Someone sees a perfect relationship, while someone else can't imagine how the two things are related.
grin
in reply to Erion • • •
Erion
in reply to grin • • •That's because you can solve their image challenges. If you are blind or visually impaired, the only way to bypass it is to either register your email address, after which they give you an extra cookie to bypass the captcha when you check the checkbox, or companies need to ask HCaptcha to allow text versions, and even then there is no guarantee that it will pop up as an alternate challenge (see my problems with Discord).
If you go with number one, you need to disable cross-origin restrictions, essentially making your browser less secure. You are not only giving out your email address, you need to store an extra cookie over and over again, because it expires. You are also limited to solving a number of captchas daily. Needless to say, there are so many things that are just horribly wrong with either of these approaches.
grin
in reply to Erion • • •
Erion
in reply to grin • • •
grin
in reply to Erion • • •
Erion
in reply to grin • • •Yes.
Their V2 works, if you speak English, since they provide audio captchas. V3 works as well, since you don't need to do anything to verify. But they have their fair share of problems, for example your IP being flagged for abuse even though you did not do anything abusive at all. But that's a different story.
The Tardis🤞
in reply to Erion • • •
Erion
in reply to The Tardis🤞 • • •
grin
in reply to Erion • • •Turns out English call the rear fin of the shark as "tail". 🤷
The Tardis🤞
in reply to grin • • •
Erion
in reply to The Tardis🤞 • • •
modulux
in reply to Michael • • •
Robin Kipp (old account)
in reply to modulux • • •
Robert Kingett backup
in reply to Robin Kipp (old account) • • •
modulux
in reply to Robert Kingett backup • • •Invite-only puts a pretty hard cap on growth. A couple of potential random ideas, and I realise they're not going to be perfect, but humans can create spam too.
Do not allow links on the first toot.
Do not allow DMs for n hours after registration or until a DM has been received from another account.
And, of course, the easiest of all: allow people to limit DMs to followers.
Michael
in reply to modulux • • •The 2nd wouldn't really help: Many of these spam bots had registered weeks and months ago and lay dormant for that time.
The 3rd is already possible, though poorly implemented: senders (including good-faith ones) receive no feedback if the recipient has blocked DMs; they just think the recipient is ignoring them.
@weirdwriter @robin_kipp @talon
modulux
in reply to Michael • • •
Mayana
in reply to Michael • • •Please note that if you do this, it will prevent many blind people from signing up on your instance. hCAPTCHA does not have an audio version; instead, if you cannot complete the visual version for whatever reason, you have to give them your email (!), so they can send you a link to a site for setting an accessibility cookie.
This cookie frequently does not work at all. It has a time limit before you can set it again, so if it fails to set, or if you close the browser and have automatic deletion of cookies enabled, as you should, you'll just have to wait. And of course, it only works within browsers, not applications; Discord is an excellent example of a non-passable captcha.
Enabling application signups is a much more accessible way of avoiding spam. If this is something the admin team cannot handle, it is time to go invite-only.
The Tardis🤞
in reply to Mayana • • •
Mayana
in reply to The Tardis🤞 • • •@talon @michael
Talon
in reply to Mayana • • •