PSA: It looks like mastodon.social has implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

github.com/mastodon/mastodon/p…

The reason I'm suggesting this is that if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”


#MastoAdmin #FediAdmin #fediblock

in reply to Michael

Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y


in reply to The Tardis🤞

As far as I know, companies who use it need to ask HCaptcha to enable the alternate text version. Even then, it may or may not pop up, for example to me it didn't pop up either on Discord mobile or on desktop, so right now I am not even able to log in to discord, even though I have an account I have used for years.

Specifically having to ask a company to provide an alternate solution when they are aware that there will be people who are unable to log in otherwise is just disgusting. You not only have to rely on a company (or possibly an individual) to do this, but also on HCaptcha. It is beyond ridiculous and it is certainly unacceptable. Hcaptcha is aware of this, and for years they have been telling us that there will be improvements, but they always choose the easy way out, which is, needless to say, not designed for the end user in mind. We are talking about just a Mastodon instance here, but imagine if this blocks you from accessing vital information that you wouldn't be able to otherwise. Health data, managing your passport or ID card on a government's site, hospitals, etc.

in reply to The Tardis🤞

Nope, there's absolutely no guarantee that a text captcha for HCaptcha will pop up. I have checked on multiple devices, and many people I know have done the same. Only the regular image captcha is available. For some other people, the text captcha is available.

To my knowledge, mastodon.social does not have a captcha, at least it does not pop up here. When you create an account, the only checkbox that shows here is for indicating that you are agreeing to the privacy policy and terms of use.

in reply to Erion

I don't understand enough about all this - but does anyone have any further experience with "Honeypots"?

(mentioned here in the comments section)
cyon.ch/blog/reCAPTCHA-Alterna…

clickstorm.de/blog/alternative…

in reply to Regezi

I do not speak German, but honeypots should work, as long as it is obvious to a screen reader user what does not need to be filled out or interacted with in general. For example, 'Check this if you are a spammer'. Simple solutions like entering commonly known information (like current year) are also effective.

Honeypots are great as long as the site hosting them is not targeted specifically.
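As an added illustration of the honeypot approach Erion describes (this is example code written for this page, not code from the thread, from Mastodon or from the linked blog posts): a server-side check that combines a plainly labelled decoy field, the "current year" knowledge question, and a signed render timestamp so submissions that arrive faster than a human could type are rejected. The field names, the secret, the 3-second threshold and the HTML markup are all made up for the example.

```ruby
# Added example, not code from the thread or from Mastodon: a server-side
# honeypot check for a signup form. Field names, the secret and the
# thresholds are constructed for illustration.
require 'openssl'

HONEYPOT_FIELD   = 'website_url'   # decoy: bots tend to fill anything that looks like a URL field
YEAR_FIELD       = 'current_year'  # text question anyone can answer without images or audio
TOKEN_FIELD      = 'form_token'    # signed timestamp of when the form was rendered
MIN_FILL_SECONDS = 3               # a human needs at least this long to fill the form
FORM_SECRET      = 'replace-with-a-per-deployment-secret' # placeholder value

# HMAC-signed render time, so a bot cannot forge an old timestamp.
def issue_form_token(now = Time.now)
  ts = now.to_i.to_s
  "#{ts}.#{OpenSSL::HMAC.hexdigest('SHA256', FORM_SECRET, ts)}"
end

# The decoy is labelled in plain words so a screen-reader user knows to
# leave it alone; it is moved off-screen instead of display:none, which
# some bots detect and skip.
def honeypot_html(now = Time.now)
  <<~HTML
    <div style="position:absolute;left:-10000px">
      <label for="#{HONEYPOT_FIELD}">Leave this field empty (anti-spam check)</label>
      <input type="text" id="#{HONEYPOT_FIELD}" name="#{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </div>
    <label for="#{YEAR_FIELD}">What is the current year? (four digits)</label>
    <input type="text" id="#{YEAR_FIELD}" name="#{YEAR_FIELD}" inputmode="numeric">
    <input type="hidden" name="#{TOKEN_FIELD}" value="#{issue_form_token(now)}">
  HTML
end

# Constant-time comparison so MAC checking does not leak via timing.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the Unix time the token was issued, or nil if missing or forged.
def token_issued_at(token)
  ts, mac = token.to_s.split('.', 2)
  return nil if ts.nil? || mac.nil? || ts !~ /\A\d+\z/
  expected = OpenSSL::HMAC.hexdigest('SHA256', FORM_SECRET, ts)
  constant_time_eq(mac, expected) ? ts.to_i : nil
end

# Validates a submitted form (Hash of field name => value). Returns :ok or
# a symbol naming the first failed check; `now` is injectable for tests.
def check_signup(params, now: Time.now)
  # A bot that fills every field will put something in the decoy.
  return :honeypot_filled unless params[HONEYPOT_FIELD].to_s.strip.empty?

  issued = token_issued_at(params[TOKEN_FIELD])
  return :bad_token if issued.nil?
  return :too_fast  if now.to_i - issued < MIN_FILL_SECONDS

  answer = params[YEAR_FIELD].to_s.strip
  return :year_missing if answer.empty?
  return :year_wrong   unless answer == now.year.to_s

  :ok
end
```

The three checks are independent, so an admin can keep only the ones that suit their signup form; the timing check in particular costs the user nothing and catches the bulk-submission scripts that post a form the instant they fetch it.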

in reply to Erion

Well said. I opened github.com/mastodon/mastodon/i… in the #Mastodon issue tracker. Looks like the plan is to *not* release #hCaptcha support. Better ideas needed!

#MastoDev #MastoMeta #FediMeta #accessibility #a11y

in reply to Nemo_bis 🌈

This is great, thank you. I don't get it though, they have implemented HCaptcha as an emergency feature, yet they state that they are aware of the accessibility implications. So basically they are saying that yes, we know that you won't be able to sign up or verify that you are a human, but still, have it because this is an emergency.

The correct way to handle this would be to say that yes, we are aware of the accessibility implications, so we do not implement this at all, but rather look for something else, because they exist. HCaptcha can be bypassed, see chrome.google.com/webstore/det…, so this is really not about finding an effective solution.

in reply to Nemo_bis 🌈

I would love to see an "open captcha" solution, that would be open source and privacy preserving. First step would be to collect requirements. For example, have solutions for people who cannot actually read the images (or hear sounds). Respect privacy by allowing servers to implement the test locally, without relying on third party. And of course be robust even if the code is public.
in reply to Erion

I am a bit concerned that mCaptcha solves a generic DDOS defense problem by imposing cost to the bots, which is different from "verify there is a living human behind the keyboard." Take the case in point, spammers creating bot accounts on "mastodon.social". Yes, they will have to spend a couple seconds of CPU time per account created. Is that going to deter them from creating a few thousand accounts?
in reply to Christian Huitema

I believe the difficulty can be increased to add more work, for example FriendlyCaptcha uses 10 seconds, which is enough time to fill out a form.

None of the captcha solutions will stop spammers if they are really determined, for example a lot of spam is created by hiring humans to solve captcha challenges. I look at this similarly to software cracking, since everything can be cracked there is no point spending time and effort to create the most foolproof defense, but rather something that makes it not worth it. Similarly to captchas, the cost to value ratio is what matters I think.

So in this light, a few seconds that can be spent on creating hundreds or thousands of new accounts is quite important, especially if the difficulty goes up and more time is added for each new challenge.
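To make the cost argument in the two posts above concrete, here is an added example of the proof-of-work idea behind tools like mCaptcha and FriendlyCaptcha. It is a deliberately minimal scheme written for this page, not either project's real protocol: the server issues a random challenge, the client must find a nonce such that SHA-256(challenge:nonce) starts with a given number of zero bits, and the server verifies with a single hash. The difficulty escalation per source and the attacker hash rate are assumptions of the example.

```ruby
# Added example, not mCaptcha's or FriendlyCaptcha's code: a minimal
# proof-of-work challenge. Difficulty is the number of leading zero bits
# required in SHA-256(challenge:nonce).
require 'digest'
require 'securerandom'

# Server side: a random challenge bound to one signup attempt.
def issue_challenge(bytes = 16)
  SecureRandom.hex(bytes)
end

# Count leading zero bits of a binary digest string.
def leading_zero_bits(digest_bytes)
  bits = 0
  digest_bytes.each_byte do |b|
    if b.zero?
      bits += 8
    else
      bits += b.to_s(2).rjust(8, '0').index('1')
      break
    end
  end
  bits
end

# Server side: verifying a proof costs one hash, regardless of difficulty.
def valid_proof?(challenge, nonce, difficulty)
  digest = Digest::SHA256.digest("#{challenge}:#{nonce}")
  leading_zero_bits(digest) >= difficulty
end

# Client side: brute-force a nonce. Expected work is about 2**difficulty hashes.
def solve_challenge(challenge, difficulty)
  nonce = 0
  nonce += 1 until valid_proof?(challenge, nonce, difficulty)
  nonce
end

# Escalate difficulty for repeated signups from the same source within a
# window (assumed policy): a first-time human pays the base cost, bulk
# registration gets progressively more expensive.
def difficulty_for(recent_signups_from_source, base: 12, step: 2, max: 24)
  [base + step * recent_signups_from_source, max].min
end

# Expected seconds an attacker spends to register `accounts` accounts at a
# fixed difficulty; `hashes_per_second` is an assumed throughput, not a
# measurement.
def expected_seconds(difficulty, accounts, hashes_per_second)
  (2.0**difficulty) * accounts / hashes_per_second
end
```

The asymmetry is the whole point: each extra bit of difficulty doubles the client's work while the server's verification cost stays at one hash, so escalating per source is cheap to enforce. It does not, as Christian Huitema notes, prove a human is present; it only raises the price of each account.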

in reply to grin

That's because you can solve their image challenges. If you are blind or visually impaired, the only way to bypass it is to either register your email address, after which they give you an extra cookie to bypass the captcha when you check the checkbox, or companies need to ask HCaptcha to allow text versions and even then there is no guarantee that it will pop up as an alternate challenge (see my problems with Discord).

If you go with number one, you need to disable cross-origin restrictions, essentially making your browser less secure. You are not only giving out your email address, you need to store an extra cookie over and over again, because it expires. You are also limited to solving a number of captchas daily. Needless to say, there are so many things that are just horribly wrong with either of these approaches.

in reply to Erion

It's not only blind and visually impaired, though, what about blind deaf people? Them too. Or all the captcha companies who actually forget about the existence of those folks. I see only audios audios audios. Okay, they help us, the blind, but about those who're blind deaf, or blind and hard of hearing? That's not going to help them. Very few captchas actually have text options.
in reply to Robin Kipp (old account)

Especially when this whole thing could be solved by making the instance invite only. There are enough users to generate invitation codes that will keep the sign-up flow moving if that’s what they want. It also allows for easier growing of networks because you can set the invitation link to automatically follow you. I saw this coming a mile away and this is why I constantly bang the drum of closed small instances and teach others how to use their invite codes. This will become far worse
in reply to Robert Kingett backup

Invite-only puts a pretty hard cap on growth. A couple potential random ideas, and I realise they're not going to be perfect, but humans can create spam too.

Do not allow links on the first toot.
Do not allow DMs for n hours after registration or until a DM has been received from another account.

And, of course, the easiest of all: allow people to limit DMs to followers.

in reply to modulux

The 2nd wouldn't really help: Many of these spam bots had registered weeks and months ago and lay dormant for that time.

The 3rd is already possible, though poorly implemented: senders, including good-faith ones, receive no feedback if the recipient has blocked DMs; they just think the recipient is ignoring them.

@weirdwriter @robin_kipp @talon
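As an added example (written for this page, not Mastodon's own code) of the three rules modulux proposes, with the two objections from the reply folded in: the no-DM waiting period is measured from the account's first post rather than from registration, since a bot that registered months ago and lay dormant would otherwise pass, and the followers-only rule returns a reason the sender can be shown instead of failing silently. The structs, the 24-hour period and the link pattern are assumptions of the example.

```ruby
# Added example, not Mastodon's code: the three anti-spam rules from the
# thread as a small policy check. Data shapes and thresholds are made up.
Account = Struct.new(:id, :registered_at, :first_status_at, :statuses_count,
                     :dm_from_followers_only, :followers, keyword_init: true)

DM_WAIT_HOURS = 24
URL_RE = %r{\b(?:https?://|www\.)\S+}i

# Rule 1: the account's first post may not carry a link.
def first_post_with_links?(account, text)
  account.statuses_count.zero? && text.match?(URL_RE)
end

# Rules 2 and 3. Returns [allowed, reason]; the reason is meant to be shown
# to the sender, which is what the reply says is missing today.
#
# Rule 2 starts the clock at the sender's first post, not at registration
# (an assumption of this example), so dormant-then-activated accounts still
# wait. It is waived once the sender has received a DM from someone else.
def dm_allowed?(sender, recipient, now:, dms_received_by_sender: 0)
  if recipient.dm_from_followers_only && !recipient.followers.include?(sender.id)
    return [false, :recipient_accepts_followers_only]
  end

  unless dms_received_by_sender.positive?
    active_since = sender.first_status_at
    return [false, :sender_has_not_posted] if active_since.nil?
    return [false, :sender_too_new] if now - active_since < DM_WAIT_HOURS * 3600
  end

  [true, :ok]
end
```

Note the difference between Rule 1, which looks at content, and Rules 2 and 3, which look at account state: a determined spammer can wait out the period or post a link-free first toot, so these rules raise the effort per account rather than block spam outright, which is in keeping with the cost argument made earlier in the thread.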

in reply to Michael

"You may wish to consider implementing hCAPTCHA yourself to protect your own instance,"
Please note that if you do this, it will prevent many blind people from signing up onto your instance. hCAPTCHA does not have an audio version; instead, if you cannot complete the visual version for whatever reason, you have to give them your email (!), so they can send you a link to a site for setting an accessibility cookie.
This cookie frequently does not work at all. It has a time limit before you can set it again, so if it fails to set, or if you close the browser and have automatic deletion of cookies enabled, as you should, you'll just have to wait. And of course, it only works within browsers, not applications; Discord is an excellent example of a non-passable captcha.
Enabling application signups is a much more accessible way of avoiding spam. If this is something the admin team cannot handle, it is time for going invite-only.