
Find a non-google alternative to reCAPTCHA #295

Open
richvdh opened this issue Jun 7, 2018 · 50 comments
Labels
A-Client-Server Issues affecting the CS API feature Suggestion for a significant extension which needs considerable consideration

Comments

@richvdh
Member

richvdh commented Jun 7, 2018

recaptcha is non-free and people would like to have non-google implementations.

@richvdh richvdh added the feature Suggestion for a significant extension which needs considerable consideration label Jun 7, 2018
@uhoreg
Member

uhoreg commented Jun 7, 2018

see also element-hq/element-web#3606, which has some discussion of alternatives

@damnms

damnms commented Dec 31, 2018

There is no "alternative" in this discussion. It is just saying: it depends on Matrix. Riot accepts different captcha providers because it will just be displayed as an iframe. This has nothing to do with the UI, as far as I understood.
It is up to Matrix to use another captcha service.

@turt2live turt2live added the A-Client-Server Issues affecting the CS API label Feb 6, 2019
@mt-dave

mt-dave commented May 7, 2019

I would think an alternative to reCAPTCHA will be a kind of service, something that can solve the traditional reCAPTCHA issues like GDPR and accessibility and still provide a solution like NoCaptcha.

I came across some solutions and here is a quick summary.

Captcha providers can broadly be categorized into 2 categories:

Captcha Service Providers: This option works well for mission-critical enterprises looking for protection against constantly evolving spam and bot threats. Some of the industry players in captcha services are:

RECAPTCHA: Free and one of the most widely used captcha services across the globe. They have recently launched reCAPTCHA v3, which generates a risk score based on user behavior on the site, Google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other Google products like Google Ads.

MTCaptcha: Captcha service that is more focused on enterprise needs. Provides a NoCaptcha alternative to reCAPTCHA, captcha account management, GDPR compliance, availability across the globe (China included). Limited in low-friction captcha capabilities.

Solve Media captcha: Ad-driven captcha that uses advertisements to generate captchas and solve them. GDPR compliant, beautiful and customizable captchas. It may not be a good idea to show advertisements on an enterprise site.

Captcha Library Providers: There are a lot of players in the captcha library space, and if you are willing to manage and set up the code, some of the options are:

BotDetect CAPTCHA: Most widely used captcha library, available in multiple languages. They license the library, which then needs to be implemented and managed.

KeyCAPTCHA - Innovative Anti-Spam Solution: Plugin-driven captcha covering a wide range of CMS systems. Mostly for CMS-driven sites; needs self-hosting and management. Permutations are limited for captcha generation.

@richvdh
Member Author

richvdh commented Apr 10, 2020

I don't really know why it's being discussed there, since it's not specific to riot at all, but element-hq/element-web#3606 seems to be the authoritative issue on this.

@damnms

damnms commented Apr 10, 2020

IMO it's a combination of both.
matrix-synapse by default supports Google reCAPTCHA, but nothing else, even though it provides interfaces to implement any other captcha provider.
Unfortunately, not every admin is a programmer, so not every admin can implement their own captcha provider. Therefore it would make sense to drop the support for Google reCAPTCHA in Matrix and provide another default(!) captcha.

Or: provide simple documentation on how to use matrix-synapse with any client AND another captcha provider.

@jryans
Contributor

jryans commented Aug 15, 2020

Since this is a spec issue, I have closed element-hq/element-web#3606 and redirected further discussion here.

@xaur

xaur commented Aug 18, 2020

Good idea to move the discussion here since the root of the problem is the endorsement of recaptcha at the spec level.

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

@turt2live
Member

> Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.

@Morpheus0x

Morpheus0x commented Aug 20, 2020

> Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

> Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.

Ok then I would strongly propose hCaptcha as an alternative to be added or completely replacing reCaptcha. Cloudflare changed their captcha provider to hCaptcha recently, see here. I very much appreciate what Cloudflare does in general but especially regarding their privacy policy. An endorsement by Cloudflare in my eyes is good enough for hCaptcha to be at least supported as an alternative to reCaptcha by Matrix.

@turt2live
Member

The element-web issue has gone into quite a bit of discussion about the various captcha mechanisms. Realistically at this point someone needs to write a proposal for further discussion.

@Morpheus0x

Morpheus0x commented Aug 20, 2020

@turt2live ah ok thank you, well then I am going to write that proposal

Edit: done, I created a WIP proposal which is currently a Draft PR. See matrix-org/matrix-spec-proposals#2745

@CarlSinclair

I'm surprised all the best ones in terms of UX haven't been mentioned. Granted, many are outdated, but I'm also surprised that nothing like them has been implemented/maintained over the last few years.

Here are a few I've found (none tested yet), ordered by how user-friendly their UX is.

  1. @sweetcaptcha. Demo
  2. AreYouAHuman. Demo. Docs
  3. Slider Captcha. Demo
  4. Image Rotation. Demo
  5. Icon Click

Honorable mentions:

  1. FunCaptcha. Demo
  2. 3D Captcha. Demo
  3. CaptCheck. Demo [Icon Click alternative]
  4. VisualCaptcha
  5. Minimal Math. Demo

I'll be testing the first 4, probably.

@uhoreg
Member

uhoreg commented Aug 21, 2020

SweetCaptcha seems to be abandoned (it says you need to sign up on a website that no longer seems to be associated with any sort of captcha). AreYouAHuman refers to a website that seems to be down. I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective, and they would be impossible for blind users to complete.

Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.

@CarlSinclair

Yes, like I said, the best ones are abandoned. But they're all open-source so they can be re-animated at any time.

If you're not interested in doing that, I think those other 3 are effective enough.

I would say the vast majority of Matrix users/operators will never implement their own captcha system, which is why everyone is upset that the default/built-in one is Google. Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.

@uhoreg
Member

uhoreg commented Aug 23, 2020

> Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.

From a spec perspective (i.e. the repo that this issue belongs to), we should allow any captcha. Choosing a default one would be up to the homeservers (not the client), and once the spec allows any captcha, then you can argue about about which one to use in the repos for the homeservers.

@dev-love

I think that FriendlyCaptcha might be the right solution. It's a proof-of-work based CAPTCHA alternative that respects the user's privacy.

Their website address is https://friendlycaptcha.com and the front-end part is open source and available at https://github.com/friendlycaptcha/friendly-challenge. The European Union is using it on their official website (see https://www.eea.europa.eu/contact-us --> Ask your question)

What do you think about it?
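
The proof-of-work scheme dev-love brings up above, as an added example that is not part of the original thread and not FriendlyCaptcha's or mCaptcha's own code: the homeserver hands out an HMAC-authenticated challenge (nonce, difficulty, expiry), the client burns roughly 2**bits SHA-256 evaluations to find a counter whose hash has enough leading zero bits, and the server checks the answer with one HMAC and one hash while rejecting weakened, stale or replayed challenges. Function names, the challenge format and the difficulty values are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Hypothetical proof-of-work captcha (added example). The server signs the
# challenge so it keeps no per-challenge state until a solution arrives; the
# client does the expensive search; verification costs one hash regardless of
# difficulty, which is the asymmetry a PoW captcha relies on.


def _mac(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of the challenge body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _prefix(body: dict) -> bytes:
    """Bytes the client hashes together with its counter; binds nonce, bits and expiry."""
    return f"{body['nonce']}:{body['bits']}:{body['exp']}:".encode()


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(server_key: bytes, bits: int = 18, ttl: int = 300,
                    now: Optional[float] = None) -> dict:
    """Server side: fresh random nonce, required difficulty, expiry, all authenticated."""
    now = time.time() if now is None else now
    body = {
        "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode(),
        "bits": bits,
        "exp": int(now + ttl),
    }
    return {"challenge": body, "mac": _mac(server_key, body)}


def solve(challenge: dict, max_iters: int = 1 << 40) -> int:
    """Client side: search for a counter such that SHA-256(prefix || counter)
    starts with at least `bits` zero bits. Expected cost ~2**bits hashes, which
    is where the 'slow on a phone' complaint in this thread comes from."""
    body = challenge["challenge"]
    prefix = _prefix(body)
    for counter in range(max_iters):
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if _leading_zero_bits(digest) >= body["bits"]:
            return counter
    raise RuntimeError("no solution found within max_iters")


def verify(server_key: bytes, challenge: dict, counter: int, spent: set,
           now: Optional[float] = None) -> bool:
    """Server side: one HMAC plus one hash. Rejects forged or weakened challenges
    (MAC covers `bits`), expired ones, replays (nonce already spent) and wrong answers."""
    now = time.time() if now is None else now
    body = challenge["challenge"]
    if not hmac.compare_digest(_mac(server_key, body), challenge.get("mac", "")):
        return False
    if now > body["exp"]:
        return False
    if body["nonce"] in spent:
        return False
    digest = hashlib.sha256(_prefix(body) + str(counter).encode()).digest()
    if _leading_zero_bits(digest) < body["bits"]:
        return False
    spent.add(body["nonce"])  # burn the nonce so the same solution cannot be resubmitted
    return True


if __name__ == "__main__":
    key = os.urandom(32)
    ch = issue_challenge(key, bits=16)
    t0 = time.perf_counter()
    answer = solve(ch)
    print(f"solved with counter {answer} in {time.perf_counter() - t0:.2f}s")
    print("verified:", verify(key, ch, answer, spent=set()))
```

The `spent` set is the one piece of server state the scheme needs; in a real deployment it would live in the same store as the registration session and be pruned once the challenge's `exp` passes, since an expired challenge is rejected anyway.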

@t3chguy
Member

t3chguy commented Oct 28, 2020

20sec on a non flagship smartphone is enough time for someone to uninstall the app, same as grecaptcha basically.

@damnms

damnms commented Oct 28, 2020

Why not leave that decision to the homeserver hoster?
If he'd like to use a slow but privacy-friendly alternative, he can decide what's best for him.
I would instantly switch to that, use it and see what goes on.
Registration is a one-time thing. If a user is pissed because of waiting for 20 seconds, he will be much more pissed because "no one is in Matrix". At least IMO and from my experience.

@nicolas17

Having any specific captcha service in the specification is absurd, so I don't know why people here are trying to pick an alternative. It should be way more flexible. The homeserver should give the client a URL to a webpage that uses whatever it wants to use to see if the user is legitimate or not.

The spec isn't even clear in how you're supposed to implement recaptcha. It only says you have to send a "captcha response" back. As a client implementor, how do I get that?
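
The exchange nicolas17 asks about above, as an added example that is not part of the original thread and not Synapse's or Element's code. What the spec does define for the `m.login.recaptcha` stage: the server's 401 carries the site key in `params["m.login.recaptcha"]["public_key"]`, the client renders the provider widget with that key, and the token the widget produces goes back as `response` in the `auth` dict together with the `session` from the 401. The `UIAAServer` class, the injected `verify_captcha` callable (standing in for the POST a homeserver makes to the provider's siteverify endpoint), the `solve_widget` callable and the `example.org` server name are assumptions for this example.

```python
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple

RECAPTCHA = "m.login.recaptcha"  # the only captcha stage type the spec currently defines


class UIAAServer:
    """Homeserver side of the User-Interactive Auth captcha stage (toy, in-memory).

    `verify_captcha` is injected so the example runs offline; in production it is
    the HTTP check against whatever provider the homeserver was configured with."""

    def __init__(self, site_key: str, verify_captcha: Callable[[str], bool],
                 flows: Optional[List[List[str]]] = None) -> None:
        self.site_key = site_key
        self.verify_captcha = verify_captcha
        self.flows = flows or [[RECAPTCHA]]
        self._sessions: Dict[str, Set[str]] = {}  # session id -> completed stages

    def _challenge(self, session: str, error: Optional[str] = None) -> Tuple[int, dict]:
        """The 401 body: flows, per-stage params, session id, stages done so far."""
        body = {
            "flows": [{"stages": stages} for stages in self.flows],
            "params": {RECAPTCHA: {"public_key": self.site_key}},
            "session": session,
            "completed": sorted(self._sessions[session]),
        }
        if error:
            body.update({"errcode": "M_UNAUTHORIZED", "error": error})
        return 401, body

    def handle_register(self, request: dict) -> Tuple[int, dict]:
        auth = request.get("auth")
        if auth is None:  # first request: open a session and describe the flows
            session = secrets.token_urlsafe(16)
            self._sessions[session] = set()
            return self._challenge(session)
        session = auth.get("session", "")
        if session not in self._sessions:
            return 400, {"errcode": "M_UNKNOWN", "error": "unknown session"}
        if auth.get("type") != RECAPTCHA:
            return self._challenge(session, "unsupported stage")
        if not self.verify_captcha(auth.get("response", "")):
            return self._challenge(session, "captcha verification failed")
        self._sessions[session].add(RECAPTCHA)
        if any(set(stages) <= self._sessions[session] for stages in self.flows):
            del self._sessions[session]  # flow complete: create the account
            return 200, {"user_id": f"@{request['username']}:example.org"}
        return self._challenge(session)


def register_with_captcha(server: UIAAServer, username: str,
                          solve_widget: Callable[[str], str]) -> Tuple[int, dict]:
    """Client side: pick a flow we can satisfy, feed the site key from `params`
    to the widget, send its token back as `response`, repeat until 200 or error."""
    supported = {RECAPTCHA}
    status, body = server.handle_register({"username": username})
    while status == 401 and "errcode" not in body:
        flow = next((f["stages"] for f in body["flows"]
                     if set(f["stages"]) <= supported), None)
        if flow is None:
            return status, body  # server demands a stage this client cannot do
        stage = next(s for s in flow if s not in body.get("completed", []))
        token = solve_widget(body["params"][stage]["public_key"])
        status, body = server.handle_register({
            "username": username,
            "auth": {"type": stage, "session": body["session"], "response": token},
        })
    return status, body


if __name__ == "__main__":
    hs = UIAAServer("site-key-from-config", lambda token: token == "widget-token")
    print(register_with_captcha(hs, "alice", lambda site_key: "widget-token"))
```

The point the thread keeps circling back to is visible in the shape of the messages: the stage type and the `public_key` parameter are the only provider-specific parts the client ever sees, and the real provider dependency sits entirely behind `verify_captcha` on the homeserver.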

@ara4n
Member

ara4n commented Nov 23, 2020

Looks like we just got a PR at matrix-org/synapse#8797 to implement hcaptcha. (I'm a bit unclear on why hcaptcha is any better than recaptcha, given they're both proprietary centralised services, but yay for choice!)

@ara4n
Member

ara4n commented Nov 23, 2020

Sounds like

> Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.

is going to be needed sooner than later :)

@xaur

xaur commented Oct 20, 2021

Why is there excitement around hCaptcha over Google reCAPTCHA (matrix-org/matrix-spec-proposals#2745)?

hcaptcha.com doesn't have anything about open source code or self-hosting. It might be a bit less invasive than reCAPTCHA, but in general it is replacing one service harvesting massive amounts of data with another. Doesn't seem to be aligned with decentralization/privacy/security Matrix is about. Cloudflare using it could be in fact a con and not a pro.

> ideal fix for this specific problem is to provide some generic framework

Yes! I think the spec change should support self-hosted solutions for there to be a meaningful improvement.

Or better, make it generic to support both centralized and self-hosted captchas.

Even better, make it generic to support arbitrary "registration filter" implementations, including cryptocurrency paywalls. The latter would give some server operators an ultimate combo: discourage bots, not send data to centralized services, not host/admin any captcha, all while collecting some tips.

@bkil

bkil commented Feb 22, 2022

Do note that any CAPTCHA can be stepped through by simply piping it through a CAPTCHA solver service à la Amazon Mechanical Turk and thus paying a few cents for each registration. Not to you, to a third party and indirectly to your CAPTCHA provider in the form of completed free microwork. Let me not share links to these here.

A few alternatives come to mind:

  • Require payment at registration, like a 1 cent bank transfer, 1 cent credit card lock & release or even via cryptocurrency.
  • Google even supports paying a few cents to each user during GCP registration to verify a unique bank account number.
  • Sending or receiving an SMS
  • As an alternative, back in the old free shared hosting days, there was a scheme where you only got an account that can be used for goodies after you proved to be a nice citizen on some other platform.
  • Web of trust. Making the platform invite-only, giving every user a certain amount of invites within a period of time. If you invite somebody who goes rogue, you would also get a negative reputation point (that decays with time). In case of abuse, the inviter could also be revealed within the affected community as a method of shaming. After a second or third strike, you get banned. Negative reputation might also be transitive with vanishing decaying factor as well. There should exist a better framework to detect sockpuppets based on IP & other fingerprints, though.

@turt2live
Member

(we don't really have an interest in making the protocol invite only or pay-to-access at this point, ftr)

@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 1, 2022
@uhoreg
Member

uhoreg commented Mar 9, 2022

Codeberg is looking into developing a captcha service, and are looking for contributors. https://codeberg.org/Codeberg-Infrastructure/CaptchaService

@MomentQYC

Cloudflare Turnstile may be a good solution

@harvestdusr

harvestdusr commented Jun 12, 2023

I really don't think it's a good idea to have the G* company log IP addresses and fingerprint new users devices when signing up for Matrix.

https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

G* does support some open source development, but the most recent actions from the company seem to be targeting prominent FOSS projects like Invidious.

https://torrentfreak.com/youtube-orders-invidious-privacy-software-to-shut-down-in-7-days-230609/

Legal and anti-consumer developments in 2023 have added even more clarity to why the reCAPTCHA service is incompatible with the Libre principles of openness and integrity.

Like destroying evidence in a Federal court case:

https://www.reuters.com/legal/us-court-sanctions-google-deleting-evidence-antitrust-cases-2023-03-29/

The US Department of Justice along with 10 States have brought a Federal case against G* for a long list of unethical and illegal behavior including tracking children in violation of Federal Law.

https://www.theverge.com/2023/1/25/23570753/google-antitrust-lawsuit-doj-ad-business

Let's please consider reengaging on the alternative Captcha service. hCaptcha seems like the most logical alternative, but there may be something else I'm unaware of.

@richvdh
Member Author

richvdh commented Jun 12, 2023

I'll keep this issue open as a placeholder, but note that the forthcoming work on OIDC (MSC2964) will move registration entirely under the control of the homeserver and out of the matrix spec - so HS admins will be free to use whichever captcha provider floats their boat.

@erlend-sh

Check out https://mcaptcha.org/

https://github.com/mCaptcha/mCaptcha

@penyuan

penyuan commented Jun 30, 2023

> Check out https://mcaptcha.org/

> https://github.com/mCaptcha/mCaptcha

Woah, thank you @erlend-sh this is the most viable-looking reCAPTCHA replacement that is fully open source that I've seen!

@damnms

damnms commented Jun 30, 2023

The thing is, Matrix devs say "it's the homeserver owner's thing to implement any captcha they'd like", so one has to implement it because they probably won't implement anything else than the Google one.
Write a tutorial on how to do that and then others can follow. I would at least give it a try.

@turt2live
Member

We're actually planning on dropping reCAPTCHA entirely from the spec through the OIDC series of proposals, where all of this stuff becomes the problem of an auth provider rather than the spec.

@penyuan

penyuan commented Jun 30, 2023

Thanks for the explanation @turt2live.

Might be a discussion for another thread, but I strongly agree with @damnms that it would be extremely valuable to have a step-by-step guide for auth providers on how to use a Google reCAPTCHA replacement such as the fully open source mCAPTCHA suggested by @erlend-sh.

@turt2live
Member

Currently Matrix-the-spec doesn't support non-reCAPTCHA offerings, which is not something we're happy with. A guide for replacement would have to happen outside of this repo/issue.

@KaKi87

KaKi87 commented Jun 30, 2023

> if someone wants to hammer your site, they will have to do more work to send requests than your server will have to do to respond to their request

Is that the purpose of putting a captcha on a Matrix instance though ?

@elch01

elch01 commented Oct 2, 2023

An update on this would be great.

@t3chguy
Member

t3chguy commented Oct 2, 2023

https://areweoidcyet.com/ replaces the entire auth stack in Matrix, then you can do whatever Captcha you want.

@Ra2-IFV

Ra2-IFV commented Aug 11, 2024

Cloudflare Turnstile is privacy-friendly, free for most uses and compatible with reCAPTCHA and hCAPTCHA.

@nicolas17

@Ra2-IFV It sounds like you didn't read the previous comments in the issue.

@CarlSinclair

CarlSinclair commented Aug 11, 2024

> I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective

Since this comment, many huge websites including Twitter, GitHub and even Chinese ones have implemented some version of all 3 of these lol. It's almost as if captcha requiring logic makes more sense to filter out machines than captcha requiring calculations, which machines are literally designed to do. You cannot convince me that PoW captchas are not crypto-miners, which is cool, but like be honest about it. Don't try to trick your users and say that a feature that's meant to protect them from spam is in fact you trying to make money off them without their knowledge or consent.

I maintain my position that if left up to the homeservers, most of them will simply not change the defaults. Which is why a good default needs to be in place with the opportunity for homeservers to override it, replace it, or remove captcha entirely. That's how defaults work. I'm not sure why there's so many people shutting this idea down like someone is trying to force them to use an easy captcha method with a good UX. Chill bro lol you can always remove it or replace it.

@foresto

foresto commented Aug 11, 2024

> Cloudflare Turnstile is privacy-friendly,

Nothing about Cloudflare is privacy-friendly. Their business is built upon being a MITM between users and the things they use, including HTTPS and (more recently) DNS.

Unless Turnstile is fundamentally different by being completely self-hosted (which seems unlikely given that their front page refers to "plans"), using it would give them even more opportunity to track people than they already have.

@Ra2-IFV

Ra2-IFV commented Aug 12, 2024

> @Ra2-IFV It sounds like you didn't read the previous comments in the issue.

Just did a quick scan, so sorry.
