Find an open source alternative to Google Recaptcha for our website #13905
Comments
There are a lot of captcha libraries, but none of them provide such features as reCaptcha.
@fdellwing The only feature we need is not getting overwhelmed with spam 🙂 Bonus points if it is accessibility-friendly.
As I said, I know no captcha that is nearly as user-friendly as reCaptcha. So best would be to take some random image captcha (there are MANY) and just hit a self-made database on top that recognises returning users.
I really have to disagree. I regularly spend multiple minutes getting angrier and angrier as I am clicking through page after page arguing whether something can be considered a storefront when the captcha switches into extra-slow mode where every image takes a 5-second transition to load. I think a captcha doesn't need to be complex to stop most bots (after all, while Recaptcha is hard to circumvent, it only costs 0.2 cent to pay someone to solve it for you), it just needs to be different enough that it stops automated bots programmed for popular WordPress forms. I even think that a simple input field asking to
As long as there is a WordPress plugin for it, that should be fine. We wouldn't want to build anything ourselves. The plugin would ideally hook into random places where needed and support Gravity Forms etc.
https://wordpress.org/plugins/humancaptcha/ seems to be pretty much what I described, but the plugin looks odd and only seems to integrate with comments. I have never used Gravity Forms before, but it seems to have many features and maybe one can make a required input field with the quiz feature. Not sure if it can be combined with the normal contact form.
Did a quick search for "captcha gravity"; maybe https://wordpress.org/plugins/nomorecaptchas/ or https://wordpress.org/plugins/cleantalk-spam-protect/ would help? CleanTalk also seems to support WooCommerce. Not really sure how good they are though. I reckon something where people need to enter "Matomo" might be too complicated sometimes for some humans (it seems easy but may not always be clear what to enter) and at the same time someone wanting to spam us could easily achieve it.
Both plugins work by sending the visitor behaviour data to the services' servers and analyzing it there. So I guess they are no better than ReCAPTCHA. It's odd that there isn't a well-maintained open-source plugin that just does basic local analysis.
Targeted attackers will probably always be able to afford the 0.2 cent it costs to reliably circumvent all types of captcha.
I would think an alternative to recaptcha will be a kind of service, something that can solve traditional recaptcha issues like GDPR and accessibility and still provide a solution like no captcha. I came across some solutions and here is a quick summary. Captcha providers can broadly be categorized in 2 categories:

Captcha Service Providers: This option works well for mission-critical enterprises looking for protection against constantly evolving spam and bot threats. Some of the industry players in captcha services are:
- RECAPTCHA: Free and one of the most widely used captcha services across the globe. They have recently launched recaptcha v3 which generates a risk score based on user behavior on site, google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other google products like google ads.
- MTCaptcha: Captcha service that is more focused on enterprise needs. Provides a NoCaptcha alternative to recaptcha, captcha account management, GDPR compliance, availability across the globe (China included). Limited in low-friction captcha capabilities.
- Solve Media captcha: Ad-driven captcha that uses advertisements to generate captchas and solve them. GDPR compliant, beautiful captcha and customizable. It may not be a good idea to show advertisements on an enterprise site.

Captcha Library Providers: There are a lot of players in the captcha library space, and if you are willing to manage and set up the code, some of the options are:
- BotDetect CAPTCHA: Most widely used captcha library, available in multiple languages. They license the library, which then needs to be implemented and managed.
- KeyCAPTCHA - Innovative Anti-Spam Solution: Plugin-driven captcha covering a wide range of CMS systems. Mostly for CMS-driven sites; needs self-hosting and management. Permutations are limited for captcha generation.
I just came across https://www.phpcaptcha.org/ which seems to be the only local open-source captcha solution that has a WordPress plugin: https://wordpress.org/plugins/securimage-wp/ But I don't know how well it supports the forms used on matomo.org
Hi there, We are also doing a rebrand shortly along with a potential partner to help bring web mining into the white light for the industry. Please feel free to let us know if you would like to work with us!
Privacy concerns of this tool are real, see https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side
One non-google product you could use to better protect your login page (or any page of the site) would be using the free version of Cloudflare. I use "Page Rules", then configure only my login page with the form on it to be in "under attack" mode in Cloudflare. By doing so, it scans any/all users who try to access that page of the site. It's not a perfect solution but it should cut out most of the pure bots hitting that page. Hope that helps.
@joekarns Using Cloudflare might be even worse as it
Yes, fair points.
We're still actively looking for an alternative to Google recaptcha! If you have any hint, we'd love to hear!
we are too, over at element-hq/element-web#3606 (in the interests of sharing any discoveries). (Riot also uses matomo for its analytics, fwiw :)
What about:
For the record:
It feels like the interest in light and effective captchas has dropped really a lot. Thank you for not surrendering on this.
@raneq
For
Btw we could also self-host the google recaptcha and proxy requests; this would help people from China at least, and may limit some of the privacy implications? Using this: https://github.com/google/recaptcha
Does anyone actually have a clear definition of 'human' that can be used to create a CAPTCHA? Is that definition inclusive of all humans? So far most of the CAPTCHAs here exclude humans that can only use assistive technology to read the web. Maybe that's because testing for machines excludes people who need machines.
@fadelkon You're right that the computation is useless (I would love to make it useful, but so far no proof of work has been invented with that property, it seems) and that users of slower devices will have to wait longer. Two points that alleviate the problem:
I wish a perfect captcha existed, but there seem to be inherent downsides to every solution. I believe trading seconds of useless computation against accessibility, inclusivity and privacy issues is a good idea (but of course I'm very biased as that is literally why I created FriendlyCaptcha).
In response to this: honeypots are a good idea but are security through obscurity that screen readers and other assistive technologies will have a hard time with. Have you tried the demo for my offering? In my experience it costs 0 extra time when you actually fill out the form (I personally can't fill a form in less than 5 seconds). My solution is available as free open source software and can be self-hosted, so there need not be dependence on another service if that is desired. I offer the SaaS offering to try to make it a sustainable project and to make it as easy to integrate as other 'unfriendly' captchas. I think 9KB (gzipped size for modern browsers, only to be included on pages with an actual form) is good value for what it provides.
@guido: I tried your demo on my Galaxy S2 and I can't say it's a good experience compared to other CAPTCHAs. It opens a page that shows a form (cut off at 'Any other thoughts or comments'). Completing the form causes it to say 'FriendlyCaptcha verification failure' and says I submitted before the CAPTCHA was finished: at no point did I see a CAPTCHA or agree for it to run. So going back and manually scrolling I realized my phone's virtual keyboard was blocking the CAPTCHA and it would submit anyway, because the submit button lets you submit even if the CAPTCHA doesn't work or isn't visible.
A more fundamental issue is that the user has to wait for the CAPTCHA to solve. I used another, newer phone to solve the CAPTCHA. With my phone on power saver it takes long enough that I switch over to another app, since I want to use my phone to do things instead of solving CAPTCHAs. It was still solving, so I just put my phone to sleep and checked it later. To its credit it did solve, but I really didn't know whether or not to press submit in case it gave me that error again.
Oh no :(, I imagine something went wrong when loading the script the first time. Thank you for the detailed report, I will definitely have to fix this. On the demo form I intentionally made submitting with an incomplete captcha possible so you can make it fail. Maybe that only adds confusion :/, that was probably a mistake. Could you tell me which browser you have installed on your Galaxy S2? If it's more than 8 years old I don't have a fallback for those browsers. (Well, it is possible to compile with support for them, but the polyfill makes it even slower.) If it took longer than, say, 20-30 seconds then that definitely needs improvement on my end. It's a balancing game of puzzle difficulty vs time. >15 seconds is an awful experience, but if it is 0.1% of users with that speed who use an outdated browser and device then I suppose it is acceptable for now. Maybe what the world needs is a captcha that is a labeling task, without tracking, with a fallback to proof-of-work for those who struggle with the task 🤔 EDIT: In conclusion, FriendlyCaptcha right now is not so friendly when it comes to old low-power devices (>6 years old) with even older browsers. I am afraid that perhaps proof-of-work based CAPTCHAs will never work if the UX has to be good for those devices as well; maybe there should be a fallback for those users with a labeling challenge.
In all honesty I'd be okay with this system. I gave it as an example to my blind friend and she didn't mind it, though she didn't know it was happening in the first place, which isn't great. I like the idea of it, but since it doesn't do what CAPTCHAs do I'm not sure if this would even solve the problem outside clientside throttling?
@gzuidhof I really don't want to talk badly about your solution, because after all I think it's a better solution than Google's. But... first I fill out all the fields and then I have to click "Press to Start" and wait until it is ready... not really optimal...
Thank you for letting me know, the captcha listens to a vanilla I appreciate the bug report here and it's good to be aware of limitations and bugs when considering which captcha to switch to, but I suppose we need to be careful not to take over this discussion. I will create an issue in the respective repo to track this issue.
You're right that you need JS enabled; what I tend to do is add something like: With an open source captcha you can put the JS in your own bundle, so at least those who block third-party scripts won't run into this issue. Unrelated update: I've changed the default difficulty parameters of FriendlyCaptcha, making it around 60% easier, to alleviate the time it takes on older devices and get it under the 20s upper bound. Thank you all for the contributions :)
Hi @gzuidhof, I like the idea of Friendly Captcha. Of course, it has some issues (the largest being that it does not actually detect bots, so I would not call it a CAPTCHA for the lack of the CHA part), but this also means that it doesn't have the huge privacy and accessibility issues most solutions proposed here would have.
My organisation is also having a hard time finding alternatives to Google ReCaptcha. We are currently looking at Antispam Bee, which is a solution that runs entirely locally in WordPress. Unfortunately, the plugin has very limited compatibility with third-party forms, but we are getting desperate enough that we will probably build our own version that works specifically with our forms solution. There is work underway to make Antispam Bee more compatible, but progress is really slow.
Has anyone tried using https://www.mtcaptcha.com ? (which was mentioned earlier this year) It has an invisible option, although this isn't included in the free plan :( At the veeeeeeery bottom of their FAQ page they say that they won't sell any of the usage data. I'm going to give the free plan a try.
My opinions on mtcaptcha:
Regarding Accessibility:
Technical Remarks:
Now to the important question of privacy:
Privacy policy for captcha users: https://www.mtcaptcha.com/legal-privacy-captcha To sum all of this up: They seem to have good intentions, but provide a CAPTCHA that is not really that different from the ones mentioned above. And they are not transparent enough and contradict themselves too often for me personally to trust them privacy-wise.
+1 to @Findus23 for a great, detailed rundown.
Thanks for your comprehensive reports and comments, @Findus23! I fully agree with you regarding MTCaptcha, that's why I think a fresh & different approach to spam prevention than "normal" CAPTCHAs would make sense. What do you think about Friendly Captcha? This is what you said about it before:
While, as you said, a completely self-hosted solution has its advantages, Matomo is currently using Google reCAPTCHA, which is A) closed source, B) entirely hosted by Google, and C) not user-friendly because of its annoying labeling tasks. That's why it's probably the worst solution regarding these benchmarks. Friendly Captcha has recently won some large customers like the European Union itself (see https://www.eea.europa.eu/contact-us -> Ask a question). In addition, it is currently improving its service by adding dynamic puzzle difficulty (= when a bot is trying to submit a form multiple times, the puzzle automatically gets more difficult) across all sites where it's used, which is an argument for using the Cloud solution for the back end part. The front end is completely open source and therefore I think it's a good fit for Matomo. Looking forward to your reply! :)
We've removed google recaptcha from Matomo.org websites. So far we're using a mix of simple captchas (a math question) and also https://www.hcaptcha.com/
Hi @mattab
Try Smart.Captcha, it is open source ... Currently it is not quite a separate component; it is mainly written in JavaScript but relies also on some PHP backend libraries which are inside Smart.Framework. The smart.captcha has 3 steps:
Hint: To force step 2, click the space between the timer and the clock icon before the timer gets to zero and it will reveal the checkbox before the timer ends. Click on that checkbox before the timer ends and it will get you to the 2nd hidden level (drawing shapes) ;-)
There is now a simple Open Source server for FriendlyCaptcha: https://github.com/FriendlyCaptcha/friendly-lite-server (Disclaimer: I implemented this as a proof of concept a while ago and handed over the repo to FriendlyCaptcha today, while I am not affiliated otherwise with FriendlyCaptcha.) Also I discovered mCaptcha today, which is another example of a ProofOfWork captcha solution.
I mean, because the cost of a CPU that is able to solve a ProofOfWork puzzle is by far less than the cost of said services, unless they make my device solve a puzzle worth 0.2 cent, they are solved too cheaply, hence provide zero security benefits.
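The proof-of-work scheme debated in the comments above (Friendly Captcha, mCaptcha, the difficulty-versus-time trade-off and the dynamic-difficulty idea), as an added illustration that is not code from any of those projects: the server issues an HMAC-signed puzzle, the client brute-forces a counter, and the server checks signature, expiry, replay and work in that order. The key, function names and the in-memory replay set are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key: a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Nonces already redeemed. In production this lives in a shared store with a
# TTL (e.g. Redis) so every worker sees the same replay state.
_redeemed = set()


def _payload(nonce, bits, expires):
    return f"{nonce}:{bits}:{expires}".encode()


def issue_puzzle(bits, ttl_s=300, now=None):
    """Server side: hand out a nonce, a difficulty and an expiry, HMAC-signed
    so the server stores nothing until the puzzle comes back solved."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    expires = now + ttl_s
    tag = hmac.new(SERVER_KEY, _payload(nonce, bits, expires), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "bits": bits, "expires": expires, "tag": tag}


def leading_zero_bits(digest):
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(puzzle):
    """Client side (what the browser widget does): brute-force a counter until
    SHA-256(payload:counter) starts with `bits` zero bits. Expected cost is
    about 2**bits hashes; that exponent is the difficulty-versus-time knob."""
    prefix = _payload(puzzle["nonce"], puzzle["bits"], puzzle["expires"]) + b":"
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if leading_zero_bits(digest) >= puzzle["bits"]:
            return counter
        counter += 1


def verify_solution(puzzle, counter, now=None):
    """Server side: signature first (so a tampered difficulty or expiry is
    rejected), then expiry, then replay, and only then the work itself."""
    now = int(time.time() if now is None else now)
    payload = _payload(puzzle["nonce"], puzzle["bits"], puzzle["expires"])
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return "bad-signature"
    if now > puzzle["expires"]:
        return "expired"
    if puzzle["nonce"] in _redeemed:
        return "replayed"
    digest = hashlib.sha256(payload + b":" + str(counter).encode()).digest()
    if leading_zero_bits(digest) < puzzle["bits"]:
        return "insufficient-work"
    _redeemed.add(puzzle["nonce"])
    return "ok"


def next_difficulty(base_bits, failures, step=1, cap=24):
    """Dynamic difficulty: each rejected submission from the same client adds
    `step` bits (doubling expected work), capped to bound honest solve time."""
    return min(cap, base_bits + step * failures)
```

Note that the work only proves the client spent CPU, not that it is human, which is the limitation the thread raises about proof-of-work captchas.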
Exactly two years ago, I had the same problem. I worked on a project where the customer wanted a form on the website's front page. We've discussed using reCAPTCHA, but because of data privacy concerns and the fact that it would be on the first page of a website, it was completely unacceptable. I started to investigate other options to protect the form and searched the internet for protection methods - as you did in this issue.

My result was the same as you got here: there are solutions with puzzles, which are not solvable for some humans, uses only the CPU to decide, or the solution is a data privacy nightmare.

On the internet, and in this issue, some people ask why we humans have to prove that we're real and why not the bot has to confirm that the form submission is good.

So I took this fundamental question and thought about how we could solve this problem. I had some discussions with a friend, and then we started the project mosparo - modern spam protection.

mosparo does not try to decide between humans and bots. mosparo does only decide if a submission contains spam or not. This decision is made on the data that the user entered into the form. If mosparo detects spam, the form cannot be submitted. The detection is based on rules. As an owner of the mosparo installation, you have to define these rules. After you've installed mosparo, it will not catch any spam. But by adding rules, you can tell mosparo which content you want and which you don't want. After that, mosparo can check the submission and block unwanted content.

mosparo is open-source, free to use, and self-hosted. It is accessible since the visible checkbox is optimized for screen readers (it's a standard HTML checkbox with two additional status updates for screen readers). It stores the data only in your server's database and does not use external services. You can use the GeoIP2 database to localize IP addresses (for rules to block providers or countries), which is optional and the resolution would happen on your server (not remotely). mosparo uses only the data that the user has entered, the IP address, as well as the user agent of the user. But mosparo does not track the user to see if it's a valid user or not.

There are more features in mosparo, but I think this comment is already too long. You can find all details on our website: https://mosparo.io/

We've developed a WordPress plugin for mosparo. It is compatible with the most used form plugins (also with Gravity Form).

Please let me know if you want to know anything else about mosparo or if I can help you somehow.

Thank you very much for your patience.
I've switched all my website captchas to Cloudflare Turnstile. It's pretty great (and free).
Perhaps you could use Altcha
Currently we're using Google Recaptcha on pages with a form, which leaks lots of data to Google.
For example on this page: https://matomo.org/contact/
-> It would be fantastic to find & use an open source, decentralised alternative to Google recaptcha on our Matomo.org website.
If anyone knows an alternative to Recaptcha that works, please let us know.