Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Find a non-google alternative to reCAPTCHA #295

Open
richvdh opened this issue Jun 7, 2018 · 51 comments
Open

Find a non-google alternative to reCAPTCHA #295

richvdh opened this issue Jun 7, 2018 · 51 comments
Labels
A-Client-Server Issues affecting the CS API feature Suggestion for a significant extension which needs considerable consideration

Comments

@richvdh
Copy link
Member

richvdh commented Jun 7, 2018

recaptcha is non-free and people would like to have non-google implementations.

@richvdh richvdh added the feature Suggestion for a significant extension which needs considerable consideration label Jun 7, 2018
@uhoreg
Copy link
Member

uhoreg commented Jun 7, 2018

see also element-hq/element-web#3606, which has some discussion of alternatives

@damnms
Copy link

damnms commented Dec 31, 2018

There is no "alternative" in this discussion. It is just saying: it depends on matrix. Riot accepts different captcha providers because it will be just displayed as iframe. This has nothing to do with the UI, as far as i understood.
It is up to matrix to use another captcha service.

@turt2live turt2live added the A-Client-Server Issues affecting the CS API label Feb 6, 2019
@mt-dave
Copy link

mt-dave commented May 7, 2019

I would think alternate of recaptcha will be kind of service, something that can solve traditional recaptcha issue like GDPR and accessibility and still provide solution like no captcha.

I came across some solutions and here is a quick summary

Captcha providers can widely be categorized in 2 categories :-

Captcha Service Providers : This option works well for mission critical Enterprises looking for protection against constantly evolving spam and bot threats. Some of the Industry players in Captcha Services are :-

RECAPTCHA : Free and One of the most widely used captcha service used across the globe. They have recently launched recaptcha v3 which generate a risk score based on user behavior on site, google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other google product like google ads.

MTCaptcha : Captcha Service that is more focused for Enterprise needs. Provide NoCaptcha alternative to recaptcha, captcha account management, GDPR compliant, Availability across globe (China included). Limited in low friction captcha capabilities.

Solve Media captcha: Ad driven Captcha that uses advertisement to generate captcha and solving them. GDPR compliant, Beautiful captcha and customizable. It may not be good idea to show advertisement on enterprise site.

Captcha Library Providers: There are lot of players in Captcha Library space, And if you are willing to manage and setup the code, some of the options are:-

BotDetect CAPTCHA : Most widely used captcha library, Available in multiple languages. They license the library which then need to be implemented and managed.

KeyCAPTCHA - Innovative Anti-Spam Solution : Plugin driven captcha cover wide range of CMS systems. Mostly for CMS driven, need self hosting and management. Permutations are limited for captcha generation.

@richvdh
Copy link
Member Author

richvdh commented Apr 10, 2020

I don't really know why it's being discussed there, since it's not specific to riot at all, but element-hq/element-web#3606 seems to be the authoritative issue on this.

@damnms
Copy link

damnms commented Apr 10, 2020

imo its a combination of both
matrix-synapse by default supports google recaptcha, but nothing else, even tho it provides interfaces to implement any other captcha provider.
unfortunately, not every admin is programmer, so not any admin can implement his own captcha provider. therefore it would make sense to drop the support for google recaptcha in matrix and provide another default(!) captcha.

or: provide a simple documentation how to use matrix-synapse with any client AND another captcha provider.

@jryans
Copy link
Contributor

jryans commented Aug 15, 2020

Since this is a spec issue, I have closed element-hq/element-web#3606 and redirected further discussion here.

@xaur
Copy link

xaur commented Aug 18, 2020

Good idea to move the discussion here since the root of the problem is the endorsement of recaptcha at the spec level.

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

@turt2live
Copy link
Member

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.

@Morpheus0x
Copy link

Morpheus0x commented Aug 20, 2020

Would it be a too crazy request to remove Google recaptcha (and any proprietary anti-privacy fingerprinting service) from the spec?

Not crazy, though without a proposed alternative it's unlikely to be accepted as an MSC. Having a captcha helps reduce a lot of spam accounts, particularly when paired with other registration requirements.

Ok then I would strongly propose hCaptcha as an alternative to be added or completely replacing reCaptcha. Cloudflare changed their captcha provide to hCaptcha recently, see here. I very much appreciate what Cloudflare does in general but especially regarding their privacy policy. An endorsement by Cloudflare in my eyes is good enought for hCaptcha to be at leased supported as an alternative to reCaptcha by Matrix.

@turt2live
Copy link
Member

The element-web issue has gone into quite a bit of discussion about the various captcha mechanisms. Realistically at this point someone needs to write a proposal for further discussion.

@Morpheus0x
Copy link

Morpheus0x commented Aug 20, 2020

@turt2live ah ok thank you, well then I am going to write that proposal

Edit: done, I created a WIP proposal which is currently a Draft PR. See matrix-org/matrix-spec-proposals#2745

@CarlSinclair
Copy link

I'm surprised all the best ones in terms of UX haven't been mentioned. Granted, many are outdated, but I'm also surprised that nothing like them has been implemented/maintained over the last few years.

Here's a few I've found (none tested yet), ordered by how user-friendly their UX is.

  1. @sweetcaptcha. Demo
  2. AreYouAHuman. Demo. Docs
  3. Slider Captcha. Demo
  4. Image Rotation. Demo
  5. Icon Click

Honorable mentions:

  1. FunCaptcha. Demo
  2. 3D Captcha. Demo
  3. CaptCheck. Demo [Icon Click alternative]
  4. VisualCaptcha
  5. Minimal Math. Demo

I'll be testing the first 4, probably.

@uhoreg
Copy link
Member

uhoreg commented Aug 21, 2020

SweetCaptcha seems to be abandoned (it says you need to sign up on a website that no longer seems to be associated with any sort of captcha). AreYouAHuman refers to a website that seems to be down. I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective, and they would be impossible for blind users to complete.

Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.

@CarlSinclair
Copy link

Yes, like I said, the best ones are abandoned. But they're all open-source so they can be re-animated at any time.

If you're not interested in doing that, I think those other 3 are effective enough.

I would say the vast majority of Matrix users/operators will never implement their own captcha system, which is why everyone is upset that the default/built-in one is Google. Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.

@uhoreg
Copy link
Member

uhoreg commented Aug 23, 2020

Besides, clearly there aren't very many options out there for one to implement anyway, which is why a decent one should be chosen and bundled with the clients.

From a spec perspective (i.e. the repo that this issue belongs to), we should allow any captcha. Choosing a default one would be up to the homeservers (not the client), and once the spec allows any captcha, then you can argue about about which one to use in the repos for the homeservers.

@dev-love
Copy link

I think that FriendlyCaptcha might be the right solution. It's a proof-of-work based CAPTCHA alternative that respects the user's privacy.

Their website address is https://friendlycaptcha.com and the front-end part is open source and available at https://github.com/friendlycaptcha/friendly-challenge. The European Union is using it on their official website (see https://www.eea.europa.eu/contact-us --> Ask your question)

What do you think about it?

@t3chguy
Copy link
Member

t3chguy commented Oct 28, 2020

20sec on a non flagship smartphone is enough time for someone to uninstall the app, same as grecaptcha basically.

@damnms
Copy link

damnms commented Oct 28, 2020

why not leave that decision to the homeserver hoster.
if he'd like to use a slow but privacy-friendly alternative, he can decide whats best for him.
i would instantly switch to that, use it and see what goes on.
registration is a one-time-thing. if a user is pissed because waiting for 20 seconds, he will be much more pissed because "no one is in matrix". at least imo and from my experience

@nicolas17
Copy link

Having any specific captcha service in the specification is absurd, so I don't know why people here are trying to pick an alternative. It should be way more flexible. The homeserver should give the client a URL to a webpage that uses whatever it wants to use to see if the user is legitimate or not.

The spec isn't even clear in how you're supposed to implement recaptcha. It only says you have to send a "captcha response" back. As a client implementor, how do I get that?

@ara4n
Copy link
Member

ara4n commented Nov 23, 2020

Looks like we just got a PR at matrix-org/synapse#8797 to implement hcaptcha. (I'm a bit unclear on why hcaptcha is any better than recaptcha, given they're both proprietary centralised services, but yay for choice!)

@ara4n
Copy link
Member

ara4n commented Nov 23, 2020

Sounds like

Anyways, I'm pretty sure the right way to solve this issue is not to pick a new captcha system, but to fix the spec so that servers can use whatever captcha they want.

is going to be needed sooner than later :)

@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 1, 2022
@uhoreg
Copy link
Member

uhoreg commented Mar 9, 2022

Codeberg is looking into developing a captcha service, and are looking for contributors. https://codeberg.org/Codeberg-Infrastructure/CaptchaService

@MomentQYC
Copy link

Cloudflare Turnstile may be a good solution

@harvestdusr
Copy link

harvestdusr commented Jun 12, 2023

I really don't think it's a good idea to have the G* company log IP addresses and fingerprint new users devices when signing up for Matrix.

https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

G* does support some open source development, but the most recent actions from the company seem to be targeting prominent FOSS projects like Invidious.

https://torrentfreak.com/youtube-orders-invidious-privacy-software-to-shut-down-in-7-days-230609/

Legal and anti-consumer developments in 2023 have added even more clarity to why the reCAPTCHA service is incompatible with the Libre principals of openness and integrity.

Like destroying evidence in a Federal court case;

https://www.reuters.com/legal/us-court-sanctions-google-deleting-evidence-antitrust-cases-2023-03-29/

The US Department of Justice along with 10 States have brought a Federal case against G* for a long list of unethical and illegal behavior including tracking children in violation of Federal Law.

https://www.theverge.com/2023/1/25/23570753/google-antitrust-lawsuit-doj-ad-business

Let's please consider reengaging on the alternative Captcha service. hCaptcha seems like the most logical alternative, but there may be something else I'm unaware of.

@richvdh
Copy link
Member Author

richvdh commented Jun 12, 2023

I'll keep this issue open as a placeholder, but note that the forthcoming work on OIDC (MSC2964) will move registration entirely under the control of the homeserver and out of the matrix spec - so HS admins will be free to use whichever captcha provider floats their boat.

@erlend-sh
Copy link

Check out https://mcaptcha.org/

https://github.com/mCaptcha/mCaptcha

@penyuan
Copy link

penyuan commented Jun 30, 2023

Check out https://mcaptcha.org/

https://github.com/mCaptcha/mCaptcha

Woah, thank you @erlend-sh this is the most viable-looking reCAPTCHA replacement that is fully open source that I've seen!

@damnms
Copy link

damnms commented Jun 30, 2023

the thing is, matrix devs say "its the homeowners thing to implement any captcha they'd like", so one has to implement it because they probably wont implement anything else than the google one.
write a tutorial how to do that and then others can follow. i would at least give it a try

@turt2live
Copy link
Member

We're actually planning on dropping reCAPTCHA entirely from the spec through the OIDC series of proposals, where all of this stuff becomes the problem of an auth provider rather than the spec.

@penyuan
Copy link

penyuan commented Jun 30, 2023

Thanks for the explanation @turt2live.

Might be a discussion for another thread, but I strongly agree with @damnms that it would be extremely valuable to have a step-by-step guide for auth providers on how to use a Google reCAPTCHA replacement such as the fully open source mCAPTCHA suggested by @erlend-sh.

@turt2live
Copy link
Member

Currently Matrix-the-spec doesn't support non-reCAPTCHA offerings, which is not something we're happy with. A guide for replacement would have to happen outside of this repo/issue.

@KaKi87
Copy link

KaKi87 commented Jun 30, 2023

if someone wants to hammer your site, they will have to do more work to send requests than your server will have to do to respond to their request

Is that the purpose of putting a captcha on a Matrix instance though ?

@elch01
Copy link

elch01 commented Oct 2, 2023

An update on this would be great.

@t3chguy
Copy link
Member

t3chguy commented Oct 2, 2023

https://areweoidcyet.com/ replaces the entire auth stack in Matrix, then you can do whatever Captcha you want.

@Ra2-IFV
Copy link

Ra2-IFV commented Aug 11, 2024

Cloudflare Turnstile is privacy-friendly, free for most uses and compatible with reCAPTCHA and hCAPTCHA.

@nicolas17
Copy link

@Ra2-IFV It sounds like you didn't read the previous comments in the issue.

@CarlSinclair
Copy link

CarlSinclair commented Aug 11, 2024

I have doubts that Slider Captcha, Image Rotation, and Icon Click are actually effective

Since this comment, many huge websites including Twitter, GitHub and even Chinese ones have implemented some version of all 3 of these lol. It's almost as if captcha requiring logic makes more sense to filter out machines than captcha requiring calculations, which machines are literally designed to do. You cannot convince me that PoW captchas are not crypto-miners, which is cool, but like be honest about it. Don't try to trick your users and say that a feature that's meant to protect them from spam is in fact you trying to make money off them without their knowledge or consent.

I maintain my position that if left up to the homeservers, most of them will simply not change the defaults. Which is why a good default needs to be in place with the opportunity for homeservers to override it, replace it, or remove captcha entirely. That's how defaults work. I'm not sure why there's so many people shutting this idea down like someone is trying to force them to use an easy captcha method with a good UX. Chill bro lol you can always remove it or replace it.

@foresto
Copy link

foresto commented Aug 11, 2024

Cloudflare Turnstile is privacy-friendly,

Nothing about Cloudflare is privacy-friendly. Their business is built upon being a MITM between users and the things they use, including HTTPS and (more recently) DNS.

Unless Turnstile is fundamentally different by being completely self-hosted (which seems unlikely given that their front page refers to "plans"), using it would give them even more opportunity to track people than they already have.

@Ra2-IFV
Copy link

Ra2-IFV commented Aug 12, 2024

@Ra2-IFV It sounds like you didn't read the previous comments in the issue.

just did a quick scan so sorry

@TristanWasTaken
Copy link

TristanWasTaken commented Oct 23, 2024

We're actually planning on dropping reCAPTCHA entirely from the spec through the OIDC series of proposals, where all of this stuff becomes the problem of an auth provider rather than the spec.

That's great.
I just started reading the client-server spec and would have suggested a vendor-neutral approach, as some have already said 😅
For example, the homeserver provides a "type" field to help clients identify if they support the flow/that specific provider, and if they don't, as a fallback it should provide a link field so the client can direct the user to some captcha webpage with webview or the browser of choice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Client-Server Issues affecting the CS API feature Suggestion for a significant extension which needs considerable consideration
Projects
None yet
Development

No branches or pull requests