@mattab opened this Issue on December 23rd 2018 Member

Currently we're using Google Recaptcha on pages with a form, which leaks lots of data to Google.

For example on this page: https://matomo.org/contact/

-> It would be fantastic to find & use an open source, decentralised alternative to Google recaptcha on our Matomo.org website.

If anyone knows an alternative to Recaptcha that works, please let us know

@fdellwing commented on December 24th 2018 Contributor

There are a lot of captcha libraries, but none of them provide such features as reCaptcha.

@Findus23 commented on December 24th 2018 Member

@fdellwing The only feature we need is not getting overwhelmed with spam :slightly_smiling_face:

Bonus points if it is accessibility-friendly.

@fdellwing commented on December 24th 2018 Contributor

As I said, I know no captcha that is nearly as user friendly as reCaptcha. So best would be to take some random image captcha (there are MANY) and just hit a self-made database on top that recognises returning users.

@Findus23 commented on December 27th 2018 Member

As I said, I know no captcha that is nearly as user friendly as reCaptcha

I really have to disagree. I regularly spend multiple minutes getting angrier and angrier as I am clicking through page after page arguing whether something can be considered a storefront when the captcha switches into extra-slow mode where every image takes a 5-second transition to load.
(I am not using a VPN or anything similar, just a regular internet connection)

I think a captcha doesn't need to be complex to stop most bots (after all, while Recaptcha is hard to circumvent, it only costs 0.2 cent to pay someone to solve it for you), it just needs to be different enough so it stops automated bots programmed for popular WordPress forms.

I even think that a simple input field asking to enter the name of the open source project you are trying to contact (that maybe also allows common variants) would stop nearly all automated spam.
And the remaining ones I think (from what I see on the forum) are actual people pasting spam texts into the forms and those are not blockable via captchas.
@tsteur, would it be possible to add something like this to the forms without too much work?

@tsteur commented on December 27th 2018 Member

As long as there is a wordpress plugin for it that should be fine. We wouldn't want to build anything ourselves. The plugin would ideally hook into random places where needed and support gravity forms etc.

@Findus23 commented on December 27th 2018 Member

https://wordpress.org/plugins/humancaptcha/ seems to be pretty much what I described, but the plugin looks odd and only seems to integrate with comments.
Apart from that I could only find https://wordpress.org/plugins/humancaptcha/ which seamlessly integrates into login, registration, lost password, comments, bbPress and Contact Form 7.

I have never used Gravity Forms before, but it seems to have many features and maybe one can make a required input field with the quiz feature. Not sure if it can be combined with the normal contact form.

@tsteur commented on December 27th 2018 Member

Did a quick search for "captcha gravity" maybe https://wordpress.org/plugins/nomorecaptchas/ or https://wordpress.org/plugins/cleantalk-spam-protect/ would help? cleantalk also seems to support woocommerce. not really sure how good they are though.

I reckon something where people need to enter "Matomo" might be too complicated sometimes for some humans (it seems easy but may not always be clear what to enter) and at the same time someone wanting to spam us could easily achieve it.

@Findus23 commented on December 27th 2018 Member

https://wordpress.org/plugins/nomorecaptchas/ or https://wordpress.org/plugins/cleantalk-spam-protect/

Both plugins work by sending the visitor behaviour data to the services' servers and analyzing it there. So I guess they are no better than ReCAPTCHA.

It's odd that there isn't a well-maintained open source plugin that just does basic local analysis.

someone wanting to spam us could easily achieve it.

Targeted attackers will probably always be able to afford the 0.2 cent it costs to reliably circumvent all types of captcha.

@mt-dave commented on May 7th 2019

I would think an alternative to reCAPTCHA will be a kind of service, something that can solve traditional reCAPTCHA issues like GDPR and accessibility and still provide a solution like NoCaptcha.

I came across some solutions and here is a quick summary

Captcha providers can broadly be categorized in 2 categories:

Captcha Service Providers: This option works well for mission-critical enterprises looking for protection against constantly evolving spam and bot threats. Some of the industry players in captcha services are:

reCAPTCHA: Free and one of the most widely used captcha services across the globe. They have recently launched reCAPTCHA v3, which generates a risk score based on user behavior on the site, Google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other Google products like Google Ads.

MTCaptcha: Captcha service that is more focused on enterprise needs. Provides a NoCaptcha alternative to reCAPTCHA and captcha account management, is GDPR compliant, and is available across the globe (China included). Limited in low-friction captcha capabilities.

Solve Media captcha: Ad-driven captcha that uses advertisements to generate captchas and solve them. GDPR compliant, beautiful captcha and customizable. It may not be a good idea to show advertisements on an enterprise site.

Captcha Library Providers: There are a lot of players in the captcha library space, and if you are willing to manage and set up the code, some of the options are:

BotDetect CAPTCHA: Most widely used captcha library, available in multiple languages. They license the library, which then needs to be implemented and managed.

KeyCAPTCHA - Innovative Anti-Spam Solution: Plugin-driven captcha covering a wide range of CMS systems. Mostly for CMS-driven sites, needs self-hosting and management. Permutations are limited for captcha generation.

@Findus23 commented on May 9th 2019 Member

I just came across https://www.phpcaptcha.org/ which seems to be the only local open source captcha solution that has a wordpress plugin: https://wordpress.org/plugins/securimage-wp/

But I don't know how well it supports the forms used on matomo.org

@Crypto-Loot commented on June 10th 2019

Hi there,
We offer a PoW (proof-of-work) based captcha system where a user must verify a captcha via mining a cryptocurrency for several seconds before proceeding to confirm the token. You may find more at our website: https://crypto-loot.org (will have to login to see the demo/code)

We are also doing a rebrand shortly along with a potential partner to help bring web mining into the white light for the industry.

Please feel free to let us know if you would like to work with us!
support@crypto-loot.org

@mattab commented on June 29th 2019 Member
@joekarns commented on September 19th 2019

One non-google product you could use to better protect your login page (or any page of the site) would be using the free version of Cloudflare. I use "Page Rules", then configure only my login page with the form on it to be in "under attack" mode in Cloudflare. By doing so, it scans any/all users who try to access that page of the site. It's not a perfect solution but it should cut out most of the pure bots hitting that page. Hope that helps.

@Findus23 commented on September 19th 2019 Member

@joekarns Using Cloudflare might be even worse as it

  • allows one entity to intercept a huge fraction of the internet's traffic
  • cuts off a large fraction of internet users (e.g. Tor users)
  • still uses ReCaptcha (I think) to detect bots

@joekarns commented on September 19th 2019

Yes, fair points.

@mattab commented on January 30th 2020 Member

We're still actively looking for an alternative to Google recaptcha!

if you have any hint, we'd love to hear!

@ara4n commented on February 9th 2020

we are too, over at https://github.com/vector-im/riot-web/issues/3606 (in the interests of sharing any discoveries). (Riot also uses matomo for its analytics, fwiw :)

@raneq commented on February 13th 2020

What about:

  • Captcha code ?? It's up to date and looks clean to me. I don't know if it's effective though.

For the record:

  • Visual Captcha? It's not maintained, but it may just work. Wrong, the wordpress plugin is not up to date.
  • Secure Image It's not the cutest, but it's just a matter of CSS. But it's also not up to date
  • Lepture Captcha: For python projects, it looks a good resource, even thought last commit is from Nov 2018.

It feels like the interest for light and effective captchas has dropped really a lot. Thank you for not surrendering on this.

@Findus23 commented on February 13th 2020 Member

@raneq
I am really not sure if those Captchas that just use GD to print a random string to an image and sprinkle a few dots or lines above it are really helpful.

  • They are all completely inaccessible, so a lot of people are completely prevented from submitting a form.
  • I really doubt any but the most trivial bot is unable to detect those images via OCR (especially as they use known font-files)
  • most of them seem to have the latest commit many years ago

For captcha-code-authentication specifically there seem to be multiple reviews mentioning that removing the captcha from the form circumvents it.

@mattab commented on March 4th 2020 Member

Btw we could also self-host the Google recaptcha and proxy requests, this would help people from China at least, and may limit some of the privacy implications? Using this: https://github.com/google/recaptcha

PHP client library for reCAPTCHA, a free service to protect your website from spam and abuse. http://www.google.com/recaptcha/

@Findus23 commented on March 4th 2020 Member

self-host the google recaptcha and proxy requests

That would solve the issue for Chinese users, but it might make privacy even worse as it would be harder to block and might open new privacy law issues as users can't opt out anymore.

@Reechik8760 commented on March 23rd 2020

I'm also looking for a good captcha to use that protects a users privacy. One solution that doesn't work for me but might be ok for you is: https://www.hcaptcha.com/

Users are labeling data for free with hcaptcha and we don't know what is being done with the labeled data. As a result I'm not using it.

@tsteur commented on March 29th 2020 Member

I just came across https://www.hcaptcha.com/ as well. It looks quite interesting and there is a WordPress plugin https://wordpress.org/plugins/hcaptcha-for-forms-and-more/

I suppose it's at least better than Google but didn't look into any terms or privacy policy.

@Findus23 commented on March 29th 2020 Member

Things I noticed with hcaptcha:

  • The captcha itself varies from obvious to impossible (three blurry, distorted images and nine equally incomprehensible images and somehow one has to find a connection between them)
  • The tasks are looping in a very small set. If none of the few tasks available at the moment is doable, one can't submit.
  • Their solution for users who can't do visual tests is forcing them to create an account and share their personal data, which doesn't really feel appropriate (https://www.hcaptcha.com/accessibility)
  • The JS mentions that its license can be found at https://hcaptcha.com/license which is a 404
  • They have a privacy policy, but I think it is not linked anywhere (https://www.hcaptcha.com/privacy)
  • Update: It is linked in the captcha itself, but using a 9px font and using #cccccc text on #fafafa background (which is the lowest color contrast I have seen in a long time)
  • Children under 13 are banned from using the service which isn't really an issue but is a bit weird.

Weird quotes from the privacy policy:

Some of the information you provide us may constitute sensitive data as defined in the GDPR (also referred to as special categories of personal data), including identification of your race or ethnicity on government-issued identification documents.

please be aware that your personal data will be transferred to, processed, and stored in the United States. Data protection laws in the U.S. may be different from those in your country of residence. You consent to the transfer of your information, including personal information, to the U.S. as set forth in this Privacy Policy by visiting our site or using our service.

(I don't think that's how consent works)

So I think the major benefits to reCAPTCHA are:

  • it is not Google
  • you get a (potentially very tiny) fraction of the Ethereum tokens earned
  • it might not do any actual tracking to detect humans

@Reechik8760 commented on March 29th 2020

@Findus23 -- thank you very much for this great analysis. If I find any good open source solutions that protect people's privacy (or end up creating my own Captcha) I will be sure to post it.

@HawkLiking commented on April 3rd 2020

It's funny to read @Findus23 (good) analysis knowing that Cloudflare just started using hCaptcha...

but hCaptcha is as easily solvable as reCaptcha by services like anti-captcha.com (human automated solving) which support both of them (and many others). It takes less than 30 seconds to solve a hCaptcha/reCaptcha with their lib/api, for 0,0022€ per captcha... Do not even try picture-based captchas, it is even easier.
The fact is Google is doing NOTHING to block these services, so I asked hCaptcha and here is their answer:

Short answer is Google has never bothered to try and stop those users, but we break the captcha services on a regular basis.
We have a variety of strategies, but fundamentally if a human being is answering the question through anti-captcha then we'll detect that they're human. You end up in an arms race to detect that it's specifically a captcha service user, and they end up in an arms race trying to defeat your detection. This also means you can't just publish your detection results to everyone, otherwise their time-to-defeat will be much lower.

But hey, anti-captcha manage to bypass them successfully (last check: today) 🤷‍♂️

So far I did not find any captcha which could not be solved by services like anti-captcha, or by public libraries, but I am very interested in finding one, so I will watch this topic !

@Jookia commented on April 4th 2020

Please don't use hCAPTCHA or other inaccessible CAPTCHAs.

@Findus23 commented on April 4th 2020 Member

@HawkLiking
Honestly, as much as I am here complaining about most solutions, solvable with human automated solving methods isn't really an issue for me. The point of a CAPTCHA is to tell computers and humans apart (the CHA part) and a person paid to solve a CAPTCHA for someone else is definitely a human.
Solving this issue is even more complex, maybe impossible and out of scope of finding a ReCAPTCHA alternative.

@HawkLiking commented on April 6th 2020

@Jookia why is hCaptcha "inaccessible"?

@Jookia commented on April 6th 2020

Blind people can't use it without signing up to the service.
Deafblind people can't use it either.

@Tirion77 commented on April 13th 2020

I've got a solution that respects user privacy and removes bots like no other. Nobody owns the data at the end, unless the user decides to manually capture their data and then use it. It is a little experimental and will require some configuration and effort to implement.

@HawkLiking commented on April 14th 2020

I've got a solution that respects user privacy and removes bots like no other. Nobody owns the data at the end, unless the user decides to manually capture their data and then use it. It is a little experimental and will require some configuration and effort to implement.

@Tirion77 Ok, and what is this solution ? I am very curious!

@yolknet commented on April 21st 2020

* [Captcha code](https://github.com/wp-plugins/captcha-code-authentication) ?? It's up to date and looks clean to me. I don't know if it's effective though.

The contact form at the bottom of the page has a Google reCAPTCHA (v2). They don't trust their own work anymore I guess :-)

@jcalfee commented on May 6th 2020

So far, BotDetect CAPTCHA seems like the way to go for me. We have node as a back-end though. I'm asking them if they are working on something for that. I don't trust the government, so really like how they document the reCaptcha concerns. I wish it were an image slide captcha but I can't be too picky at this point.

@Tirion77 commented on May 7th 2020

Apologies for the late reply, everyone. I wasn't sure if I should share it because the solution is highly experimental as I said, and only recently came out with something that made me confident enough to start sharing it.
Please look into the Idena network -- https://idena.io/. It is a decentralized blockchain solution that is able to derive digital identities that are valid for approx. 2 weeks based on a captcha puzzle that the whole network executes at the same time (those approx. every 2 weeks). Users of that network can then use that identity to log in to websites by connecting their account to a wallet.
It is still very early in development, but the identity and the sign-in is there already as of this week. This is definitely not a solution for the general population at this point, but your regulars might be interested in this over doing captcha every time they want to post/buy/etc.
Note that this involves 0 investment into its token, and the solution could be used solely based on the digital identity without having to worry about insane cryptocurrency value swings.

I'd like to reiterate again that this is super new and early, and it could really change over the next year -- or completely disappear. That said, the network has been growing 15% every 2 weeks or so, and it seems the devs are competent.

All code etc. is open source and on their GitHub. As a privacy geek, this piqued my interest.

@Jookia commented on May 7th 2020

It only works for people with eyes.

@Tirion77 commented on May 7th 2020

You are absolutely right. For now it is like that, although the developers are aware and are hoping to address this too. From their site:

  • How can people whose disabilities prevent them from completing a traditional flip validation session be validated?

  • For now, they can't. But Idena is designed as an open-source project, and we hope that there will be teams with specific expertise in this area who will be motivated to develop means for people with disabilities to get validated in the network, such as audio flips, for example.

Again, this is super early stage so research and look into at your own expense.

@Jookia commented on May 7th 2020

I don't want to be a downer but is it really worth bringing it up if it's unstable experimental technology that you can't even use now without an invite and dedicated computer with the app?

@HawkLiking commented on May 7th 2020

Interesting
I tested your flip challenge here https://flips.idena.io/?pass=idena.io but I gave up (bored) after 3 challenges, these "stories" are maybe too complicated..

@Jookia commented on May 7th 2020

Wow, I tried one of those flip challenges and got one that implied a person shot a home intruder and the intruder was dead in a body bag. :\

Edit: I later got one that straight up showed actual dead people? It had a watermark for a Russian website

@Findus23 commented on May 7th 2020 Member

We are getting a bit off-topic, but for completion's sake I again want to give an extensive feedback about this solution:

  • Wow, those were the 5 most stressful minutes I had in quite a long time. I constantly felt like I was randomly guessing between two completely random image collections. The fact that the buttons start blinking after a while makes this quite an experience.
  • This is completely inaccessible to a huge fraction of the population due to being image-only. And even those images are very small with lots of details, so even I had to guess quite often what they should show.
  • Even worse they are inaccessible to people from different cultures. So many of these "stories" depend on subtle cultural context clues that might be completely misunderstood by people not sharing the same culture as the creator.
  • What's wrong with the topics of these "stories"?!? I don't want to think about the implications of people dying or even living their life in general just to submit a comment on a website.
  • You seem to plan on allowing anyone to create "stories", which I can guess can only go wrong.
  • WTF?!?! I got 75.9% correct by applying the complex algorithm of always clicking on the "left" button. Where can I send my invoice over $5000 for developing this AI? (https://idena.io/?view=flip_challenge) Preferably in a real currency.
  • And I have not even reached the point of idena.io itself, which seems to be replacing a concept that I can explain to a time traveler who has never seen a PC before (there is a question, you type in an answer to it below) with something that even after reading for 10 minutes is only roughly understandable (what this has to do with a local client and Global universal basic income I can only guess)

So I honestly can't take this seriously as even an attempt of something that can be considered a CAPTCHA.

@ghost commented on May 25th 2020

@Findus23 -- thank you very much for this great analysis. If I find any good open source solutions that protect people's privacy (or end up creating my own Captcha) I will be sure to post it.

https://github.com/produck/svg-captcha

@supervisitor commented on June 23rd 2020

Why annoy the user? Why not keep the bot busy? Well, I have often used the principles of "negative captchas" and am much more satisfied with them than with the integration of captchas.
(read this: https://github.com/subwindow/negative-captcha)

@tsteur commented on June 23rd 2020 Member

Interesting

@Findus23 commented on June 24th 2020 Member

@supervisitor
The main issue I see with the idea of honeypots is that there are times when people act like bots. E.g. a browser extension that auto-fills forms (e.g. a password manager), a user with a screen reader who has no awareness of "this input is 2000px left of the screen and therefore not the one I should write my comment in".
Nevertheless, I think this is better than most suggestions here in this issue as there is no privacy issue, no third party involved, but there are still accessibility and usability issues.

@supervisitor commented on June 24th 2020

@Findus23
I have solved the problem of autofill by tools or password managers by using unique dull field names. This works quite well, for example: "pike_soup" or "LatschariSquare_Chief", no tool fills something like this with data. For the screen readers (no experience with) you can try "please_do_not_enter_anything"... there is a human behind it! ;o)

@supervisitor commented on June 25th 2020

... sorry, "LatschariSquare_Chief" was exactly the negative example, because sometimes a street name was entered at the field with this name. But with some test and the known like this, you can do it with a few lines of code instead of one more script and use of external resources.

@gzuidhof commented on July 16th 2020

Hey all, I hope it's ok to post my own alternative here, I created FriendlyCaptcha to fill this gap. There is a demo here. The client side code and algorithms are fully open source (MIT), the SaaS wrapper around it is not (yet). If Matomo is keen on self-hosting I'm happy to discuss that.

As far as I know it doesn't have any accessibility or inclusivity issues that any cognitive skill based captcha will have.

Happy to answer any questions about it!

@Robin-Wils commented on July 18th 2020

My device somehow always gets through that captcha. I don't even have to solve a puzzle, weird, but cool.

@gzuidhof commented on July 18th 2020

@Robin-Wils Thanks :) It is kind of the point though! Normal captchas should have a task that is easy for all humans, but difficult for machines. Those tasks probably don't really exist anymore because of improvements in machine learning, a task is either very tricky (especially for those with less than perfect vision or technical skills), or also trivial for a machine. Google started adding noise to images to try to beat ML models, but it makes the task even more tricky.. It's an arms race in which the user loses, here's an example I got yesterday:

reCAPTCHA example

Google's reCAPTCHA can be consistently solved in under a second by a machine (or you can even pay a service <$0.001 dollar to do it), FriendlyCaptcha takes a few seconds to solve on a powerful machine. The cost for an attacker is similar or higher, but real users don't get punished as much (in terms of privacy, accessibility, effort).

Maybe what the world wants is a captcha with an image labeling task that is not run by Google even though it doesn't add more guarantees that the user is actually human.. I suppose that is not that hard to add, but for now I'm trying the proof-of-work approach!

@supervisitor commented on July 19th 2020

@gzuidhof ... it looks like a little better solution than Google reCaptcha... but it is still something which is annoying the user. And it looks like you want to sell something which is annoying Matomo users... 😉
From my side you will get a 👎! I still prefer the principles of "negative captchas", it costs nothing, and annoys no one. Humans should never have to prove themselves to machines as humans! Your solution is another script with 24k, another dependence on another online service... nothing really new, but what has to be paid.

@fadelkon commented on July 19th 2020

What about the negative captcha, then? Has anyone apart from @supervisitor proven it to work while taking care of accessibility? Is there some kind of general solution documented?

Also @gzuidhof approach of a crypto puzzle has not been discussed enough I guess. I can think about carbon footprint of wasted CPU, and punishing the already punished: users of older, slower devices. Isn't the intended effect equivalent to a simple timer?

I can only see downvotes for all the other alternatives, while matomo website is still sticking to arguably the worst of them.

From the equivalent riot/element issue I found the equivalent gitlab issue. They already merged an "invisible captcha" option, that says, quoting:

The invisible captcha uses 2 ways to fight spam:

  • A honeypot (invisible input field) in the registration form: either firstname or lastname (randomly picked)
  • A time-sensitive registration, set to 4 seconds, being the idea that humans take longer than this time to fill in and submit the registration form.

However, in gitlab.com (the central instance) they are still using google recaptcha.

EDIT: I am suspicious of the accessibility issues raising from using meaningful names for hidden fields, for the case of screen readers.
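As an added example (not GitLab's, Matomo's or any commenter's code), here is a server-side check in Python for the "invisible captcha" described in the quote above: a randomly chosen honeypot field plus the 4-second minimum fill time. The key, the hidden-input names `_hp`/`_ts`/`_sig` and the honeypot candidates are assumptions; the issue time is signed so a bot cannot back-date it.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumptions for this example: a server-side key, the 4 s threshold from the
# GitLab description quoted above, and the two candidate honeypot names.
SECRET = b"example-server-key-rotate-per-deployment"
MIN_SECONDS = 4.0
HONEYPOT_FIELDS = ("firstname", "lastname")


def _sign(honeypot: str, issued: int) -> str:
    msg = f"{honeypot}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(now: Optional[float] = None) -> dict:
    """Values to render into the form as hidden inputs _hp, _ts and _sig.

    The honeypot name and the issue time are signed so a bot cannot choose
    a field the server will not check or back-date the timestamp. Render the
    honeypot input with autocomplete="off", aria-hidden="true", tabindex="-1"
    and a visually hidden label such as "leave this field empty", so password
    managers and screen reader users are not caught by it (the accessibility
    concern raised in the thread)."""
    issued = int(time.time() if now is None else now)
    honeypot = secrets.choice(HONEYPOT_FIELDS)
    return {"honeypot": honeypot, "issued": issued, "sig": _sign(honeypot, issued)}


def check_submission(form: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server-side check of a submitted form. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        honeypot = str(form["_hp"])
        issued = int(form["_ts"])
        sig = str(form["_sig"])
    except (KeyError, ValueError, TypeError):
        return False, "missing or malformed anti-spam fields"
    # Constant-time comparison on bytes; rejects forged or altered tokens.
    if not hmac.compare_digest(_sign(honeypot, issued).encode(), sig.encode()):
        return False, "bad signature"
    if honeypot not in HONEYPOT_FIELDS:
        return False, "unknown honeypot field"
    # Humans never see the honeypot, so any value in it marks an automated fill.
    if form.get(honeypot, "") != "":
        return False, f"honeypot field {honeypot!r} was filled"
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return False, f"submitted after {elapsed:.1f}s, below {MIN_SECONDS:.0f}s minimum"
    if elapsed > 24 * 3600:
        return False, "form token expired"  # bounds replay of an old signed token
    return True, "ok"
```
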

@Jookia commented on July 19th 2020

Does anyone actually have a clear definition of 'human' that can be used to create a CAPTCHA? Is that definition inclusive of all humans?

So far most of the CAPTCHAs here exclude humans that can only use assistive technology to read the web. Maybe that's because testing for machines excludes people who need machines.

@gzuidhof commented on July 19th 2020

@fadelkon You're right that the computation is useless (I would love to make it useful, but so far no proof of work has been invented with that property it seems) and that users of slower devices will have to wait longer. Two points that alleviate the problem:

  • The computation can happen in the background as soon as the user loads the page (or when the user first clicks a form element, which is the default). My intuition tells me that users on slower devices (e.g. smartphones) will take longer to fill the form anyhow so hopefully still have a high probability of the captcha already completed by the time they are done filling the form.
  • So far the worst case time spent I've seen is 15 seconds on a fairly old phone (it only uses 1 core), I expect that the energy usage of downloading the challenge (up to 2MB for recaptcha) and the user spending time to solve it might not actually be all that different in energy usage (not to mention the infrastructure to support this labeling task).

I wish a perfect captcha existed, but there seems to be inherent downsides to every solution.. I believe trading seconds of useless computation against accessibility, inclusivity and privacy issues is a good idea (but of course I'm very biased as that is literally why I created FriendlyCaptcha).
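As an added example (not FriendlyCaptcha's, Matomo's or any commenter's code), a hashcash-style proof-of-work check in Python that shows the asymmetry discussed above: the client burns seconds searching for a nonce, the server verifies with one HMAC and one hash and needs no user data. The key, the SHA-256 puzzle and the difficulty are assumptions; FriendlyCaptcha's real puzzle format differs.

```python
import hashlib
import hmac
import secrets
import struct

# Assumptions: a server-side key and a difficulty in leading zero bits.
SECRET = b"example-server-key"
DIFFICULTY_BITS = 16  # expected work ~2**16 hashes; tune for the slowest device you accept


def _sign(salt: str, difficulty: int) -> str:
    return hmac.new(SECRET, f"{salt}:{difficulty}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(difficulty: int = DIFFICULTY_BITS) -> dict:
    """Server: random salt plus signed difficulty, so the client cannot lower it."""
    salt = secrets.token_hex(16)
    return {"salt": salt, "difficulty": difficulty, "sig": _sign(salt, difficulty)}


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: dict) -> int:
    """Client: brute-force the smallest nonce whose hash has enough leading zero bits.

    Expected cost doubles with every difficulty bit; this is the user's
    'few seconds' and the reason slow devices wait longer."""
    salt = challenge["salt"].encode()
    target = challenge["difficulty"]
    nonce = 0
    while True:
        digest = hashlib.sha256(salt + struct.pack(">Q", nonce)).digest()
        if _leading_zero_bits(digest) >= target:
            return nonce
        nonce += 1


def verify(challenge: dict, nonce: int) -> bool:
    """Server: one HMAC and one hash regardless of how much work the client did.

    A real deployment also records each salt as used so a solution cannot be
    replayed, and expires challenges after a short time."""
    try:
        salt = str(challenge["salt"])
        difficulty = int(challenge["difficulty"])
        sig = str(challenge["sig"])
        packed = struct.pack(">Q", nonce)  # rejects negative or oversized nonces
    except (KeyError, ValueError, TypeError, struct.error):
        return False
    if not hmac.compare_digest(_sign(salt, difficulty).encode(), sig.encode()):
        return False  # tampered difficulty or a challenge the server never issued
    digest = hashlib.sha256(salt.encode() + packed).digest()
    return _leading_zero_bits(digest) >= difficulty
```
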

@gzuidhof commented on July 20th 2020

@gzuidhof ... it looks like a little better solution than Google reCaptcha... but it is still something which is annoying the user. And it looks like you want to sell something which is annoying Matomo users... 😉
From my side you will get a 👎! I still prefer the principles of "negative captchas", it costs nothing, and annoys no one. Humans should never have to prove themselves to machines as humans! Your solution is another script with 24k, another dependence on another online service... nothing really new, but what has to be paid.

In response to this: honeypots are a good idea but are security through obscurity that screenreaders and other assistive technologies will have a hard time with. Have you tried the demo for my offering? In my experience it costs 0 extra time when you actually fill out the form (I personally can't fill a form in less than 5 seconds)..

My solution is available as free open source software and can be self hosted so there needs not be dependence on another service if that is desired. I offer the SaaS offering to try to make it a sustainable project and to make it as easy to integrate as other 'unfriendly' captchas. I think 9KB (gzipped size for modern browsers, only to be included on pages with an actual form) is good value for what it provides..

@Jookia commented on July 20th 2020

@Guido: I tried your demo on my Galaxy S2 and I can't say it's a good experience compared to other CAPTCHAs. It opens a page that shows a form (cut off at 'Any other thoughts or comments'). Completing the form causes it to say 'FriendlyCaptcha verification failure' and says I submitted before the CAPTCHA was finished- at no point did I see a CAPTCHA or agree for it to run. So going back and manually scrolling I realize my phone's virtual keyboard was blocking the CAPTCHA and would submit, because the submit button lets you submit even if the CAPTCHA doesn't work or isn't visible.

A more fundamental issue is that the user has to wait for the CAPTCHA to solve. I used another newer phone to solve the CAPTCHA. With my phone on power saver it takes long enough that I switch over to another app since I want to use my phone to do things instead of solve CAPTCHAs. It was still solving so I just put my phone to sleep and checked it later. To its credit it did solve, but I really didn't know whether or not to press submit in case it gave me that error again.

@gzuidhof commented on July 20th 2020

@guido: I tried your demo on my Galaxy S2 and I can't say it's a good experience compared to other CAPTCHAs. It opens a page that shows a form (cut off at 'Any other thoughts or comments'). Completing the form causes it to say 'FriendlyCaptcha verification failure' and says I submitted before the CAPTCHA was finished- at no point did I see a CAPTCHA or agree for it to run. So going back and manually scrolling I realize my phone's virtual keyboard was blocking the CAPTCHA and would submit, because the submit button lets you submit even if the CAPTCHA doesn't work or isn't visible. A more fundamental issue is that the user has to wait for the CAPTCHA to solve. I used another newer phone to solve the CAPTCHA. With my phone on power saver it takes long enough that I switch over to another app since I want to use my phone to do things instead of solve CAPTCHAs. It was still solving so I just put my phone to sleep and checked it later. To its credit it did solve, but I really didn't know whether or not to press submit in case it gave me that error again.

Oh no :(, I imagine something went wrong when loading the script the first time. Thank you for the detailed report, I will definitely have to fix this. On the demo form I intentionally made submitting with an incomplete captcha possible so you can make it fail. Maybe that only adds confusion :/, that was probably a mistake.

Could you tell me which browser you have installed on your Galaxy S2? If it's more than 8 years old I don't have a fallback for those browsers. (Well, it is possible to compile with support for them, but the polyfill makes it even slower).

If it took longer than say 20-30 seconds then that definitely needs improvement on my end. It's a balancing game of puzzle difficulty vs time. >15 seconds is an awful experience, but if it is 0.1% of users with that speed who use an outdated browser and device then I suppose it is acceptable for now.
For reference, the captcha takes 4 seconds on my phone, but that phone is less than 2 years old and has an up to date browser so of course it's very different. What I will have to do is more actual device testing for older devices.

Maybe what the world needs is a captcha that is a labeling task, without tracking, with a fallback to proof-of-work for those who struggle with the task 🤔

EDIT: In conclusion, FriendlyCaptcha right now is not so friendly when it comes to old low power devices (>6 years old) with even older browsers. I am afraid that perhaps proof of work based CAPTCHAs will never work if the UX has to be good for those devices as well, maybe there should be a fallback for those users with a labeling challenge.

@Jookia commented on July 20th 2020

In all honesty I'd be okay with this system. I gave it as an example to my blind friend and she didn't mind it, though she didn't know it was happening in the first place which isn't great.

I like the idea of it but since it doesn't do what CAPTCHAs do I'm not sure if this would even solve the problem outside clientside throttling?

@supervisitor commented on July 20th 2020

@gzuidhof I really don't want to talk bad about your solution, because after all I think it's a better solution than Google's. But... first I fill out all the fields and then I have to click "Press to Start" and wait until it is ready... not really optimal...
This was not a "paranoid"-configured browser... this I see with the browser of the office notebook from my girlfriend's company?!

[Screenshot attached: Screen-Shot-2020-07-20-at-17 41]

@gzuidhof commented on July 20th 2020

@gzuidhof I really don't want to talk bad about your solution, because after all I think it's a better solution than Google's. But... first I fill out all the fields and then I have to click "Press to Start" and wait until it is ready... not really optimal...
This was not a "paranoid"-configured browser... this I see with the browser of the office notebook from my girlfriend's company?!

Thank you for letting me know, the captcha listens to a vanilla focusin event on the parent form (see these few lines of code), it looks like Safari is misbehaving and not firing that correctly, I'll have to find a workaround. The button is there as a fallback for these kinds of issues.

I appreciate the bug report here and it's good to be aware of limitations and bugs when considering which captcha to switch to, but I suppose we need to be careful not to take over this discussion. I will create an issue in the respective repo to track this issue.

@hawkoon commented on July 20th 2020

Hey all, I hope it's ok to post my own alternative here, I created FriendlyCaptcha to fill this gap. There is a demo here. The client side code and algorithms are fully open source (MIT), the SaaS wrapper around it is not (yet). If Matomo is keen on self-hosting I'm happy to discuss that.

As far as I know it doesn't have any accessibility or inclusivity issues that any cognitive skill based captcha will have.

Happy to answer any questions about it!

Hi there. I have nothing to do with Matomo or anything, but I am always looking for better captcha solutions. Appreciate you coding this and I'll be researching it more. A downside to proof of work solutions like these is that people who have javascript disabled are left out, but it's still a good solution I think.

@gzuidhof commented on July 21st 2020

Hi there. I have nothing to do with Matomo or anything, but I am always looking for better captcha solutions. Appreciate you coding this and I'll be researching it more. A downside to proof of work solutions like these is that people who have javascript disabled are left out, but it's still a good solution I think.

You're right that you need JS enabled, what I tend to do is add something like:
<noscript> You need Javascript enabled to perform the anti-spam verification to submit this form</noscript>

With an open source captcha you can put the JS in your own bundle so at least those who block third party scripts won't run into this issue.

Unrelated update: I've changed the default difficulty parameters of FriendlyCaptcha making it around 60% easier to alleviate the time it takes on older devices to get it under the 20s upper bound. Thank you all for the contributions :)

@Findus23 commented on July 22nd 2020 Member

Hi,
I know this is getting quite off-topic here, but apparently this now seems to be the place for people to talk about Captcha-ideas.
As long as people find alternatives to recaptcha this way, I won't complain.

@gzuidhof I like the idea of Friendly Captcha. Of course, it has some issues (the largest being that it does not actually detect bots, so I would not call it a CAPTCHA for the lack of the CHA part), but this also means that it doesn't have the huge privacy and accessibility issues most solutions proposed here would have.
What would stop me personally from using it on a website (but I am probably not speaking for a lot of people) is the dependency on a non-free third-party server. So for me to use this, the server-side part would need to be FOSS and self-hostable, but I might be a minority there.

@atjn commented on September 4th 2020

My organisation is also having a hard time finding alternatives to Google ReCaptcha. We are currently looking at Antispam Bee, which is a solution that runs entirely locally in Wordpress.

Unfortunately, the plugin has very limited compatibility with third-party forms, but we are getting desperate enough that we will probably build our own version that works specifically with our forms solution.

There is work underway to make Antispam Bee more compatible, but progress is really slow.
