
Add support for additional captcha implementation

Open nijel opened this issue 8 years ago • 5 comments

The current captcha is quite simple and prevents random bots from filling in the registration page, but it does not provide a defense against a targeted attack.

Therefore it might be a good idea to have an option to choose the captcha implementation and to provide stronger protection.

Probably we could allow plugging in existing captcha implementations for Django.

nijel avatar Apr 28 '17 16:04 nijel

The current captcha implementation is also not accessible for visually impaired users.

pafcu avatar Nov 08 '17 10:11 pafcu

True, that's a valid point as well.

nijel avatar Nov 08 '17 11:11 nijel

This issue has been added to backlog. It is not scheduled on our road map, but it might be eventually implemented. In case you desperately need this feature, please consider helping or funding the development.

github-actions[bot] avatar Dec 05 '19 10:12 github-actions[bot]

I just learned about https://www.hcaptcha.com/ which claims to be privacy friendlier than reCAPTCHA, see for example https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/

nijel avatar Apr 10 '20 08:04 nijel

https://altcha.org/ might be a viable privacy respecting approach.

nijel avatar Oct 17 '24 06:10 nijel

Okay, I've almost completed the implementation of Altcha in https://github.com/WeblateOrg/weblate/pull/12995. But once I started working on tests, I realized that this is really a poor implementation of captcha:

  • The Python implementation uses os.random instead of using the secrets module.
  • Generally the code quality is poor (for example, verify_solution sometimes returns a tuple with two elements and sometimes with three, at the same time it doesn't give detailed reasoning for several error states).

PS: Those issues are not difficult to address, but I was surprised that a library aimed at securing something has so many issues.

nijel avatar Nov 12 '24 07:11 nijel

In the end, I think we need to clarify what kind of captcha we want:

  • Local only captcha requiring user interaction. This has zero privacy impact but is always limited in terms of catching the bots.
  • Local PoW captcha, which doesn't require user interaction, but might take too long to solve on slower devices.
  • Third-party captcha service. This has a privacy impact and can take additional aspects into account to prove there is a human (fingerprinting, problematic IP address ranges, ...).

nijel avatar Nov 12 '24 08:11 nijel

Down the rabbit hole there seem to be no great solutions. PoW seems to be the solution chosen by Codeberg in https://codeberg.org/Codeberg/Community/issues/479 (even though it takes them years to implement). I've decided to give PoW a try and include it in addition to the existing math captcha in https://github.com/WeblateOrg/weblate/pull/12995. Still, I'm not convinced that altcha is the best solution, but unlike mCaptcha it doesn't require an external service.

nijel avatar Nov 12 '24 09:11 nijel

Thank you for your report; the issue you have reported has just been fixed.

  • In case you see a problem with the fix, please comment on this issue.
  • In case you see a similar problem, please open a separate issue.
  • If you are happy with the outcome, don’t hesitate to support Weblate by making a donation.

github-actions[bot] avatar Nov 19 '24 13:11 github-actions[bot]