[RFC] stop distributing worthless CAPTCHAS in 3.1

Note: We are moving the topics of this forum and it will be deleted at some point

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
Post Reply
stevemaury
Support Team
Support Team
Posts: 40
Joined: Sat Aug 30, 2008 12:44 am

[RFC] stop distributing worthless CAPTCHAS in 3.1

Post by stevemaury » Fri Nov 09, 2012 1:19 pm

It is beyond argument that all the Spambot countermeasures currently included in 3.0.x, and apparently intended to be continued in 3.1, are worthless except for Q&A. Why do we want to keep including these broken CAPTCHAS and thus give users a false sense of security while they are innundated with spam? And then explain to the user why the "Spambot countermeasure" we provided, isn't.

User avatar
tmbackoff
Registered User
Posts: 180
Joined: Sat Jun 12, 2010 3:25 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by tmbackoff » Fri Nov 09, 2012 3:43 pm

Related: https://area51.phpbb.com/phpBB/viewtopi ... 08&t=42745

I agree - the amount of people installnig phpBB3, leaving the default CAPTCHA in place, and then complaining about spam is too high to ingore this problem.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by DavidIQ » Fri Nov 09, 2012 3:59 pm

I'm sure we spoke about this before. One of the problems with making Q&A the default is that when installing phpBB you'd then have to include as part of the installation wizard a step to set the question and answer. I mean it's not really a "problem" per say but it is something that needs to be thought about and handled appropriately. Also I don't think we should do away completely with the current CAPTCHAS. They are still useful for some things.
Image

User avatar
Jacob
Registered User
Posts: 100
Joined: Wed Jan 04, 2012 1:41 pm

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Jacob » Fri Nov 09, 2012 6:04 pm

In my opinion, the question is how many spambots get through this worthless captchas.
If you get 10 spambots a day and the captchas stop 2 a day, then I would get rid of them, because in that case the false sense of security provided would prevent people from implementing a real and effective spambot countermeasure.

If Q&A is the best, a new installation step with a skip button would be the way to go for me.

stevemaury
Support Team
Support Team
Posts: 40
Joined: Sat Aug 30, 2008 12:44 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by stevemaury » Fri Nov 09, 2012 9:37 pm

Q&A doesn't have to be the default. Make nothing the default and tell users after installation there is no captcha and recommend q& a. Like we do with removing /install.

User avatar
imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by imkingdavid » Fri Nov 09, 2012 10:16 pm

stevemaury wrote:Q&A doesn't have to be the default. Make nothing the default and tell users after installation there is no captcha and recommend q& a. Like we do with removing /install.
That, except unlike the /install message, make it temporary.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

User avatar
tmbackoff
Registered User
Posts: 180
Joined: Sat Jun 12, 2010 3:25 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by tmbackoff » Sat Nov 10, 2012 1:11 am

DavidIQ wrote:One of the problems with making Q&A the default is that when installing phpBB you'd then have to include as part of the installation wizard a step to set the question and answer.
That's not a good argument in my opinion. If we are already telling users to setup Q&A in the support forums (and we are), why not make it a step so that they don't have to worry about it once the installation process is complete? Hell, you can even make a "skip" button for those who are not worried about completing that step.

User avatar
Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA
Contact:

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Pony99CA » Sat Nov 10, 2012 2:55 am

I agree with Tabitha and Steve. However, I'm not sure why this topic exists -- I suggested removing useless CAPTCHAs in the topic that Tabitha linked to (and Steve had posted in, too ;)).

I even proposed a scheme to generate default questions and answers so that no extra user step was required at installation.

Maybe we should merge these topics.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by DavidIQ » Sat Nov 10, 2012 10:41 am

t_backoff wrote:
DavidIQ wrote:One of the problems with making Q&A the default is that when installing phpBB you'd then have to include as part of the installation wizard a step to set the question and answer.
That's not a good argument in my opinion. If we are already telling users to setup Q&A in the support forums (and we are), why not make it a step so that they don't have to worry about it once the installation process is complete? Hell, you can even make a "skip" button for those who are not worried about completing that step.
As I said, it's not a "problem" necessarily it just needs proper handling during installation. But if we don't force the user to set up a CAPTCHA then we're going to have a bigger support problem :P Is it worse to have these "useless" CAPTCHAS than have no CAPTCHA at all? ;)
Image

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by DavidIQ » Sat Nov 10, 2012 10:47 am

Pony99CA wrote:I agree with Tabitha and Steve. However, I'm not sure why this topic exists -- I suggested removing useless CAPTCHAs in the topic that Tabitha linked to (and Steve had posted in, too ;)).

I even proposed a scheme to generate default questions and answers so that no extra user step was required at installation.

Maybe we should merge these topics.

Steve
And as was mentioned there and I'll repeat here, assigning default Q&A answers from a set of questions and answers is going to be very easily breakable, more so than the current CAPTCHA that comes on by default. No matter how random you select the question/answer pair the list would still be available to SPAM bot developers at which point it would be a matter of adding them to their bots. At least with an image CAPTCHA the bots have to actually do some work to solve. In your proposal we're just giving them the answers.

I'll let the dev team decide if this should be merged to that other topic or not.
Image

Post Reply