[RFC] stop distributing worthless CAPTCHAS in 3.1

/a3
Registered User
Posts: 97
Joined: Mon Sep 20, 2010 6:44 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by /a3 » Thu Nov 22, 2012 3:03 am

keith10456 wrote: Just thought I would share this link... It's a different way of defeating bots (using games):

http://areyouahuman.com

A few issues:
  • JavaScript sources aren't GPL. Nobody can modify/distribute them, except for the authors. As per the phpBB.com homepage, phpBB is "the #1 free, open source bulletin board software".
  • phpBB 3.0 currently supports users without JavaScript. Even reCAPTCHA supports non-JS users.
  • I haven't seen how their CAPTCHA works, but it might be worth considering that servers can also execute JavaScript (good example is node.js which uses V8).
On the subject:
stop distributing worthless CAPTCHAS in 3.1
+1 :)
$ git commit -m "YOLO"

DionDesigns
Registered User
Posts: 51
Joined: Sat Apr 21, 2012 4:29 am
Location: Uncertain due to momentum

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by DionDesigns » Thu Nov 22, 2012 8:37 pm

keith10456 wrote: Just thought I would share this link... It's a different way of defeating bots (using games):

http://areyouahuman.com

If one's site is in the United States, use of this CAPTCHA requires a fallback registration option (Admin-approval, COPPA-style, whatever). Such a CAPTCHA cannot be completed by people with many types of physical disabilities, which is a violation of ADA (Americans with Disabilities Act) if there are no other options for registration.

callumacrae
Infrastructure Team
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by callumacrae » Thu Nov 22, 2012 9:17 pm

DionDesigns wrote:
keith10456 wrote: Just thought I would share this link... It's a different way of defeating bots (using games):

http://areyouahuman.com

If one's site is in the United States, use of this CAPTCHA requires a fallback registration option (Admin-approval, COPPA-style, whatever). Such a CAPTCHA cannot be completed by people with many types of physical disabilities, which is a violation of ADA (Americans with Disabilities Act) if there are no other options for registration.

wat
Made by developers, for developers!
My blog

RMcGirr83
Registered User
Posts: 357
Joined: Fri Mar 09, 2007 1:51 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by RMcGirr83 » Fri Nov 23, 2012 1:15 am

DionDesigns wrote: Such a CAPTCHA cannot be completed by people with many types of physical disabilities, which is a violation of ADA (Americans with Disabilities Act) if there are no other options for registration.

The ADA has no such authority as currently written. It encompasses employment, public entities, public accommodations and commercial facilities. It has absolutely nothing to do with CAPTCHAs/registrations. The US DOJ can ask for one if a complaint is filed but that's it. The company can choose to or not to comply with the request.
Do not hire Christian Bullock he won't finish the job and will keep your money

DionDesigns
Registered User
Posts: 51
Joined: Sat Apr 21, 2012 4:29 am
Location: Uncertain due to momentum

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by DionDesigns » Fri Nov 23, 2012 2:04 am

Are you familiar with the online reservation service called OpenTable? Six years ago, they were sued on ADA grounds because a disabled individual was not able to register. It was settled out of court, and their registration page was completely rewritten. Was it a frivolous suit? Don't know, don't care. It's also very possible that the "ADA militants" who actively looked for violations are no longer as active as they once were. But you know, I (and I suspect most people) don't want to deal with a lawsuit, however frivolous and/or unlikely it may be.

Getting back on topic. Clearly people can do whatever they want, but if they are considering the use of an animated CAPTCHA, they should also consider offering an alternative method of registration.

Ger
Registered User
Posts: 270
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Ger » Fri Nov 23, 2012 7:53 am

DionDesigns wrote: If one's site is in the United States, use of this CAPTCHA requires a fallback registration option (Admin-approval, COPPA-style, whatever). Such a CAPTCHA cannot be completed by people with many types of physical disabilities, which is a violation of ADA (Americans with Disabilities Act) if there are no other options for registration.

That's where [RFC] Contact Page comes in.
Above message may contain errors in grammar, spelling or wrongly chosen words. This is because I'm not a native speaker. My apologies in advance.

callumacrae
Infrastructure Team
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by callumacrae » Fri Nov 23, 2012 9:04 am

DionDesigns wrote: Getting back on topic. Clearly people can do whatever they want, but if they are considering the use of an animated CAPTCHA, they should also consider offering an alternative method of registration.

That defeats the point in the animated CAPTCHA, as bots will just use the fallback…
Made by developers, for developers!
My blog

RMcGirr83
Registered User
Posts: 357
Joined: Fri Mar 09, 2007 1:51 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by RMcGirr83 » Fri Nov 23, 2012 11:47 am

DionDesigns wrote: Are you familiar with the online reservation service called OpenTable? Six years ago, they were sued on ADA grounds because a disabled individual was not able to register. It was settled out of court, and their registration page was completely rewritten. Was it a frivolous suit? Don't know, don't care. It's also very possible that the "ADA militants" who actively looked for violations are no longer as active as they once were. But you know, I (and I suspect most people) don't want to deal with a lawsuit, however frivolous and/or unlikely it may be.

No, I was not aware of it. My post was to simply state that currently, as the law stands, Title III has not been amended for websites. Saying that, of course a company is going to revamp their registration process in lieu of a lawsuit as the former is much cheaper than the latter. I am willing to bet that the "settlement" was nothing more than OpenTable stating they would change the registration part of their site and probably pay for the lawyer fees that were incurred to bring action.

https://www.federalregister.gov/article ... s-of-state

That's where [RFC] Contact Page comes in.

I don't believe that would satisfy the requirements of the law, but not being a lawyer and there being nothing in the law about web accessibility as it pertains to commercial endeavors, not completely sure.
Do not hire Christian Bullock he won't finish the job and will keep your money

Ger
Registered User
Posts: 270
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Ger » Fri Nov 23, 2012 12:16 pm

Well, I'd say that you can simply put in something like:
Trouble registering? contact us for assistance.
Above message may contain errors in grammar, spelling or wrongly chosen words. This is because I'm not a native speaker. My apologies in advance.

ecwpa
Registered User
Posts: 181
Joined: Mon Jan 24, 2005 2:10 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by ecwpa » Fri Nov 23, 2012 11:38 pm

I agree with stevemaury's original point. From the moment a CAPTCHA gets figured out by bots, it's over. Q&A are never over because they're never the same. If you ship phpBB with any of those, then bots can focus on a few single targets; Q&A (without defaults) doesn't allow this.

In a small forum I run we used to have 20+ spambots registering daily no matter what method we used until we switched to Q&A, since then it's been years since I saw a spambot which was a few days ago. My question was "what's the surname of the president of x country", I thought it was something bots could figure out but they didn't until now. My current question is "what's the nickname of x athlete", I think we'll be safe with that one for a while.

So, Q&A without defaults is the way to go.
Slightly better English than it was in 2005, still improving :D
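
The "Q&A without defaults" idea from the post above, as an added example (not code from this thread or from phpBB): a stand-alone PHP check that refuses to run with no admin-written question or with a bundled sample still in place. The function names, the sample question and the "shipped" list are hypothetical.

```php
<?php
declare(strict_types=1);
// Stand-alone sketch with hypothetical names; it does not use phpBB's own classes.

/** Trim, collapse whitespace and lower-case so "  Smith " matches "smith". */
function qa_normalize(string $s): string
{
    return mb_strtolower(preg_replace('/\s+/u', ' ', trim($s)) ?? '', 'UTF-8');
}

/** Refuse to enable the check unless the admin supplied their own questions. */
function qa_validate_config(array $questions, array $shipped): void
{
    if ($questions === []) {
        throw new RuntimeException('No questions defined; not falling back to a default.');
    }
    $shippedNorm = array_map('qa_normalize', $shipped);
    foreach ($questions as $q) {
        if (in_array(qa_normalize($q['question']), $shippedNorm, true)) {
            throw new RuntimeException('Bundled sample question still in use.');
        }
        if (empty($q['answers'])) {
            throw new RuntimeException('Question has no accepted answers.');
        }
    }
}

/** Pick a question index; the caller keeps it server-side in the session. */
function qa_pick(array $questions): int
{
    return random_int(0, count($questions) - 1);
}

/** Check the submitted answer against every accepted answer in constant time. */
function qa_check(array $questions, int $id, string $submitted): bool
{
    $given = qa_normalize($submitted);
    $ok = false;
    foreach ($questions[$id]['answers'] ?? [] as $accepted) {
        $ok = hash_equals(qa_normalize($accepted), $given) || $ok;
    }
    return $ok;
}

// Constructed sample data: placeholder question in the style of the post.
$questions = [['question' => "What's the nickname of x athlete?", 'answers' => ['Example Nickname']]];
qa_validate_config($questions, ['What is 2 + 2?']); // second argument: constructed "shipped" list
$id = qa_pick($questions);
var_dump(qa_check($questions, $id, '  example   NICKNAME '), qa_check($questions, $id, 'wrong'));
```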
