Michael

PSA: It looks like mastodon.social has implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

https://github.com/mastodon/mastodon/pull/25019

The reason I'm suggesting this, is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitig... show more

Add optional hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon

Add optional hCaptcha support based on glitch-soc#1665 and glitch-soc#1667, largely rewriting prior work at glitch-soc#1323 Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_...

^GitHub

This entry was edited (1 year ago)

modulux

1 year ago •

The accessibility of hCaptcha is very, very bad, requiring registration, a permanent cookie, and lowering browser security settings. This is an awful solution. Yes, I understand it's necessary to combat spam; but please don't do this at the expense of disabled users.

Erion

1 year ago •

Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).

#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.

There are much better alternatives, such as the no-hassle https://github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.

HCaptcha is NOT the future. #accessibility #a11y

GitHub - mCaptcha/mCaptcha: A no-nonsense CAPTCHA system with seamless UX | Backend component

A no-nonsense CAPTCHA system with seamless UX | Backend component - GitHub - mCaptcha/mCaptcha: A no-nonsense CAPTCHA system with seamless UX | Backend component

^GitHub

#Accessibility #A11y #blind #captcha #hcaptcha

grin

1 year ago •

what you describe opposes to what I experienced.
(And your second paragraph incidentally is not related to your first paragraph at all.)

Erion

1 year ago •

Experiences may vary. Please do share.

Relations are tricky aren't they? Someone sees a perfect relationship, while someone else can't imagine how the two things are related.

grin

1 year ago •

I agree with the impaired vision comment but hcaptcha does not require email nor disabling protection for me. Maybe they simply love me so I'm the someoone cannot imagine they do the things you described. 😉

Erion

1 year ago •

That's because you can solve their image challenges. If you are blind or visually impaired, the only way to bipass it is to either register your email address, after which they give you an extra cookie to bipass the captcha when you check the checkbox, or companies need to ask HCaptcha to allow text versions and even then there is no guarantee that it will pop up as an alternate challenge (see my problems with Discord).

If you go with number one, you need to disable cross-origin restrictions, essentially making your browser less secure. You are not only giving out your email address, you need to store an extra cookie over and over again, because it expires. You are also limited to solving a number of captchas daily. Needless to say, there are so many things that are just horribly wrong with either of these approaches.

grin

1 year ago •

You have been missing both points. It's fine.

Erion

1 year ago •

You are right, I did not specifically point out that this is only true if you are blind or visually impaired. But it follows from the fact that I recommend not using HCaptcha if you care about the blind and visually impaired, because of point a and point b. Sorry about the confusion.

grin

1 year ago •

Thanks for the clarification. Then I agree on both points. IIRC reCapctha (of Google) is blind-friendly?

The Tardis🤞

1 year ago •

It's not only blind and visually impaired, though, what about blind deaf people? Them too. Or all the captcha companies who actually forget about the existence of those folks. I see only audios audios audios. Okay, they help us, the blind, but about those who're blind deaf, or blind and hard of hearing? That's not going to help them. Very little captchas actually have text options.

Erion

1 year ago •

Of course. Text captchas are likely the most accommodating, if you don't count people who might find answering text challenges difficult. This is why I prefer captchas that need no, or very little interaction at all. Mcaptcha is one of these, which is why I recommended it.

grin

1 year ago •

I tried to register the other day on a web forum and they required me to move attributes of a shark to the right and others to the left. I have failed three times and were firewalled.
Turns out English call the rear fin of the shark as "tail". 🤷

⇧

Michael 1 year ago •

Michael
1 year ago •