Task #2141

Replacing reCAPTCHA

Added by Krasnaya Ploshchad’ almost 5 years ago. Updated over 1 year ago.

Status: New
Priority: Low
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 100%
Tags:
URL:

Description

Ask LibreOffice is currently using reCAPTCHA for CAPTCHA, but this service, as well as many other Google services, has been banned by the PRC for a long time, making this site not useful for their people. To avoid that, Ask LibreOffice should replace it with free and open source replacements.


Related issues

Related to Infrastructure - Task #2519: Disable google service on ask.libreoffice.org for zh-cn (Closed)

#1

Updated by Florian Effenberger almost 5 years ago

> Ask LibreOffice is currently using reCAPTCHA for CAPTCHA, but this service,
> as well as many other Google services, has been banned by the PRC for a long
> time, making this site not useful for their people. To avoid that, Ask
> LibreOffice should replace it with free and open source replacements.

Do you know of a working alternative and have some hands-on experience
you can share with us? That'd be great! :-)

#2

Updated by Krasnaya Ploshchad’ over 4 years ago

Florian Effenberger wrote:

> > Ask LibreOffice is currently using reCAPTCHA for CAPTCHA, but this service,
> > as well as many other Google services, has been banned by the PRC for a long
> > time, making this site not useful for their people. To avoid that, Ask
> > LibreOffice should replace it with free and open source replacements.
>
> Do you know of a working alternative and have some hands-on experience
> you can share with us? That'd be great! :-)

I have found some alternates that can provide captcha without relying on Google’s online service; all of them are FOS:
https://github.com/mewebstudio/captcha
https://github.com/dchest/captcha
https://github.com/Gregwar/captcha
http://dice-captcha.com/
http://jcaptcha.sourceforge.net/
http://www.phpcaptcha.org/
http://www.sweetcaptcha.com/

Alternatively, we can also get source from Google to build our own captcha:
https://github.com/google/recaptcha/releases

#3

Updated by Florian Effenberger over 4 years ago

> I have found some alternates that can provide captcha without relying on
> Google’s online service; all of them are FOS:
> https://github.com/mewebstudio/captcha
> https://github.com/dchest/captcha
> https://github.com/Gregwar/captcha

Do you have experiences wrt. their detection rate? A properly working
captcha is quite important given the amount of spam we regularly see, so
if we have insight into their detection rate, that would avoid parts of
own tests. ;-)

> Alternatively, we can also get source from Google to build our own captcha:
> https://github.com/google/recaptcha/releases

Would this be working in China, or is this blocked as well?

#4

Updated by Krasnaya Ploshchad’ over 4 years ago

Florian Effenberger wrote:

> > I have found some alternates that can provide captcha without relying on
> > Google’s online service; all of them are FOS:
> > https://github.com/mewebstudio/captcha
> > https://github.com/dchest/captcha
> > https://github.com/Gregwar/captcha
>
> Do you have experiences wrt. their detection rate? A properly working
> captcha is quite important given the amount of spam we regularly see, so
> if we have insight into their detection rate, that would avoid parts of
> own tests. ;-)

Then I’m out of ideas.

> > Alternatively, we can also get source from Google to build our own captcha:
> > https://github.com/google/recaptcha/releases
>
> Would this be working in China, or is this blocked as well?

If you create your own captcha based on this, but do not send any request to Google, it would work and not be disturbed by the GFW.

#5

Updated by Florian Effenberger over 4 years ago

  • Subject changed from Replacing reCAPTCHA on Ask LibreOffice to Replacing reCAPTCHA with self-hosted version
  • Assignee set to Guilhem Moulin
  • Target version set to Qlater

I'll assign this to Guilhem
However, not sure when we will find time for this - if a volunteer wants to look into it before, happy of course to give them access to our testing site :-)

#6

Updated by Krasnaya Ploshchad’ over 4 years ago

Florian Effenberger wrote:

> I'll assign this to Guilhem
> However, not sure when we will find time for this - if a volunteer wants to look into it before, happy of course to give them access to our testing site :-)

Thank you, I hope you can avoid the GFW soon.

#7

Updated by Krasnaya Ploshchad’ over 4 years ago

The LO Extensions and Templates website should do it too for the registration form.

#8

Updated by Florian Effenberger about 4 years ago

Guilhem, I wonder whether that is some EasyHack and/or volunteer task to look into, or is it so trivial that it needs no investigating, but merely doing? (which then is limited to the admin group of course due to access requirements)

#9

Updated by Florian Effenberger about 4 years ago

Florian Effenberger wrote:

> Guilhem, I wonder whether that is some EasyHack and/or volunteer task to look into, or is it so trivial that it needs no investigating, but merely doing? (which then is limited to the admin group of course due to access requirements)

Something for the next infra call?

#10

Updated by Guilhem Moulin about 4 years ago

  • Priority changed from Normal to Low

We're currently using reCAPTCHA v2 as plugins to MediaWiki, Askbot, Plone (https://extensions.libreoffice.org) and Silverstripe (https://libreoffice.org); switching to another captcha solution requires that we find and configure a working plugin, or possibly develop our own if there is no such plugin.

The WebSSO system uses a self-hosted captcha solution, and once we change the auth method of the above services their frontend for account creation will disappear. I'm thus lowering the priority per the Nov. 21 infra call. If there is a working plugin which can replace reCAPTCHA in Askbot I can offer to deploy it, otherwise I'd rather spend my time on the SSO migration than attempting to glue the various bits together :-P

#11

Updated by Krasnaya Ploshchad’ almost 4 years ago

Still relying on a Google server while answering, so I have to seek a way to fanqiang for this. :-(

#12

Updated by Florian Effenberger almost 4 years ago

  • Related to Task #2519: Disable google service on ask.libreoffice.org for zh-cn added

#13

Updated by Florian Effenberger over 3 years ago

  • Priority changed from Low to Normal
  • Target version changed from Qlater to Q2/2018

Let me try to prioritize that higher, it seems to be causing issues for many
Let's talk about this in a next team or infra call

#14

Updated by Florian Effenberger over 3 years ago

Got hinted at http://www.karlgroves.com/2012/04/03/captcha-less-security/ which might provide further insight

#15

Updated by Krasnaya Ploshchad’ over 3 years ago

Looks sad that reCAPTCHA has security holes.

#16

Updated by Krasnaya Ploshchad’ almost 3 years ago

  • Priority changed from Normal to Low
  • % Done changed from 0 to 100

#17

Updated by Florian Effenberger over 2 years ago

We had some discussion on this topic, but I don't recall the exact outcome. IMHO not all services support self-hosted ReCaptcha, and/or it was not as effective.
What are our options, what do other projects do in this regard?
Does it make sense to have something self-hosted for a set of services/IPs only?

#18

Updated by Florian Effenberger over 2 years ago

  • Target version changed from Q2/2018 to Qlater

We discussed this recently in the team call, but there seems no real effective ReCaptcha alternative around
We should revisit the need for the ReCaptcha in the various sites (i.e. is there a concrete need to handle antispam that way), and disable where it's not required

Anyone has insight what other FLOSS projects do for ReCaptcha?

#19

Updated by Krasnaya Ploshchad’ over 2 years ago

If there are no good alternates to reCAPTCHA, and Google’s releases don’t work well on our server, we can close this task in favor of task #2774.

#20

Updated by Krasnaya Ploshchad’ over 1 year ago

  • Subject changed from Replacing reCAPTCHA with self-hosted version to Replacing reCAPTCHA

Is there any site still relying on reCAPTCHA? I discovered a good replacement for that, and it isn't banned by the Chinese Communist authorities.
https://www.hcaptcha.com/

#21

Updated by Florian Effenberger over 1 year ago

  • Assignee deleted (Guilhem Moulin)
  • Target version deleted (Qlater)

Most services moved to SSO, so not relevant for these anymore
Relevant only for AskBot, which likely will be replaced in the near future as well
New extension site temporarily using it, will soon allow authenticated users to bypass
