Project

General

Profile

Task #2141

Replacing reCAPTCHA with self-hosted version

Added by Krasnaya Ploshchad’ over 1 year ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Category:
-
Target version:
Team - Q2/2018
Start date:
Due date:
% Done:

0%

Estimated time:
Tags:
URL:

Description

Ask LibreOffice currently using reCAPTCHA for CAPTCHA, but this service as well as many other Google services have been banned by PRC for a long time, making this site not useful for their people, to avoid that, Ask LibreOffice should replacing it by free and open source replacements.


Related issues

Related to Infrastructure - Task #2519: Disable google service on ask.libreoffice.org for zh-cnNew

History

#1 Updated by Florian Effenberger over 1 year ago

Ask LibreOffice currently using reCAPTCHA for CAPTCHA, but this service
as well as many other Google services have been banned by PRC for a long
time, making this site not useful for their people, to avoid that, Ask
LibreOffice should replacing it by free and open source replacements.

Do you know of a working alternative and have some hands-on experience
you can share with us? That'd be great! :-)

#2 Updated by Krasnaya Ploshchad’ 10 months ago

Florian Effenberger wrote:

Ask LibreOffice currently using reCAPTCHA for CAPTCHA, but this service
as well as many other Google services have been banned by PRC for a long
time, making this site not useful for their people, to avoid that, Ask
LibreOffice should replacing it by free and open source replacements.

Do you know of a working alternative and have some hands-on experience
you can share with us? That'd be great! :-)

I have found some alternates can provide captcha without relying on Google’s online service, all of them are FOS:
https://github.com/mewebstudio/captcha
https://github.com/dchest/captcha
https://github.com/Gregwar/captcha
http://dice-captcha.com/
http://jcaptcha.sourceforge.net/
http://www.phpcaptcha.org/
http://www.sweetcaptcha.com/

Alternatively, we can also get source from Google to build our own captcha:
https://github.com/google/recaptcha/releases

#3 Updated by Florian Effenberger 10 months ago

I have found some alternates can provide captcha without relying on
Google’s online service, all of them are FOS:
https://github.com/mewebstudio/captcha
https://github.com/dchest/captcha
https://github.com/Gregwar/captcha

Do you have experiences wrt. their detection rate? A properly working
captcha is quite important given the amount of spam we regularly see, so
if we have insight into their detection rate, that would avoid parts of
own tests. ;-)

Alternatively, we can also get source from Google to build our own captcha:
https://github.com/google/recaptcha/releases

Would this be working in China, or is this blocked as well?

#4 Updated by Krasnaya Ploshchad’ 10 months ago

Florian Effenberger wrote:

I have found some alternates can provide captcha without relying on
Google’s online service, all of them are FOS:
https://github.com/mewebstudio/captcha
https://github.com/dchest/captcha
https://github.com/Gregwar/captcha

Do you have experiences wrt. their detection rate? A properly working
captcha is quite important given the amount of spam we regularly see, so
if we have insight into their detection rate, that would avoid parts of
own tests. ;-)

Then I’m out of idea.

Alternatively, we can also get source from Google to build our own captcha:
https://github.com/google/recaptcha/releases

Would this be working in China, or is this blocked as well?

If you create your own captcha based on this, but not send any request to Google, it would be work and not being disturbed by GFW.

#5 Updated by Florian Effenberger 10 months ago

  • Subject changed from Replacing reCAPTCHA on Ask LibreOffice to Replacing reCAPTCHA with self-hosted version
  • Assignee set to Guilhem Moulin
  • Target version set to Qlater

I'll assign this to Guilhem
However, not sure when we will find time for this - if a volunteer wants to look into it before, happy of course to give them access to our testing site :-)

#6 Updated by Krasnaya Ploshchad’ 10 months ago

Florian Effenberger wrote:

I'll assign this to Guilhem
However, not sure when we will find time for this - if a volunteer wants to look into it before, happy of course to give them access to our testing site :-)

Thank you, I hope you can avoiding GFW soon.

#7 Updated by Krasnaya Ploshchad’ 10 months ago

LO Extensions and Templates website should do it too for Registration form.

#8 Updated by Florian Effenberger 9 months ago

Guilhem, I wonder whether that is some EasyHack and/or volunteer task to look into, or is it so trivial that it needs no investigating, but merely doing? (which then is limited to the admin group of course due to access requirements)

#9 Updated by Florian Effenberger 8 months ago

Florian Effenberger wrote:

Guilhem, I wonder whether that is some EasyHack and/or volunteer task to look into, or is it so trivial that it needs no investigating, but merely doing? (which then is limited to the admin group of course due to access requirements)

Something for the next infra call?

#10 Updated by Guilhem Moulin 7 months ago

  • Priority changed from Normal to Low

We're currently using reCAPTCHA v2 as plugins to MediaWiki, Askbot, Plone (https://extensions.libreoffice.org) and Silverstripe (https://libreoffice.org); switching to another captcha solution requires that we find and configure a working plugin, or possibly develop our own if there is no such plugin.

The WebSSO system uses a self-hosted captcha solution, and once we change the auth method of the above services their frontend for account creation will disappear. I'm thus lowering the priority per the Nov. 21 infra call. If there is a working plugin which can replace reCAPTCHA in Askbot I can offer to deploy it, otherwise I'd rather spend my time on the SSO migration than attempting to glue the various bits together :-P

#11 Updated by Krasnaya Ploshchad’ 6 months ago

Still relying on Google server while answering, so I've to seek the way to fanqiang for this. :-(

#12 Updated by Florian Effenberger 4 months ago

  • Related to Task #2519: Disable google service on ask.libreoffice.org for zh-cn added

#13 Updated by Florian Effenberger 3 months ago

  • Priority changed from Low to Normal
  • Target version changed from Qlater to Q2/2018

Let me try to prioritize that higher, it seems to be causing issues for many
Let's talk about this in a next team or infra call

#14 Updated by Florian Effenberger 3 months ago

Got hinted at http://www.karlgroves.com/2012/04/03/captcha-less-security/ which might provide further insight

#15 Updated by Krasnaya Ploshchad’ 3 months ago

Looks sad that reCAPTCHA has security holes.

Also available in: Atom PDF