CAPTCHA options for Cloudron Applications
-
CAPTCHA (Completely Automated Public Turing tests) are used to detect whether the user is human. Unfortunately, proprietary solutions are being used to collect biometric data which can be used to fingerprint visitors.
We should look around for some Freedom respecting options which are not troublesome.
If you have some ideas, suggestions, resources etc. please add them to this thread.
For example, here is a survey of Free Software options for 2022:
-
CAPTCHAs (Completely Automated Public Turing test) are being used to harvest biometric data to fingerprint people and relay results to Big Data corporations. It is insidious and we need to find a humane, Freedom respecting way of achieving the same outcome and try and support it.
For example,
There are others, but ... busy...
-
There's also hcaptcha.com
-
@robi hCaptcha is proprietary, I seem to remember.
A while back I investigated Free alternatives.
There was one where you tell the time on the clock. I must look again. -
Mini Doom game captcha, OSS
https://vivirenremoto.github.io/doomcaptcha/ -
@robi Hahaa!
That is the funniest thing! Easily the best Captcha!
-
-
Referenced by L LoudLemur
-
Why CAPTCHAs are considered harmful:
https://ezinearticles.com/?Captchas-Considered-Harmful---Why-Captchas-Are-Bad-And-How-You-Can-Do-Better&id=1104207W3
https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughtsHuman Presence (proprietary)
https://www.humanpresence.io/Visual Captcha (abandoned, i think)
https://visualcaptcha.net/demo/#Captchas.net (good candidate?)
http://captchas.net/FriendlyCaptcha
https://friendlycaptcha.com/SecurImage
https://www.phpcaptcha.org/Hcaptcha
https://www.hcaptcha.com/#planssvgCAPTCHA (from MIT)
https://openbase.com/js/svg-captcha -
@LoudLemur BTW Vaultwarden / Bitwarden has captcha built-in (appears after 5 unsuccessful login attempts)
-
@LoudLemur said in CAPTCHA options for Cloudron Applications:
Unfortunately, proprietary solutions are being used to collect biometric data which can be used to fingerprint visitors.
We should look around for some Freedom respecting options which are not troublesome.I agree with your motivation to find freedom respect login protections.
However the majority of captchas are not accessible - meaning any human with a visual impairment will not be able to log in to a system.
Multi-factor auth. is already configurable on Cloudron. In my view that is a suitable alternative, while also improving user security.
What is the problem you're trying to solve with a captcha?
-
@ei8fdb said in CAPTCHA options for Cloudron Applications:
@LoudLemur said in CAPTCHA options for Cloudron Applications:
Unfortunately, proprietary solutions are being used to collect biometric data which can be used to fingerprint visitors.
We should look around for some Freedom respecting options which are not troublesome.I agree with your motivation to find freedom respect login protections.
However the majority of captchas are not accessible - meaning any human with a visual impairment will not be able to log in to a system.
Multi-factor auth. is already configurable on Cloudron. In my view that is a suitable alternative, while also improving user security.
What is the problem you're trying to solve with a captcha?
Usually it’s a form of rate limiting - preventing too many login attempts from a malicious actor which uses different IPs
-
@necrevistonnezr said in CAPTCHA options for Cloudron Applications:
Usually it’s a form of rate limiting - preventing too many login attempts from a malicious actor which uses different IPs
Yep, I thought the same but then remembered Cloudron already has rate limiting via fail2ban. I don't know (and haven't tested) if it is enabled on login page of each application hosted on an instance.
Is there a reason why it wouldn't address the many login attempts from different IPs use case?
-
@LoudLemur Google reCAPTCHA destroying the internet:
-
We have been using hcaptcha for cloudron.io for a while now. Seems to work quite well.
-
Currently we use hcaptcha for this forum with limited success, however given that the remaining spam we get is usually handcrafted, those are likely real users.
Also we use it for https://console.cloudron.io now and that seems to work well.
