Bug #2419

[CAPTCHA] Are you serious?

temporaryuser - 3 months ago. Updated 3 months ago.

Status:
not-a-bug
Priority:
bug
Assignee:
-
% Done:
0%

Description

I have seen the CAPTCHA on the registration page. This CAPTCHA is unacceptable.
It will make registration longer. It will not prevent robots from registering on the website.
I have read the source code. CAPTCHAs must not be done this way. Do you really think robots will execute YOUR JavaScript? Never trust the client. https://labs.parabola.nu/match_game/match_game.js
If you fix this issue, there are more issues:
Cards are stored here: https://labs.parabola.nu/match_game/assets/cards.png. This image can be used to bypass the CAPTCHA.
The directory name is assets, which is not allowed by GNU. https://www.gnu.org/philosophy/words-to-avoid.html#Assets
There is a '.' after the '?' in 'would you?.'.
And, finally, it will be impossible to register without JavaScript, I think.

History

#1

Updated by temporaryuser 3 months ago

Update: the CAPTCHA is easily bypassed by executing the following code in the console:
$('#completed-div').show() ; setTimeout(()=> { location.reload() ; } , 5000) ;

Second update: more about this CAPTCHA:
From http://captcha.net/:
  • Accessibility: BAD (possible using some software or code analysis, not possible using the default interface)
  • Image Security: NONE (cards are always the same)
  • Script Security: NONE (never trust the client)
  • Security Even After Wide-Spread Adoption: NONE (client-side, a parser could be written easily)
  • Should I Make My Own CAPTCHA?: depends on license, most likely NO
Also, why did you use an abandoned library?

#2

Updated by bill-auger 3 months ago

  • Status changed from unconfirmed to not-a-bug

registration was closed before that puzzle went up and it still is - the version of the puzzle that you saw is not complete - it is only a demo of the client-side javascript; and the page has in red printing: "this captcha is not yet fully operational" - that means this is not a bug report, because nothing is broken - this is a grievance discussion - it would be better on the mailing list or forum - please reserve the bug tracker for things that are somehow not as they were intended or stated to be

the puzzle will require javascript; and it is not going to be accessible - that's not for any inherent reason; but because those features would require more effort than i am willing to invest, merely for thwarting bots - there is no problem with that though; because it is only guarding, but allowing self-registrations; which are not enabled otherwise - the part of web page that is accessible via screen-readers, and is visible without javascript, clearly indicates that anyone who cannot or does not wish to solve the puzzle, can ask on the mailing list or IRC, and a parabola dev will register that person manually

an accessibility issue would be allowing some people to do something in a way that prevents others from doing the same thing - in this case that something is to acquire a nickname on the bug tracker; and that puzzle will not prevent anyone from doing that - all that anyone needs to do is ask - the alternative is to require everyone to ask - that is the case now; and that is how trisquel has been doing it for years - if the puzzle is effective at all, it will be an indubitable improvement

the important thing is that it will impede bots - if it turns out to not be effective at that goal, then it will go away and self-registrations will simply be closed again, until a better solution is found, or perhaps indefinitely

i will change the word 'assets' in the source code to 'blobs', if it pleases the Great Gnu - now that i think of it, i like that better
