Bug #2419
[CAPTCHA] Are you serious?
0%
Description
I have seen the CAPTCHA on registration page. This CAPTCHA is unacceptable.
It will make registration longer. It will not prevent robots from registering on the website.
I have read the source code. CAPTCHAs must not be done this way. Do you really think robots will execute YOUR JavaScript? Never trust the client. https://labs.parabola.nu/match_game/match_game.js
If you will fix this issue, there are more issues:
Cards are stored here: https://labs.parabola.nu/match_game/assets/cards.png. This image can be used to bypass CAPTCHA.
Directory name is assets, which is not allowed by GNU. https://www.gnu.org/philosophy/words-to-avoid.html#Assets
There is '.' after '?' in 'would you?.'.
And, finally, it will be impossible to register without JavaScript, I think.
History
Updated by Anonymous over 4 years ago
$('#completed-div').show() ; setTimeout(()=> { location.reload() ; } , 5000) ;
Second update: more about this CAPTCHA:
From http://captcha.net/:
- Accessibility: BAD (possible using some software or code analysis, not possible using default interface)
- Image Security: NONE (cards are always the same)
- Script Security: NONE (never trust the client)
- Security Even After Wide-Spread Adoption: NONE (clientâside, parser could be written easily)
- Should I Make My Own CAPTCHA?: depends on license, most likely NO
Also, why did you use abandoned library?
Updated by bill-auger over 4 years ago
- Status changed from unconfirmed to not-a-bug
registration was closed before that puzzle went up and it still is - the version of the puzzle that you saw is not complete - it is only a demo of the client-side javascript; and the page has in red printing: "this captcha is not yet fully operational" - that means this is not a bug report, because nothing is broken - this is a grievance discussion - it would be better on the mailing list or forum - please reserve the bug tracker for things that are somehow not as they were intended or stated to be
the puzzle will require javascript; and it is not going to be accessible - thats not for any inherent reason; but because those features would require more effort than i am willing to invest, merely for thwarting bots - there is no problem with that though; because it is only guarding, but allowing self-registrations; which are not enabled otherwise - the part of web page that is accessible via screen-readers, and is visible without javascript, clearly indicates that anyone who can not or does not wish to solve the puzzle, can ask on the mailing list or IRC, and a parabola dev will register that person manually
an accessibility issue would be allowing some people to do something in a way that prevents others from doing the same thing - in this case that something, is to acquire a nickname on the bug tracker; and that puzzle will not prevent anyone from doing that - all that anyone needs to do is ask - the alternative is to require everyone to ask - that is the case now; and that is how trisquel has been doing it for years - if the puzzle is effective at all, it will be an indubitable improvement
the important thing is that it will impede bots - if it turns out to not be effective at that goal, then it will go away and self-registrations will simply be closed again, until a better solution is found, or perhaps indefinitely
i will change the word 'assets' in the source code to 'blobs', if it pleases the Great Gnu - now that i think of it, i like that better