Bug #2419

[CAPTCHA] Are you serious?

Anonymous - 12 months ago. Updated 12 months ago.


I have seen the CAPTCHA on registration page. This CAPTCHA is unacceptable.
It will make registration longer. It will not prevent robots from registering on the website.
I have read the source code. CAPTCHAs must not be done this way. Do you really think robots will execute YOUR JavaScript? Never trust the client.
If you fix this issue, there are more issues:
Cards are stored here: This image can be used to bypass the CAPTCHA.
Directory name is assets, which is not allowed by GNU.
There is '.' after '?' in 'would you?.'.
And, finally, it will be impossible to register without JavaScript, I think.



Updated by Anonymous 12 months ago

Update: the CAPTCHA is easily bypassed by executing the following code in the console:
$('#completed-div').show(); setTimeout(() => { location.reload(); }, 5000);

Second update: more about this CAPTCHA:
  • Accessibility: BAD (possible using some software or code analysis, not possible using the default interface)
  • Image Security: NONE (cards are always the same)
  • Script Security: NONE (never trust the client)
  • Security Even After Wide-Spread Adoption: NONE (client-side, a parser could be written easily)
  • Should I Make My Own CAPTCHA?: depends on license, most likely NO
    Also, why did you use an abandoned library?

Updated by bill-auger 12 months ago

  • Status changed from unconfirmed to not-a-bug

registration was closed before that puzzle went up and it still is - the version of the puzzle that you saw is not complete - it is only a demo of the client-side JavaScript; and the page has in red printing: "this captcha is not yet fully operational" - that means this is not a bug report, because nothing is broken - this is a grievance discussion - it would be better on the mailing list or forum - please reserve the bug tracker for things that are somehow not as they were intended or stated to be

the puzzle will require JavaScript; and it is not going to be accessible - that's not for any inherent reason; but because those features would require more effort than i am willing to invest, merely for thwarting bots - there is no problem with that though; because it is only guarding, but allowing self-registrations; which are not enabled otherwise - the part of the web page that is accessible via screen-readers, and is visible without JavaScript, clearly indicates that anyone who cannot or does not wish to solve the puzzle, can ask on the mailing list or IRC, and a Parabola dev will register that person manually

an accessibility issue would be allowing some people to do something in a way that prevents others from doing the same thing - in this case that something is to acquire a nickname on the bug tracker; and that puzzle will not prevent anyone from doing that - all that anyone needs to do is ask - the alternative is to require everyone to ask - that is the case now; and that is how Trisquel has been doing it for years - if the puzzle is effective at all, it will be an indubitable improvement

the important thing is that it will impede bots - if it turns out to not be effective at that goal, then it will go away and self-registrations will simply be closed again, until a better solution is found, or perhaps indefinitely

i will change the word 'assets' in the source code to 'blobs', if it pleases the Great Gnu - now that i think of it, i like that better
