
Change CAPTCHA to ReCaptcha v3
Open, Normal, Public

Description

As you all know, our current CAPTCHA (ReCaptcha v2) is simply not doing it, and MW.org itself says "ReCaptcha has been cracked by most spambots targeting wikis, mainly due to its accessible captcha alternative."

This is why we must upgrade to ReCaptcha v3. Unfortunately, the process doesn't seem to be getting anywhere upstream so I feel like we only have two options: either 1) we fork all of ConfirmEdit and do it ourselves or 2) we integrate ReCaptcha v3 into MirahezeMagic. It is useful to note that there is already an open PR upstream that would facilitate the work for us - https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/539679

I've set this to normal priority as we get regular complaints about spambots and we really need to do something about it. Until now I've waited a bit to see if something would move upstream but it doesn't seem to be happening at all.

Event Timeline

Reception123 triaged this task as Normal priority. Jun 22 2021, 05:18
Reception123 created this task.

I suggest we try and fork and then apply upstream's patch on top of our fork.

Then we can just pull other changes as needed.

Universal Omega will try to do it in MirahezeMagic first, is my understanding, since a lot of ConfirmEdit isn't needed for us, but if that's too complicated or doesn't work then we can do a fork.

For the time being I've applied the upstream patch on test3 and it appears like there's an issue with the site and secret keys.

Honestly, those spam-bots have been persistent as of late.

I'm personally not convinced this will be the most effective at combating spambots, but I do agree the current ReCaptcha method is broken and this can't hurt, so I have no concerns really. I will be preparing a couple other initiatives which can be deployed around the same time, and which I believe will be even more effective.

Sorry if this is misguided, but what about hCaptcha?

In T7509#150801, @Shili wrote:

Sorry if this is misguided, but what about hCaptcha?

That would be great but is off-topic for this task, IMO.

hCaptcha is also a possible alternative. We could potentially consider switching to that if ReCaptcha v3 proves to be ineffective.

Per the discussion in -sre, I propose we should try to get an approximate number of spambot registrations/attempted edits using the Abuse Logs for a week, then after that week we switch to v3 and compare numbers.

Per above, will be providing this comment with approximate counts of spambots when using ReCaptcha V2. These are not really fully accurate but are just meant to provide a rough idea. These will be provided until Friday and afterwards we should be switching to ReCaptcha v3 and once again extracting the same data to compare.

NOTE: As otherwise it would take way too long, the way this is recorded is by AbuseLog entries related to filters 18, 19 (so there may be multiple entries for one account). While of course this decreases the accuracy, if V3 is effective we should still see a decrease.
NOTE: Account creations includes all account creations (not only spambots). Considerations are the same as above.

ReCaptcha V2 is active

MONDAY (5 July 2021): 1081 ALEs (Abuse Log entries), 391 ACs (account creations)
TUESDAY (6 July 2021): 1471 ALEs, 412 ACs
WEDNESDAY (7 July 2021): 2082 ALEs, 498 ACs
THURSDAY (8 July 2021): 1998 ALEs, 542 ACs
FRIDAY (9 July 2021)

ReCaptcha V3 is active
(starting Sunday since Saturday will be the switch day)
SUNDAY (11 July 2021):
MONDAY (12 July 2021):
TUESDAY (13 July 2021)
WEDNESDAY (14 July 2021)
THURSDAY (15 July 2021)
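
Added example, not part of the original task discussion or of Miraheze's tooling: one way to tally the abuse-log entries described above per day while also counting distinct accounts, which addresses the caveat that one account can produce several entries. The record field names (`filter_id`, `user`, `timestamp`) and all sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

SPAM_FILTERS = {18, 19}  # filter IDs named in the comment above

# Constructed sample records (not real log data); field names are assumed.
SAMPLE_LOG = [
    {"filter_id": 18, "user": "SpamBotA", "timestamp": "2021-07-05T01:10:00Z"},
    {"filter_id": 19, "user": "SpamBotA", "timestamp": "2021-07-05T01:10:02Z"},
    {"filter_id": 18, "user": "SpamBotB", "timestamp": "2021-07-05T09:30:00Z"},
    {"filter_id": 3,  "user": "UserC",    "timestamp": "2021-07-05T12:00:00Z"},
    {"filter_id": 19, "user": "SpamBotD", "timestamp": "2021-07-06T02:00:00Z"},
    {"filter_id": 19, "user": "SpamBotD", "timestamp": "2021-07-06T02:00:05Z"},
    {"filter_id": 18, "user": "SpamBotD", "timestamp": "2021-07-06T02:01:00Z"},
]


def daily_counts(entries, filters=SPAM_FILTERS):
    """Return {ISO date: (raw entries, distinct users)} for the given filters."""
    raw = defaultdict(int)
    users = defaultdict(set)
    for entry in entries:
        if entry["filter_id"] not in filters:
            continue  # hits on unrelated filters are not part of the measurement
        stamp = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        day = stamp.date().isoformat()
        raw[day] += 1
        users[day].add(entry["user"])
    return {day: (raw[day], len(users[day])) for day in sorted(raw)}


def percent_change(before, after):
    """Percent change of the mean daily value between two measurement periods."""
    if not before or not after:
        raise ValueError("both periods need at least one daily value")
    mean_before = sum(before) / len(before)
    mean_after = sum(after) / len(after)
    if mean_before == 0:
        raise ValueError("baseline mean is zero; relative change is undefined")
    return round(100 * (mean_after - mean_before) / mean_before, 1)


if __name__ == "__main__":
    for day, (entries, accounts) in daily_counts(SAMPLE_LOG).items():
        print(f"{day}: {entries} ALEs from {accounts} distinct accounts")
```

Comparing means over the same weekdays in both periods keeps the weekday-to-weekday variation visible in the V2 numbers from dominating the result.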

@Void From what I understand from @Universal Omega, it seems like if you don't pass the CAPTCHA, instead of it telling you that, it tells you that you put the wrong password. Do you have any idea how to change that in our MirahezeMagic version in order to get a different message?

Not immediately sure, but it does look like the extension is using hooks to remove the custom captcha messages that are not specific to v3, which is very likely the cause. I'll try and take a look through on a test instance to determine the best solution for this.

In T7509#153165, @Void wrote:

@Void From what I understand from @Universal Omega, it seems like if you don't pass the CAPTCHA, instead of it telling you that, it tells you that you put the wrong password. Do you have any idea how to change that in our MirahezeMagic version in order to get a different message?

Not immediately sure, but it does look like the extension is using hooks to remove the custom captcha messages that are not specific to v3, which is very likely the cause. I'll try and take a look through on a test instance to determine the best solution for this.

Thanks!

Now blocked on Void to figure out how to have a special message rather than saying password forgotten when the CAPTCHA is wrong.