I think the issue here is cause and effect and whether we were wrong when we blamed recaptcha.net and maybe it was just the limit being set to 0.5 that was the issue. I would however not want to bring the frustrating ReCaptcha issues back either in case it is.

I'm not sure if this is a good idea but what I would propose is setting it to 'recaptcha.net' for a single wiki where users from China could register from, so as to not affect users from other countries. (Proposals like this have previously been declined but that's only because they would've changed threasholds (with weaker Captcha's or weaker limits) but here we're not changing the actual threashold)

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

In T9257#187875, @Reception123 wrote:

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

In T9257#187879, @Universal_Omega wrote:

In T9257#187875, @Reception123 wrote:

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

Yeah, 2 days is a better option. Though I think if we see like 10 times the amount of people using the form after a day it would probably indicate that recaptcha.net is the issue

In T9257#187880, @Reception123 wrote:

In T9257#187879, @Universal_Omega wrote:

In T9257#187875, @Reception123 wrote:

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

Yeah, 2 days is a better option. Though I think if we see like 10 times the amount of people using the form after a day it would probably indicate that recaptcha.net is the issue

I hope this attempt will succeed.

In T9257#187875, @Reception123 wrote:

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

@Reception123 Per T9307, I also concur that reverting back to recaptcha.net is the better interim solution, and longer term, I recommend we move to hCaptcha. I would like to see this implemented ASAP. Can we try and implement it in the next 24 hours, if possible? (Note, this change should be done globally, as I'm quite certain we used recaptcha.net originally. What we rolled back was the ReCaptcha 3.0 change.) Thanks.

In T9257#187880, @Reception123 wrote:

In T9257#187879, @Universal_Omega wrote:

In T9257#187875, @Reception123 wrote:

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

Yeah, 2 days is a better option. Though I think if we see like 10 times the amount of people using the form after a day it would probably indicate that recaptcha.net is the issue

No test pattern needed. It's confirmed it is the issue, and I've suspected it is for awhile now.

No test pattern needed. It's confirmed it is the issue, and I've suspected it is for awhile now.

It definitely is, we've known for months also, but last time we tried it it caused even more issues for everyone else, as it returned lower scores.

In T9257#188474, @Universal_Omega wrote:

No test pattern needed. It's confirmed it is the issue, and I've suspected it is for awhile now.

It definitely is, we've known for months also, but last time we tried it it caused even more issues for everyone else, as it returned lower scores.

I wouldn't rely on aggregate statistical data (i.e., "lower scores") with little to no context. My understanding from @Reception123 is that using recaptcha.net might be better for the spambots, but would also be better for real people. I can put up with extra spambot user creations. We used to have ReCaptcha V2.0 and recaptcha.net and way higher spambot creations.

When checking LocalSettings.php, I also saw what looked like a config saying we're still on ReCaptcha 3.0. Is that the case? If so, I thought we were going to roll back to ReCaptcha 2.0 because of similar, but unrelated issues?

When checking LocalSettings.php, I also saw what looked like a config saying we're still on ReCaptcha 3.0. Is that the case? If so, I thought we were going to roll back to ReCaptcha 2.0 because of similar, but unrelated issues?

We are not rolling back to version 2, as far as I know.

In T9257#188481, @Universal_Omega wrote:

When checking LocalSettings.php, I also saw what looked like a config saying we're still on ReCaptcha 3.0. Is that the case? If so, I thought we were going to roll back to ReCaptcha 2.0 because of similar, but unrelated issues?

We are not rolling back to version 2, as far as I know.

Oh, I thought @Reception123 told me we were going to, but he wanted to try something else first (back in November-ish). Wouldn't be a bad idea, to be honest. Only downside would be potentially more spambots. On the other hand, the current situation is still seeing a lot of rejected attempts, and load, on the servers. It may actually reduce load on the server to allow the spambots through. In turn, fewer legitimate users will be prevented from creating accounts.

Last time we used recaptcha.net was a mess because ReCAPTCHA returned lower scores than it would if we used google.com. There was no observable improvement at all and instead just a deterioration in CAPTCHA service. I would suggest a limited test for a day or two to see if rolling back to using recaptcha.net causes the huge issues it did last time.

In T9257#188486, @Agent_Isai wrote:

Last time we used recaptcha.net was a mess because ReCAPTCHA returned lower scores than it would if we used google.com. There was no observable improvement at all and instead just a deterioration in CAPTCHA service. I would suggest a limited test for a day or two to see if rolling back to using recaptcha.net causes the huge issues it did last time.

What did we use with ReCAPTCHA version 2.0? That's what I'm talking about. I'd like to see some data, in terms of Grafana load data, jobqueue data, etc., if we, at least temporarily, revert to ReCAPTCHA 2.0 and whatever API URL we used last summer.

None, other than the potential for a pick up in spambot user creations, which Stewards are well placed to perform CheckUser investigations and block any web hosts/open proxies.

Can I please remind you that SRE had to take emergency action to restore the Abuse Filter and that CVT failed to even notice it had been throttled at one point?

up

If we attempt this test, I think it would be good to have some Chinese users who are able to create test accounts for us in order to confirm whether it has any effect. Would anyone subscribed to this task be able to / knows someone who is? (@metal_pail a ?)

As for rolling back to ReCaptcha 2.0, I would disagree with that idea as we have largely fixed registration issues for most users other than for Chinese users which is of course not an issue with ReCaptcha itself.

I will invite some friends in the QQ group to participate in the test

In T9257#188754, @IsutanPhab wrote:

I will invite some friends in the QQ group to participate in the test

Would your friends be prepared to test out the changes tomorrow? First of all, could they please test now and confirm that they are indeed completely unable to create accounts?

all cannot：（

@IsutanPhab The change will be active in around 10 minutes. Please get a few users (around 5) to test it out and see whether they are able to create accounts and let me know here.

I will be monitoring general activity and if there are too many issues for users generally, it will be reverted back and what we will attempt to do is to set it for a specific wiki only where Chinese users can create accounts.

@IsutanPhab any updates?

Oh, I was busy the first two days. I should have time this afternoon.

@Reception123: 2 reports of issues in China on IRC today.

Refused to load the script 'https://www.gstatic.cn/recaptcha/releases/4rwLQsl5N_ccppoTAwwwMrEN/recaptcha__zh_cn.js' because it violates the following Content Security Policy directive .......

In T9257#190359, @RhinosF1 wrote:

@Reception123: 2 reports of issues in China on IRC today.

Refused to load the script 'https://www.gstatic.cn/recaptcha/releases/4rwLQsl5N_ccppoTAwwwMrEN/recaptcha__zh_cn.js' because it violates the following Content Security Policy directive .......

That looks like a CSP problem rather than an issue with ReCaptcha?

In T9257#190385, @Reception123 wrote:

In T9257#190359, @RhinosF1 wrote:

@Reception123: 2 reports of issues in China on IRC today.

Refused to load the script 'https://www.gstatic.cn/recaptcha/releases/4rwLQsl5N_ccppoTAwwwMrEN/recaptcha__zh_cn.js' because it violates the following Content Security Policy directive .......

That looks like a CSP problem rather than an issue with ReCaptcha?

Would it be okay if I make a PR on puppet regarding this?

Yes

@IsutanPhab Is there a definitive answer as to whether it's possible or not to create an account from China?

In T9257#192527, @Reception123 wrote:

@IsutanPhab Is there a definitive answer as to whether it's possible or not to create an account from China?

Excuse me, how was it tested?

In T9257#192535, @metal_pail wrote:

In T9257#192527, @Reception123 wrote:

@IsutanPhab Is there a definitive answer as to whether it's possible or not to create an account from China?

Excuse me, how was it tested?

We are asking users from China to try to create accounts and to tell us whether they are able to or not

In T9257#192536, @Reception123 wrote:

In T9257#192535, @metal_pail wrote:

In T9257#192527, @Reception123 wrote:

@IsutanPhab Is there a definitive answer as to whether it's possible or not to create an account from China?

Excuse me, how was it tested?

We are asking users from China to try to create accounts and to tell us whether they are able to or not

Are there any wikis that specify tests? Can all users participate in the test?

In T9257#192537, @metal_pail wrote:

In T9257#192536, @Reception123 wrote:

In T9257#192535, @metal_pail wrote:

In T9257#192527, @Reception123 wrote:

@IsutanPhab Is there a definitive answer as to whether it's possible or not to create an account from China?

Excuse me, how was it tested?

We are asking users from China to try to create accounts and to tell us whether they are able to or not

Are there any wikis that specify tests? Can all users participate in the test?

Well we don't need say 50 users to participate but if you are one of those users who live in China it would be appreciated yes. There isn't a specific wiki, you should try on https://login.miraheze.org

In T9257#192538, @Reception123 wrote:

In T9257#192537, @metal_pail wrote:

In T9257#192536, @Reception123 wrote:

In T9257#192535, @metal_pail wrote:

In T9257#192527, @Reception123 wrote:

@IsutanPhab Is there a definitive answer as to whether it's possible or not to create an account from China?

Excuse me, how was it tested?

We are asking users from China to try to create accounts and to tell us whether they are able to or not

Are there any wikis that specify tests? Can all users participate in the test?

Well we don't need say 50 users to participate but if you are one of those users who live in China it would be appreciated yes. There isn't a specific wiki, you should try on https://login.miraheze.org

I tried it, but the reCAPTCHA still cannot be loaded successfully.

Update: Users in mainland of China can register new accounts directly.{F1879028}