
Change the source of reCAPTCHA to enable users in mainland of China to register accounts
Open, Normal, Public

Event Timeline

Agent_Isai triaged this task as Normal priority. May 21 2022, 15:27

We previously used recaptcha.net but rolled back to using google.com because it was causing issues for everyone. We could evaluate moving back though.

I think the issue here is cause and effect and whether we were wrong when we blamed recaptcha.net and maybe it was just the limit being set to 0.5 that was the issue. I would however not want to bring the frustrating ReCaptcha issues back either in case it is.

I'm not sure if this is a good idea but what I would propose is setting it to 'recaptcha.net' for a single wiki where users from China could register from, so as to not affect users from other countries. (Proposals like this have previously been declined but that's only because they would've changed thresholds (with weaker CAPTCHAs or weaker limits) but here we're not changing the actual threshold.)

I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

> I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

> > I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

> I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

Yeah, 2 days is a better option. Though I think if we see like 10 times the amount of people using the form after a day it would probably indicate that recaptcha.net is the issue

> > > I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

> > I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

> Yeah, 2 days is a better option. Though I think if we see like 10 times the amount of people using the form after a day it would probably indicate that recaptcha.net is the issue

I hope this attempt will succeed.

> I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

@Reception123 Per T9307, I also concur that reverting back to recaptcha.net is the better interim solution, and longer term, I recommend we move to hCaptcha. I would like to see this implemented ASAP. Can we try and implement it in the next 24 hours, if possible? (Note, this change should be done globally, as I'm quite certain we used recaptcha.net originally. What we rolled back was the ReCaptcha 3.0 change.) Thanks.

> > > I think perhaps an easier idea would be to try to restore recaptcha.net for a day or so and closely monitor the situation.

> > I would say 2 days, 1 day and it'd be hard to tell. 2 days and we can gather the patterns if we get more users unable to register etc... after 2 days then we immediately revert the change and consider other alternatives.

> Yeah, 2 days is a better option. Though I think if we see like 10 times the amount of people using the form after a day it would probably indicate that recaptcha.net is the issue

No test pattern needed. It's confirmed it is the issue, and I've suspected it is for a while now.

> No test pattern needed. It's confirmed it is the issue, and I've suspected it is for a while now.

It definitely is, we've known for months also, but last time we tried it it caused even more issues for everyone else, as it returned lower scores.

> > No test pattern needed. It's confirmed it is the issue, and I've suspected it is for a while now.

> It definitely is, we've known for months also, but last time we tried it it caused even more issues for everyone else, as it returned lower scores.

I wouldn't rely on aggregate statistical data (i.e., "lower scores") with little to no context. My understanding from @Reception123 is that using recaptcha.net might be better for the spambots, but would also be better for real people. I can put up with extra spambot user creations. We used to have ReCaptcha V2.0 and recaptcha.net and way higher spambot creations.

When checking LocalSettings.php, I also saw what looked like a config saying we're still on ReCaptcha 3.0. Is that the case? If so, I thought we were going to roll back to ReCaptcha 2.0 because of similar, but unrelated issues?

Dmehus raised the priority of this task from Normal to High. May 30 2022, 04:25

Increasing priority to match merged in ticket T9307.

> When checking LocalSettings.php, I also saw what looked like a config saying we're still on ReCaptcha 3.0. Is that the case? If so, I thought we were going to roll back to ReCaptcha 2.0 because of similar, but unrelated issues?

We are not rolling back to version 2, as far as I know.

> > When checking LocalSettings.php, I also saw what looked like a config saying we're still on ReCaptcha 3.0. Is that the case? If so, I thought we were going to roll back to ReCaptcha 2.0 because of similar, but unrelated issues?

> We are not rolling back to version 2, as far as I know.

Oh, I thought @Reception123 told me we were going to, but he wanted to try something else first (back in November-ish). Wouldn't be a bad idea, to be honest. Only downside would be potentially more spambots. On the other hand, the current situation is still seeing a lot of rejected attempts, and load, on the servers. It may actually reduce load on the server to allow the spambots through. In turn, fewer legitimate users will be prevented from creating accounts.

Last time we used recaptcha.net was a mess because ReCAPTCHA returned lower scores than it would if we used google.com. There was no observable improvement at all and instead just a deterioration in CAPTCHA service. I would suggest a limited test for a day or two to see if rolling back to using recaptcha.net causes the huge issues it did last time.

> Last time we used recaptcha.net was a mess because ReCAPTCHA returned lower scores than it would if we used google.com. There was no observable improvement at all and instead just a deterioration in CAPTCHA service. I would suggest a limited test for a day or two to see if rolling back to using recaptcha.net causes the huge issues it did last time.

What did we use with ReCAPTCHA version 2.0? That's what I'm talking about. I'd like to see some data, in terms of Grafana load data, jobqueue data, etc., if we, at least temporarily, revert to ReCAPTCHA 2.0 and whatever API URL we used last summer.

None, other than the potential for a pick up in spambot user creations, which Stewards are well placed to perform CheckUser investigations and block any web hosts/open proxies.

Can I please remind you that SRE had to take emergency action to restore the Abuse Filter and that CVT failed to even notice it had been throttled at one point?

If we attempt this test, I think it would be good to have some Chinese users who are able to create test accounts for us in order to confirm whether it has any effect. Would anyone subscribed to this task be able to / knows someone who is? (@metal_pail a ?)

As for rolling back to ReCaptcha 2.0, I would disagree with that idea as we have largely fixed registration issues for most users other than for Chinese users which is of course not an issue with ReCaptcha itself.

I will invite some friends in the QQ group to participate in the test

> I will invite some friends in the QQ group to participate in the test

Would your friends be prepared to test out the changes tomorrow? First of all, could they please test now and confirm that they are indeed completely unable to create accounts?

@IsutanPhab The change will be active in around 10 minutes. Please get a few users (around 5) to test it out and see whether they are able to create accounts and let me know here.

I will be monitoring general activity and if there are too many issues for users generally, it will be reverted back and what we will attempt to do is to set it for a specific wiki only where Chinese users can create accounts.

Reception123 lowered the priority of this task from High to Normal. Tue, Jun 7, 18:35

Lowering priority as testing is underway and there doesn't seem to be a negative impact for regular users so far. I'm still waiting for an answer from users in China

Oh, I was busy the first two days. I should have time this afternoon.

@Reception123: 2 reports of issues in China on IRC today.

Refused to load the script 'https://www.gstatic.cn/recaptcha/releases/4rwLQsl5N_ccppoTAwwwMrEN/recaptcha__zh_cn.js' because it violates the following Content Security Policy directive .......

> @Reception123: 2 reports of issues in China on IRC today.
>
> Refused to load the script 'https://www.gstatic.cn/recaptcha/releases/4rwLQsl5N_ccppoTAwwwMrEN/recaptcha__zh_cn.js' because it violates the following Content Security Policy directive .......

That looks like a CSP problem rather than an issue with ReCaptcha?

> > @Reception123: 2 reports of issues in China on IRC today.
> >
> > Refused to load the script 'https://www.gstatic.cn/recaptcha/releases/4rwLQsl5N_ccppoTAwwwMrEN/recaptcha__zh_cn.js' because it violates the following Content Security Policy directive .......

> That looks like a CSP problem rather than an issue with ReCaptcha?

Would it be okay if I make a PR on puppet regarding this?
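
The CSP refusal reported above can be checked offline before a policy change is deployed. The following is an added example, not part of the thread or of Miraheze's configuration: it tests whether a script URL is permitted by a policy's `script-src`. The policy and the page origin (`https://wiki.example.org`) are constructed assumptions, since the thread elides the real directive.

```javascript
// Constructed policy for illustration; NOT the site's real header (the thread elides it).
const SAMPLE_CSP = [
  "default-src 'self'",
  "script-src 'self' https://www.google.com https://www.gstatic.com https://www.recaptcha.net",
  "frame-src https://www.google.com https://www.recaptcha.net",
].join('; ');

// Parse a CSP header value into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; only the first occurrence counts.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified host-source matching: scheme, optional "*." wildcard, optional port.
// Paths, nonces, hashes, 'strict-dynamic' and default-port normalisation are not modelled.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // other keywords never match a URL
  if (expr === '*') return url.protocol === 'https:' || url.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (port ? (port !== '*' && port !== url.port) : url.port !== '') return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}

// script-src-elem falls back to script-src, which falls back to default-src.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy['script-src-elem'] || policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no governing directive, so scripts are unrestricted
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Return a copy of the header with one extra origin appended to script-src.
function addScriptSource(header, origin) {
  return header.split(';').map((d) => d.trim())
    .map((d) => (/^script-src\s/i.test(d) ? `${d} ${origin}` : d)).join('; ');
}
```

With the constructed policy, the `gstatic.cn` script from the report is refused while the `gstatic.com` equivalent loads; appending `https://www.gstatic.cn` to `script-src` resolves it without touching `frame-src`.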