To solve for our current simple image captcha, and avoiding proprietary SaaS-S, we wrote down some notes and ideas - including the idea to write a simple self-hostable text-based service from scratch.

What do you think? Interested to participate? We are looking for your input to

The paragraph just before the conclusion looks wrong, too.
But I can't pinpoint what.

What services are you trying to secure with a CAPTCHA?

Why can't it be done manually?
Like, registration requires an admin to approve. E.g. after out-of-band communication via mail or Matrix.

It depends.

The Markdown describes the solution space without stating what problem it tries to address.

If you have single or low-double digit signups, a manual process could totally work out.

A bit more and you would need more people.

But it might still work as a quality gate.

Hence my question.

@RyunoKi @csddumi @codeberg The issue is that we have a low-double digit signup number each day *with* the captcha currently, and without it we'd have a triple digit number each day, with most of it being more-or-less obvious spam - also, it would be easy to run a DoS by just automatically creating 1000 accounts each day, then checking would take way too long and no new users could sign up.

On top of that, the volunteers already have enough stuff to do. 🙈

I see.

Mind adding that to the Markdown file, too?

Because that's important context in my opinion.
@csddumi @codeberg

Hmm, I'll consider adding a note. Still, it's obvious that this text is addressed to people who already need captchas.

It is also addressed e.g. to people who operate small services and do not want to have a maintenance burden (e.g. a website with a contact form and don't want to read through spam. If they need to check everything anyway, they can also live with the spam in the first place).
@momar @csddumi

I like self hosted captchas. Have you also considered localisation?

@wmd "allow to record and display questions in multiple languages" is a (not yet prioritized) idea.
The bigger problem is probably the quality. While simple English can be understood by many, even complex ambiguous questions (maybe with typos) in your native language will likely represent a problem.

@codeberg how do you measure when a given captcha is spent? What if there are none left?

@staticvoidmaine The none left issue will be avoided, probably by defining a min pool size and a max age and dynamically dropping between the two. (e.g. dropping after max age when more than min pool size left)

@codeberg This sounds like a pretty good solution, except for the part where you determine which questions users can reasonably answer. Sure, the most difficult ones will be dropped after a time, but will give users plenty of frustrations in the meantime. And the actually good ones will be dropped soon as well.
I can also foresee another variation of the "You Can't Get Ye Flask" problem (TVTropes, which I'm not linking to because it's dangerous); given the multitude of synonyms in the English language, it is quite likely that people will type in answers you did not foresee but are still factually correct. There may also be typos.
And lastly, overly complex questions could pose a problem for those for whom English is not the first language.
Basically, great idea, but only if done right.

@Mayana Thank you for the feedback, good points. We are ready to experiment and e.g. tune some values on the fly (like the retention policies of questions).

But you are right, we'd probably face a lot of operational problems after the prototype. We'll consider if it's still worth a try.
