
Change CAPTCHA to ReCaptcha v3
Closed, Resolved (Public)

Description

As you all know our current CAPTCHA (ReCaptcha v2) is simply not doing it, and MW.org itself says "ReCaptcha has been cracked by most spambots targeting wikis, mainly due to its accessible captcha alternative."

This is why we must upgrade to ReCaptcha v3. Unfortunately, the process doesn't seem to be getting anywhere upstream so I feel like we only have two options: either 1) we fork all of ConfirmEdit and do it ourselves or 2) we integrate ReCaptcha v3 into MirahezeMagic. It is useful to note that there is already an open PR upstream that would facilitate the work for us - https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/539679

I've set this to normal priority as we get regular complaints about spambots and we really need to do something about it. Until now I've waited a bit to see if something would move upstream but it doesn't seem to be happening at all.

Event Timeline

Reception123 triaged this task as Normal priority. Jun 22 2021, 05:18
Reception123 created this task.
Reception123 assigned this task to Unknown Object (User). Jun 22 2021, 05:24

I suggest we try and fork and then apply upstream's patch on top of our fork.

Then we can just pull other changes as needed.

Unknown Object (User) moved this task from Backlog to Actions Needed (Review) on the Extensions board. Jun 22 2021, 05:31
Unknown Object (User) moved this task from Unsorted to Goals on the Universal Omega board.

I suggest we try and fork and then apply upstream's patch on top of our fork.

Then we can just pull other changes as needed.

Universal Omega will try to do it in MirahezeMagic first, is my understanding, since a lot of ConfirmEdit isn't needed for us, but if that's too complicated or doesn't work then we can do a fork.

For the time being I've applied the upstream patch on test3 and it appears like there's an issue with the site and secret keys.

Honestly, those spam-bots have been persistent as of late.

I'm personally not convinced this will be the most effective at combating spambots, but I do agree the current ReCaptcha method is broken and this can't hurt, so I have no concerns really. I will be preparing a couple other initiatives which can be deployed around the same time, and which I believe will be even more effective.

Sorry if this is misguided, but what about hCaptcha?

In T7509#150801, @Shili wrote:

Sorry if this is misguided, but what about hCaptcha?

That would be great but is off-topic for this task, IMO.

hCaptcha is also a possible alternative. We could potentially consider switching to that if ReCaptcha v3 proves to be ineffective.

Per the discussion in -sre, I propose we should try to get an approximate number of spambot registrations/attempted edits using the Abuse Logs for a week, then after that week we switch to v3 and compare numbers.

Per above, will be providing this comment with approximate counts of spambots when using ReCaptcha V2. These are not really fully accurate but are just meant to provide a rough idea. These will be provided until Friday and afterwards we should be switching to ReCaptcha v3 and once again extracting the same data to compare.

NOTE: As otherwise it would take way too long, the way this is recorded is by AbuseLog entries related to filters 18, 19 (so there may be multiple entries for one account). While of course this decreases the accuracy, if V3 is effective we should still see a decrease.
NOTE: Account creations include all account creations (not only spambots). Considerations are the same as above.

ReCaptcha V2 is active:
MONDAY (5 July 2021): 1081 ALEs (Abuse Log entries), 391 ACs (account creations)
TUESDAY (6 July 2021): 1471 ALEs, 412 ACs
WEDNESDAY (7 July 2021): 2082 ALEs, 498 ACs
THURSDAY (8 July 2021): 1998 ALEs, 542 ACs

ReCaptcha V2 is active (part 2):
THURSDAY (2 September 2021): 3738 ALEs (Abuse Log entries), 1016 ACs (account creations)
FRIDAY (3 September 2021): 4546 ALEs, 1196 ACs
SATURDAY (4 September 2021): 4845 ALEs, 828 ACs
SUNDAY (5 September 2021): 5484 ALEs, 667 ACs

ReCaptcha V3 is active:
MONDAY (6 September 2021): 309 ACs (note V2 active until 08:00 UTC)

@Void From what I understand from @Universal Omega, it seems like if you don't pass the CAPTCHA, instead of it telling you that, it tells you that you put the wrong password. Do you have any idea how to change that in our MirahezeMagic version in order to get a different message?

Not immediately sure, but it does look like the extension is using hooks to remove the custom captcha messages that are not specific to v3, which is very likely the cause. I'll try and take a look through on a test instance to determine the best solution for this.

In T7509#153165, @Void wrote:

@Void From what I understand from @Universal Omega, it seems like if you don't pass the CAPTCHA, instead of it telling you that, it tells you that you put the wrong password. Do you have any idea how to change that in our MirahezeMagic version in order to get a different message?

Not immediately sure, but it does look like the extension is using hooks to remove the custom captcha messages that are not specific to v3, which is very likely the cause. I'll try and take a look through on a test instance to determine the best solution for this.

Thanks!

Reception123 reassigned this task from Unknown Object (User) to Void. Jul 28 2021, 07:22

Now blocked on Void to figure out how to have a special message rather than saying password forgotten when the CAPTCHA is wrong.

Unknown Object (User) moved this task from Goals to Short Term on the Universal Omega board. Aug 3 2021, 07:16
Void removed Void as the assignee of this task. Aug 3 2021, 22:37

Don't really have time for this at the moment. I don't want to block anyone else from looking at this if they want.

Unknown Object (User) added a comment. Aug 11 2021, 22:45

I will try and do further investigation into it, and hopefully come up with a solution, but no guarantees.

Unknown Object (User) claimed this task. Aug 13 2021, 17:54

Am looking into it again.

Unknown Object (User) added a comment. Aug 13 2021, 20:37

This should now work as expected.

Reception123 removed a subscriber: Unknown Object (User). Aug 24 2021, 19:05
Reception123 removed Unknown Object (User) as the assignee of this task. Aug 25 2021, 10:44
Reception123 added a subscriber: Unknown Object (User).

per absence

Herald removed a subscriber: Unknown Object (User). Aug 25 2021, 10:44
Unknown Object (User) closed this task as Resolved. Sep 6 2021, 08:16
Unknown Object (User) claimed this task.

With the PR now merged, this should be done.

This will be reopened if there are any issues with V3 or if it proves to not be effective.

I went ahead and updated the upstream patch and requested review.