Requests for Comment/Replace reCAPTCHA with another CAPTCHA 2

Hi everyone from Miraheze. I am Isutan. Since Google no longer provides services in mainland China, a large number of Chinese users cannot register accounts and can only register through a VPN or by requesting others to register, so I hope that the CAPTCHA can be replaced.

Isutan (talk) 01:20, 20 May 2022 (UTC) .Isutan (talk) 23:58, 21 May 2022 (UTC)

Proposal 1: QuestyCaptcha
I think this kind of captcha works very well, especially for some games and anime wikis. I wish this could be in the other column of Managewiki and let the bureaucracy edit Isutan (talk) 01:20, 20 May 2022 (UTC)

Support

 * 1)  Isutan (talk) 23:58, 21 May 2022 (UTC)
 * 2) Neither of the opposes has anything to do with this proposal. One is claiming it is out of scope, the other is claiming that reCAPTCHA is fine and has no problems. Apart from this being false, it also doesn't address the proposal which is QuestyCaptcha. I reviewed QuestyCaptcha before here and liked it. Apart from the problem that reCAPTCHA being removed is a separate issue to finding a replacement (hosting mandatory nonfree JavaScript is not an option), it would also likely be better at preventing spam. This is in combination with the IP blacklist. Naleksuh (talk) 17:01, 26 May 2022 (UTC)
 * 3)  There are quite a lot of current issues with Google's reCaptcha. Does anyone forget the PRISM programme? Your data is not only seen by Google for tracking purposes, but also by the US or the UK government. Another problem with it is JavaScript dependence, which is the main tracking method used by tons of Google services like googletagmanager and Google Analytics. Because of this, there are a number of users who choose to disable JavaScript in the browser, and what reCaptcha does is force them to enable it, tracking them over the web and leaving no option to opt out of it. --Matttest (talk) 23:45, 26 May 2022 (UTC)

Oppose

 * 1)  This is highly out of scope, and nothing good can come out of an out-of-scope RfC. --DarkMatterMan4500 (talk) (contribs) 01:35, 20 May 2022 (UTC)
 * Except discussion, a founding principle of RfCs. That doesn't preclude its closure shortly, but I think it's worth mentioning and clarifying, especially given the direction in the comments. --Raidarr (talk) 11:19, 20 May 2022 (UTC)
 * The comments I made last night were mainly from my frustration I had with another user yesterday, so it might make sense why I wrote it like this. --DarkMatterMan4500 (talk) (contribs) 11:24, 20 May 2022 (UTC)
 * 1) The current system works well and does the job. While yes, this is a good-faith request, this is what helps us with spambots, and until SRE finds a better, working solution, and unanimously approves the new Captcha, this will stay. -- Cheers, Justin Aves (talk • contribs • global • rights) 23:13, 20 May 2022 (UTC)
 * First of all, several better solutions have already been provided, including new CAPTCHAs and a full import of Wikimedia proxy blacklists.
 * Secondly, the idea there needs to be a better replacement or even any replacement to remove reCAPTCHA is a problem. Having reCAPTCHA, at all, is a principle issue and must be removed. If a new CAPTCHA can be found, great, but otherwise that would simply mean no CAPTCHA. MediaWiki has a commitment to unobtrusive JavaScript, which this is not by any means. I also see no reason to be shuttling off background requests to Google servers on the signup page.
 * Also, do you have any problem with QuestyCaptcha or is this just "if it ain't broke don't fix it"? Do you care to actually discuss the proposal? In fact, QuestyCaptcha may actually be more effective at preventing spam than reCAPTCHA, due to the complete elimination of non-targeted bots, although the questions can be cracked. ReCAPTCHA, on the other hand, can be bypassed for less than a cent. Naleksuh (talk) 17:01, 26 May 2022 (UTC)
 * 1)  per above. I've never had any issues with recaptcha. Also the other captchas have proved to be not quite so effective. I'd rather not force our stewards and global sysops to spend more time banning and locking spam accounts and IPs. MacFan4000 (Talk Contribs) 18:06, 26 May 2022 (UTC)
 * 2)  Per the reasons given here, I don't think this would be a good option. Reception123 (talk) ( C ) 18:24, 26 May 2022 (UTC)

Proposal 2: hCaptcha
Unlike a mathematical verification code, which is extremely easy for spambots to crack, hCaptcha is suitable for any wiki, and is very similar to reCAPTCHA, being a click-and-click image type. I think this is very suitable; ShoutWiki uses this kind of CAPTCHA. Isutan (talk) 01:20, 20 May 2022 (UTC)

Support

 * 1)  as proposer. Isutan (talk) 01:20, 20 May 2022 (UTC)

Abstain

 * I don't particularly have any issues with hCaptcha. If we did want to replace reCaptcha for some reason this would be my preferred option. However, I think reCaptcha is working fine at the moment other than the mainland China issue for which there is currently a Phabricator task which I will be working on resolving soon. Reception123 (talk) ( C ) 18:27, 26 May 2022 (UTC)

Oppose

 * 1)  Are you actually serious? We already had something like this back in October, and it fell flat on its face, especially since the nominator was an IP who was behind multiple abusive accounts at the time. This could only end badly. --DarkMatterMan4500 (talk) (contribs) 01:31, 20 May 2022 (UTC)
 * DarkMatterMan4500 Sorry, I don’t know that… Isutan (talk) 02:04, 20 May 2022 (UTC)
 * That's fine. :) --DarkMatterMan4500 (talk) (contribs) 02:46, 20 May 2022 (UTC)
 * 1) As per my statement in Proposal 1. -- Cheers, Justin Aves (talk • contribs • global • rights) 23:13, 20 May 2022 (UTC)
 * 2) hCaptcha is nothing different from reCaptcha, it is still surveillance-funded and requires JavaScript.--Matttest (talk) 03:20, 21 May 2022 (UTC)
 * 3) hCaptcha has many of the same problems that reCAPTCHA does. It breaks the unobtrusive JavaScript commitment, it breaks the free software commitment, it has a dependency on an external server, . In fact it's almost an identical clone. The ONLY advantage is the lack of involvement with Google. I don't see a reason to change to something that still has most of the problems, so it would just have to be changed again. Naleksuh (talk) 17:01, 26 May 2022 (UTC)
 * 4)  per above. MacFan4000 (Talk Contribs) 18:06, 26 May 2022 (UTC)

Comments

 * 1) Procedurally speaking, this is out of scope for a Request for Comment so this request may be closed as invalid. However, SRE (the technical team) will gladly consider an alternative for ReCAPTCHA if needed. I will forward this to my colleagues at SRE to see what we can do as this is a perennial request.  Agent Isai  Talk to me! 01:28, 20 May 2022 (UTC)
 * But if you don't switch, it will block the registration of users in mainland China and make them suffer the same NOP dilemma as Wikimedia. But Miraheze has not been blocked by GFW, why is it so complicated to do things that can be done by simply switching the verification code? If it is not resolved, Miraheze's mail may be full, and there will always be such users in mainland China who want to contribute to wikis but cannot register, which directly blocks more than 100 million netizens who want to have their own wiki or contribute to wiki. Isutan (talk) 02:14, 20 May 2022 (UTC)
 * Please remember that sometimes it's not that we don't want to, it's that we can't. We cannot simply flick a magic wand and move to hCaptcha, that is simply not possible. Our implementation of ReCAPTCHA is in-house and was developed by our own system administrators. What this proposal would do is require them to invest time to investigate hCAPTCHA and code something new so that'll take time. I'm sorry if you have issues but do note that the issue is simply bigger than just plain refusal because we don't feel like it. Agent Isai  Talk to me! 02:29, 20 May 2022 (UTC)
 * For once, Agent Isai has a valid reason and/or point on this one. As much as we want to make some supplementary changes in the system, it won't magically happen in a finger-snap. That would make the system feel rushed, and monetary damages might likely occur. Hope that clarifies things a bit. :) --DarkMatterMan4500 (talk) (contribs) 02:38, 20 May 2022 (UTC)
 * "For once"? DarkMatterMan, this has been the root of the problem since the inquiry first came up and repeated for a while. It also has little to do with 'monetary damages'. It's simply difficult at best for SRE to put on top priority while they're beta testing a full platform version upgrade and a long backlog wishlist. I'm not closing this because I believe in having the conversation and RfC is certainly a way to do it - however I'm under no illusions this RfC can or will have any real impact as it cannot mandate that SRE act in a particular way, nor will it change the realities that have been the case for some time. --Raidarr (talk) 11:20, 20 May 2022 (UTC)
 * True, but about the part where I said "for once", I talked with Agent on Discord, and I explained a bit more about it. I apologize if what I said makes no sense to you. --DarkMatterMan4500 (talk) (contribs) 11:23, 20 May 2022 (UTC)
 * 1) Procedural Correction regarding Agent Isai's procedural comment above: It is not out of scope for the community to discuss potential alternatives to the current CAPTCHA registration verification system. If consensus of the community was to switch to a CAPTCHA system that does not meet the SRE, Trust and Safety, or even the Counter Vandalism Team's requirements, the respective teams retain the right not to implement the requested system. As it stands, I can see at least one CAPTCHA system that should meet with at least the CVT team's requirements and very likely the SRE and Trust and Safety team's approval. Overly simplistic CAPTCHAs, though, are unlikely to meet those requirements. It would have to be a system on par with reCAPTCHA. Dmehus (talk) 22:50, 21 May 2022 (UTC)
 * Would it be possible for you to direct me to where I said that it is out of scope to have a discussion? My point was that an RfC cannot serve as a binding vote in technical matters as it can in community matters. Either way, this has been communicated within SRE and an alternative for Chinese users is being considered being that this is a perennial request with a resolution hopefully coming soon. Agent Isai  Talk to me! 23:10, 21 May 2022 (UTC)
 * Where you said "Procedurally speaking, this is out of scope for a Request for Comment so this request may be closed as invalid" suggests you believe that this is out of scope as an RfC. An RfC is never binding upon SRE, Trust and Safety, or even Stewards, for that matter. If there are not legal, technical, or global policy conflicts, and the RfC was clear and unambiguous in its request, then it would be difficult to justify not implementing the results of an RfC, but if your latter reply is what you intended to say with the above comment, then that's fine as you're essentially suggesting the same thing. hCaptcha does seem to be one CAPTCHA alternative that SRE would support implementing, and, given the current issues with reCAPTCHA, I doubt there would be much, if any, objections from the community toward implementing, so could probably be posted as a Request for Feedback at community noticeboard that invites the community to express objections toward implementing it, as and when SRE is in a position to technically implement it. If there were more than one valid objection for different reasons, then I would personally recommend that SRE proceed to an RfC prior to implementing. Dmehus (talk) 23:27, 21 May 2022 (UTC)
 * I just want mainland Chinese users to get rid of recaptcha restrictions and register freely, please don't discuss irrelevant trivia about RfC restrictions and so on. Isutan (talk) 00:02, 22 May 2022 (UTC)
 * 1) I tested it several months ago and found that the real reason is not recaptcha. Even if I use HeaderEditor or Gooreplacer to redirect google recaptcha to "recaptcha.net" (which is accessible in Chinese mainland), the connection fails as well. I haven't found the reason. Maybe further research is required. --SolidBlock (talk) 08:43, 22 May 2022 (UTC)
 * And I also found, when researching several months ago, that the reason seems not to be with Google. "recaptcha.net" rather than "google.com" is probably already used. One reason why it fails is that, in Chinese mainland IPs, its API returns "gstatic.cn" instead of "gstatic.com". Both the gstatic domains are accessible in mainland of China, but "gstatic.cn" is not in Content Security Policy and is blocked by the client. I used to replace it with "gstatic.com" to solve the problem and succeeded. But later the method failed, even if it makes it possible to connect to the "gstatic" website. I have no idea of the reason. --SolidBlock (talk) 08:56, 22 May 2022 (UTC)
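
The Content Security Policy behaviour described in the comment above, as an added example that is not part of the original discussion or Miraheze's code: a simplified host-source matcher showing why a script served from a host missing from `script-src` is refused by the browser even though the host itself is reachable. The policy string, the `www.` host names, the page origin and the script paths are constructed samples; source paths and `script-src-elem` are not modelled.

```javascript
// Constructed sample policy (an assumption, not Miraheze's real header).
const SAMPLE_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://www.recaptcha.net https://www.gstatic.com";

// Parse a CSP header into { directive: [sources] }; the first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Match one source expression against a URL (source paths are ignored here).
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true; // simplified: real "*" covers network schemes only
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes: no host match
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  if (port !== "*" && (port || defaultPort) !== (url.port || defaultPort)) return false;
  const h = host.toLowerCase();
  // "*.example.com" covers subdomains only, never the bare domain.
  return h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// Would the browser load scriptUrl under this policy?
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (sources === undefined) return true; // no directive governs scripts
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed URLs: the same script path served from the two gstatic domains.
const PAGE = "https://wiki.example.org";
console.log(scriptAllowed(SAMPLE_CSP, "https://www.gstatic.com/recaptcha/api.js", PAGE));
console.log(scriptAllowed(SAMPLE_CSP, "https://www.gstatic.cn/recaptcha/api.js", PAGE));
```

A host-by-host allowlist has to name every domain the third-party API may hand back, which is why a region-specific variant can fail on the client while both domains stay reachable over the network.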

Proposal 3: Actually block abusive IP ranges
As you may know, Miraheze uses a much more aggressive CAPTCHA, one that is easily bypassed with CAPTCHA farms and harms users' freedom, with little to no benefit, in an attempt to stop spamming, and while spamming does continue due to having wide-open editing for all with very little ranges blocked, the spam is much less present on Wikimedia. I spoke with a Wikimedia sysadmin about it and they said this was primarily due to spam ranges being blocked. In fact, they are simply using the standard math CAPTCHA there, and that combined with this is enough to keep out way more bots than reCAPTCHA can do. Naleksuh (talk) 17:01, 26 May 2022 (UTC)
 * The primary reason I've received for why this is simply not feasible is because a raw list of Wikipedia blocks cannot be accurately split off from blocks made for other reasons (general abuse and so forth). If this is resolved (and I'm not the authority on it anyway, only bringing it out to be discussed), I imagine simply importing a spam/vpn list and going with a 'dumber' captcha would be more viable. --Raidarr (talk) 17:40, 26 May 2022 (UTC)
 * It already was resolved. I gave Reception123 a full list of proxies and they ignored it. Naleksuh (talk) 17:42, 26 May 2022 (UTC)
 * That's not true, I absolutely did not ignore it. I simply indicated that as Global Sysop I didn't feel it was my place to take such matters into my own hands as that's clearly a task for Stewards to do in my view. I also replied in more detail and said that I didn't feel it was appropriate anyway to just import all of Wikipedia's IP blocks indiscriminately like that to Miraheze, since they would include non-proxy/VPN blocks. And even if they didn't include them, how could a Steward actually check whether that is the case? One can't be expected to simply block a list of IPs given by a user. Reception123 (talk) ( C ) 18:23, 26 May 2022 (UTC)
 * Haven't we always done this in the first place? --DarkMatterMan4500 (talk) (contribs) 18:25, 1 June 2022 (UTC)