Requests for Comment/Replace reCAPTCHA with another CAPTCHA

It's recently come to my attention that Miraheze is currently using reCAPTCHA for account creation, and is attempting to replace that reCAPTCHA with a new version of reCAPTCHA.

This is a major problem. reCAPTCHA has absolutely no place on Miraheze for several reasons:

reCAPTCHA is owned by Google, which is a massive tracking/surveillance company. The purpose of reCAPTCHA is for Google to crowdsource their work onto other people and to put trackers and other nasties onto every page that uses it. For the most part, Miraheze is free of these. All requests are in Miraheze and don't require a dependency on a third-party server. Except for reCAPTCHA, which both requires Miraheze's backend to have a dependency on an external server, and for users to be sending requests to Google servers, both breaching their privacy by keeping that data only on Miraheze but by using Miraheze, sending information to Google without their knowledge in the background. Fandom can keep those trackers and other nasties on their site, Miraheze is supposed to be free of that stuff. There's no ads, no clutter, and certainly shouldn't be any of this business.

This also breaks MediaWiki's commitment to w:unobtrusive JavaScript, which MediaWiki has a lot of information on. But as of right now, it is impossible to create an account without enabling JavaScript. This is a major problem for unobtrusive JavaScript which MediaWiki has for a reason and commits to. Being unable to do actions, especially basic actions like creating account, without enabling JavaScript is not okay. Even more damning, reCAPTCHA's JavaScript is proprietary, which requires users to run proprietary code to make an account, blatantly violating and damning Miraheze's free software commitment.

There are other, better ways to prevent spam, including many self hosted captchas, ones that do not require running proprietary JavaScript, are less of a burden or strain to fill out and stop spam better, which Miraheze can discuss and choose a new one to switch to.

Please bear in mind that this RFC seeks to remove reCAPTCHA, replacing it with another, better captcha that solves the problem above, not to just remove all captchas. All comments along the lines of "we need a captcha to prevent spam" or similar will be stricken.

Thanks for your time, Naleksuh (talk) 18:03, 7 February 2022 (UTC)

New Captcha
Sign your name on what you think should be the new captcha.

SimpleCaptcha
A simple captcha (that's the name) which requires you to answer a very basic math problem to pass. No dependencies or manual maintenance and works easily.

MathCaptcha
Like SimpleCaptcha, but displays an image with the problem instead of directly outputting text. A bit more maintenance for SRE, but may be more effective at stopping spam.
 * 1) Naleksuh (talk) 19:03, 7 February 2022 (UTC)

FancyCaptcha
Screenshots coming soon A more traditional type of captcha with skewed characters that must be identified. May be annoying to solve and requires some dependencies, but may be more effective at stopping spam than SimpleCaptcha.

QuestyCaptcha
Displays a question. Extremely effective at stopping spam (maybe even more than ReCaptcha), but requires tech debt on questions and users may not know the answer to them.

Discussion

 * ConfirmEdit has some interesting ones, the most popular one of which is QuestyCaptcha but has a bit more free form style. Any thoughts on those? Naleksuh (talk) 18:04, 7 February 2022 (UTC)
 * to my knowledge, support for visual editor is poor or nonexistent in all alternatives. ~ RhinosF1 - (chat)· acc· c -  18:13, 7 February 2022 (UTC)
 * It's my understanding that captchas are only being used to create accounts. Are they elsewhere too? That is even worse. Naleksuh (talk) 18:14, 7 February 2022 (UTC)
 * login, account creation and adding external URLs for new users. This has never been different. ~ RhinosF1 - (chat)· acc· c -  18:16, 7 February 2022 (UTC)
 * That's weird, I don't get any requests to Google servers when on the login screen. I certainly hope there aren't more wiretaps there. I will look into CAPTCHAs on Visual editor (although I'm not 100% sure it would have the desired result- I've never seen a spambot try to use the visual editor before). Naleksuh (talk) 18:19, 7 February 2022 (UTC)
 * Just noting that this comment is made in my capacity as a Miraheze user. From the start, I would note that in order to change to another captcha, an alternative or alternatives should be proposed, and ideally this should have been done by the proposer. Without being presented with a viable alternative, I don't see how we can discuss removing ReCapthca. Or if the purpose of this RfC is for people to propose their own captcha's that's fine, but how will it be clear which captcha is the preferred option which the community will propose to SRE? Reception123 (talk) ( C ) 18:25, 7 February 2022 (UTC)
 * My belief is that this is a request for comment, people can comment on the new captcha. I even gave my own suggestion, which is currently being discussed. "Replace X captcha with Y captcha" would be fundementally flawed for the same reason this is. What if people want to replace X, but oppose Y? That's one of the purposes of this RFC, to establish that. Naleksuh (talk) 18:29, 7 February 2022 (UTC)
 * In that case I think it would be more appropriate to have different sections for each proposal for a new Captcha, so it's clear who supports which Captcha, rather than have a long discussion where everything get's confused. I would've rather phrased this as 1) Do you wish to change from ReCaptcha? 2) Which Captcha would you prefer? Reception123 (talk) ( C ) 18:32, 7 February 2022 (UTC)
 * Fair enough. Let me experiment a bit with types of captcha and then I will add sections for each captcha type. Also, we need to discuss what we think about VisualEditor etc. My personal opinion is that 1) it not supporting VisualEditor is not a huge problem especially as bots usually use source 2) Even if that is a problem, the problems with ReCaptcha outweigh it so still worth switching 3) Problems are to be fixed, not avoided, unless they are out of our control like whatever Google is doing with ReCaptcha. Naleksuh (talk) 18:37, 7 February 2022 (UTC)


 * Dont you think this RfC should be Draftified so that it can be properly formatted as per suggestions from our recently closed RfC regarding RfCs? --  Joseph  TB  CT  CA   18:42, 7 February 2022 (UTC)
 * No, this is a discussion, and requiring draft RFCs failed. Naleksuh (talk) 18:51, 7 February 2022 (UTC)
 * I've just tried SimpleCaptcha, and it seems it works with VisualEditor perfectly fine. I have no idea what you were talking about. Infact, it's exactly the opposite-- the page warns ReCaptcha may break with VisualEditor. Yet another reason to switch. Naleksuh (talk) 18:51, 7 February 2022 (UTC)
 * What indications do you have that SimpleCaptcha/MathCaptcha are effective and can't be easily cracked by bots? I would note that I would oppose this based on MW.org which states that "Note that the display of a trivial maths problem as plaintext yields a captcha which can be trivially solved by automated means; as of 2012, sites using SimpleCaptcha are receiving significant amounts of spam and many automated registrations of spurious new accounts. Wikis currently using this as the default should therefore migrate to one of the other CAPTCHAs." Reception123 (talk) ( C ) 19:16, 7 February 2022 (UTC)
 * I never said SimpleCaptcha can't be cracked. It's called simple for a reason, and some of the other options are better. MathCaptcha is like SimpleCaptcha, but sends an image, which would require OCR to defeat. QuestyCaptcha is thought to be extremely effective, even more so than reCAPTCHA, but does have some drawbacks. Either way, even if it is less effective, it is my belief that reCAPTCHA is something Miraheze cannot use as it goes against its core principles, and that anything else is better. Naleksuh (talk) 19:55, 7 February 2022 (UTC)


 * 1) Yes, the new CAPTCHA is terrible. I don't know if it's still like this, but according to AbuseLog I still see spambots almost at work. Any good alternative is welcome. --YellowFrogger  ( talk ) ( ✔ ) 19:40, 7 February 2022 (UTC)