Register reCAPTCHA Broken
-
The reCAPTCHA on the registration page seems to be broken. I click that I'm not a robot, select the squares, get this:
Buuuuut...when I click the "Register Now" button:
Anyone have any ideas?
For the record, this was reported to me by the Inedo employee who has been working on the server and just tried to register an account.
-
@boomzilla do either of you have anything installed that might mess with the js or anything else? uBlock? Ad blockers?
I've seen them cause it to fail. Or at least they succeeded when I disabled those extensions.
-
@boomzilla said in Register reCAPTCHA Broken:
Anyone have any ideas?
Yes. Fuck off with the stupid Captcha bullshit. It accomplishes nothing and is security theater at its worst.
Thank you for asking.
-
Time synchronization issues?
-
@El_Heffe said in Register reCAPTCHA Broken:
@boomzilla said in Register reCAPTCHA Broken:
Anyone have any ideas?
Yes. Fuck off with the stupid Captcha bullshit. It accomplishes nothing and is security theater at its worst.
Thank you for asking.
Also this.
-
@Polygeekery said in Register reCAPTCHA Broken:
@boomzilla do either of you have anything installed that might mess with the js or anything else? uBlock? Ad blockers?
I've seen them cause it to fail. Or at least they succeeded when I disabled those extensions.
I turned off noScript in the browser I was using. I guess I need to see if there's a bug in this unstable version of NodeBB that Ben put us on.
-
Why does every page of the forum also load https://hcaptcha.com/1/api.js, even when one is logged in? (Could it be related?)
-
@Polygeekery said in Register reCAPTCHA Broken:
@El_Heffe said in Register reCAPTCHA Broken:
@boomzilla said in Register reCAPTCHA Broken:
Anyone have any ideas?
Yes. Fuck off with the stupid Captcha bullshit. It accomplishes nothing and is security theater at its worst.
Thank you for asking.
Also this.
Spambots are unfortunately very common. It can be argued that CAPTCHAs are not effective, but the problem they are attempting to solve, at least, is real.
-
@error but are they anything more than security theater?
It's my understanding that the one we use only looks for movement of the cursor. I've never attempted to fool one of these recaptchas, but I can't imagine it is anything more than trivial to accomplish.
I've also triggered them on several occasions. I was dropped on to a page with my cursor in an input field, completed the form by tabbing through, tabbed to the recaptcha confirm without thinking of it and got told I was a robot.
-
@Polygeekery said in Register reCAPTCHA Broken:
@error but are they anything more than security theater?
It's my understanding that the one we use only looks for movement of the cursor. I've never attempted to fool one of these recaptchas, but I can't imagine it is anything more than trivial to accomplish.
When I was trying it I had to pick the squares that had (taxi, traffic light, hills, etc) in their pictures. I don't think it's the captcha that's broken. I suspect something in NodeBB changed that affected the way it talks to the Spam-Be-Gone plugin, which manages the captcha itself.
-
@boomzilla said in Register reCAPTCHA Broken:
When I was trying it I had to pick the squares that had (taxi, traffic light, hills, etc) in their pictures.
I didn't have to. Maybe because of mobile?
-
@Polygeekery said in Register reCAPTCHA Broken:
@boomzilla said in Register reCAPTCHA Broken:
When I was trying it I had to pick the squares that had (taxi, traffic light, hills, etc) in their pictures.
I didn't have to. Maybe because of mobile?
I believe you only get the checkbox if it's already reasonably confident you're a human.
-
@Polygeekery hmmm, that sounds different.
-
@PleegWat said in Register reCAPTCHA Broken:
@Polygeekery said in Register reCAPTCHA Broken:
@boomzilla said in Register reCAPTCHA Broken:
When I was trying it I had to pick the squares that had (taxi, traffic light, hills, etc) in their pictures.
I didn't have to. Maybe because of mobile?
I believe you only get the checkbox if it's already reasonably confident you're a human.
It gives you progressively harder challenges depending on its confidence interval. Submitting the same form multiple times, even from multiple computers on the same net address, is considered "suspicious," and you'll start getting more and more difficult challenges. At the upper end you're asked to solve half a dozen before it accepts your input.
Fun fact: web developers often need to submit a form many times to test it.
-
@error Also, there is some evidence that if you use a non-Chrome browser and/or aren't tracked by Google, you get harder ones, while Chrome users get a fast pass
-
@hungrier I was using firefox when I tested.
-
@hungrier said in Register reCAPTCHA Broken:
@error Also, there is some evidence that if you use a non-Chrome browser and/or aren't tracked by Google, you get harder ones, while Chrome users get a fast pass
Since I use Firefox with private mode for everything, I always need to solve these fucking puzzles, several times. And most of the time it’s either not clear what the correct answer is or they’re outright wrong.
So, as usual, Google.
-
@julianlam confirmed there was a regression somewhere so for now I've switched over to hCaptcha.
-
@HardwareGeek
For extra security, NodeBB always shows 8 · characters for your password, regardless of length
-
@izzion I do the same thing with my penis. I claim that it is 8", regardless of length.
-
@Polygeekery
You are not fooling anyone
-
@Luhmann especially not my wife or any prior lovers. They know the truth. It's like a Pringles can with veins.
-
@Polygeekery said in Register reCAPTCHA Broken:
It's my understanding that the one we use only looks for movement of the cursor. I've never attempted to fool one of these recaptchas, but I can't imagine it is anything more than trivial to accomplish.
It does not. It does use stuff like that, in addition to whatever Google can find on you (meaning Incognito or Tor users are punished much more heavily than logged-in users - effectively does a pretty good job at blocking most bots)
-
@izzion said in Register reCAPTCHA Broken:
@HardwareGeek
For extra security, NodeBB always shows 8 · characters for your password, regardless of length
Our UX designers wanted to show grayed out icons for the characters not yet entered. They just don't seem to grasp any security concepts. Oh, and show a checkmark icon when the last correct char (actually digit, as it's a passcode) was entered. I think I talked them out of that. (And I don't even do security!)
-
@dcon said in Register reCAPTCHA Broken:
@izzion said in Register reCAPTCHA Broken:
@HardwareGeek
For extra security, NodeBB always shows 8 · characters for your password, regardless of length
Our UX designers wanted to show grayed out icons for the characters not yet entered. They just don't seem to grasp any security concepts. Oh, and show a checkmark icon when the last correct char (actually digit, as it's a passcode) was entered. I think I talked them out of that. (And I don't even do security!)
: We don't even know the user's password length.
: That's impossible, just count the characters! You programmer people are just needlessly obstructionist.
-
@topspin said in Register reCAPTCHA Broken:
Actually, my direct quote to them was "we can't know the length if we're doing things correctly"!
Wait, were you in that meeting???
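-
Added example, not part of the thread and not NodeBB's code: a sketch of the point made above that a correctly stored password gives the server no length to display, so a fixed-width mask is the only honest rendering. The PBKDF2 parameters, the record layout and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SALT_LEN = 16          # assumed salt size for this sketch
ITERATIONS = 200_000   # assumed work factor for this sketch
MASK_WIDTH = 8         # fixed mask width, as described in the thread


def make_record(password: str) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest. The plaintext is never stored."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def mask_for_display(record: bytes) -> str:
    """The record carries no length information, so the mask is a constant."""
    return "\u00b7" * MASK_WIDTH


def record_lengths(passwords) -> set:
    """Collect the stored-record sizes for passwords of different lengths."""
    return {len(make_record(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample inputs: a 4-digit passcode and a long passphrase.
    samples = ["1234", "correct horse battery staple"]
    print(record_lengths(samples))            # one size for every input
    rec = make_record(samples[0])
    print(verify("1234", rec), verify("1235", rec))
    print(mask_for_display(rec))
```

Verification happens only on a complete submission, so there is no per-character or "last correct digit" signal for a client to render.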