It would be great if we could have the captcha field autofilled and hidden in javascript, as an option.

This feature would be a major usability improvement.

Vianney Stroebel
Likwid - Spécialistes Drupal - Paris

Comments

soxofaan

Status: Active » Closed (duplicate)

This has been discussed before:
#489300: Math challenge feature: autosolve with jQuery tricks?
http://groups.drupal.org/node/4883

but so far, there is no real implementation yet.

Viybel

Status: Closed (duplicate) » Active

Actually, this is not a duplicate of #489300: Math challenge feature: autosolve with jQuery tricks?.

Let me rephrase it:

Captchas are annoying. They should be used only if there is no better way to tell a human from a spam bot.

As far as I know, there is one thing that most browsers do that spam bots don't: execute javascript.

So there should be an option in the Captcha module to proceed like this:

  1. The Captcha module inserts in the form a few lines of javascript that contains the right answer.
  2. When the form is rendered, the javascript code hides the captcha with display:none and fills it in with the right answer.

So the captcha would only be shown to spam bots and to browsers that are not javascript enabled.

I could dive into the Captcha module and code it myself, but before that I'd rather collect feedback. It seems such a simple idea that there must be a reason why nobody mentions it. Am I missing something?

Vianney Stroebel
Likwid - Spécialistes Drupal - Paris

soxofaan

Well, I largely think it's a feature request duplicate from the user point of view.

As far as I understand your suggestion, there are two main differences with the request of #489300: Math challenge feature: autosolve with jQuery tricks?:

  • you want to support this in CAPTCHA core, so it is available to all challenges (math, image, CAPTCHA pack, reCAPTCHA, ...)
  • you want to send the solution itself to the client (instead of challenge solving code) and add some javascript to put the solution in the form and hide the CAPTCHA

Sending the solution with the CAPTCHA to the client seems like asking for trouble because you create a backdoor for the spam bots to get the right answer. Note that spam bots don't necessarily have to execute Javascript for this if they can just read the solution in the source code. You would need at least a decent level of obfuscation/encryption as a countermeasure.
But in the end, you still are sending the solution, with means and info on how to decrypt it. So when the return on investment for spam bot farmers is large enough to add intelligence to decrypt or even start executing the javascript, you're screwed :)

As long as the feature would be used on small scale, low profile sites, I don't expect this to be a problem, so it certainly can be a useful feature to have.
But once it gets gamed on a high profile site, the small sites would suffer too. This could be limited by also obfuscating/transforming the javascript code so that two sites with this feature enabled would have differently looking CAPTCHA-autofill-javascript code.

It seems such a simple idea that there must be a reason why nobody mentions it

It is indeed a simple idea, but implementing it so it won't be cracked in a heartbeat requires a bit more than a simple javascript "one-liner".

Another issue is that not all challenges use a simple textfield for the solution. So, I'm not sure if a general solution will be feasible.
Moreover with challenges like ReCAPTCHA and egglue, the CAPTCHA core module doesn't even know the solution as the validation is done at a third party server.
That's why I would suggest to do #489300: Math challenge feature: autosolve with jQuery tricks? (which is easy and does not involve sending the solution to the client), rather than investing a lot of work in a convoluted general solution.

my 2c

Viybel

Title: Autofill and hide field in javascript » Bypass and hide captcha if jQuery is loaded

This feature would, of course, only be useful to low profile websites (probably 99,9% of Drupal sites). The same websites that use simple captchas, like those in captcha_pack.

Indeed, a spammer willing to bypass this particular test would not even have to crack anything: they would just need to have their spambot execute the script!

But I doubt any spammer in the world will have their global spambots execute javascript just because a few hundred (or even thousand) Drupal websites have enabled this feature...

In the case of high profile websites, if a spambot starts bypassing the javascript test, they will just need to disable this feature.

As for the test with no text field or with no solution provided, you're right: this feature does not apply.

Which makes me think that what we are talking about is just testing that javascript is enabled on the browser. Or better still, testing that a key has been pressed and that the mouse has been moved and that a delay of two seconds has passed since page load.

But this is a pretty different feature. Is it ok if I create another issue with it? Otherwise, no one would see my last suggestion.

Vianney Stroebel
Likwid - Spécialistes Drupal - Paris

Viybel

Title: Bypass and hide captcha if jQuery is loaded » Autofill and hide field in javascript

Sorry, I changed the title by mistake. Changing back to original.

soxofaan

Which makes me think that what we are talking about is just testing that javascript is enabled on the browser. Or better still, testing that a key has been pressed and that the mouse has been moved and that a delay of two seconds has passed since page load.

No, this won't work.
I'm not a spam bot expert, but I don't think that a regular spam bot uses a real browser in some way. I guess it's basically just a script that fetches a URL and sends POST data back (that's how I would write a spam bot). There is no point in testing what happens client side, because all that stuff can be gamed. How can you tell the difference at server side between a genuine javascript supporting client and a spam bot that just says/pretends that it supports javascript? Between server and client, you can only ask questions and get responses back, but you can't prevent someone from lying/pretending. The point of a CAPTCHA is that you have a response that can't be known in advance without processing an imposed (random) challenge (we ignore lucky random guesses here). The CAPTCHA system assumes that solving the challenge is the result of real human skills.

Anyway, I think we agree the feature can be useful, given:

  • there is enough obfuscation (to hide the solution) and polymorphism (to hide the solution handling code)
  • the site admin is informed that the feature adds a backdoor mechanism and should be used with care (e.g. not on important, high profile sites)
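
The two designs contrasted in this thread (shipping the answer to the client so javascript can fill and hide the field, versus keeping it in server-side state and sending only the challenge), written out as an added example; this is constructed illustration code, not the CAPTCHA module's own, and every function name and the session dict are hypothetical. The audit helper answers the question raised above: does the answer show up in the response body at all, where a bot that merely parses HTML would find it without running any script? The server-side variant also shows the one-time, constant-time check that the "random challenge, unknown response" argument relies on.

```python
"""Constructed example: where does the CAPTCHA answer live?

Hypothetical helpers only; nothing here is the Drupal CAPTCHA module's code.
"""
import hmac
import html
import re
import secrets


def build_challenge(a=None, b=None):
    """Return (question, answer) for a simple addition challenge.

    Operands are random unless supplied (fixed values are handy for testing).
    """
    if a is None:
        a = secrets.randbelow(10)
    if b is None:
        b = secrets.randbelow(10)
    return f"{a} + {b} = ", str(a + b)


def render_autofill(question, answer):
    """The 'autofill and hide' idea: the answer itself travels to the client."""
    script = (
        f'document.getElementById("captcha").value = "{answer}";'
        'document.getElementById("captcha-wrapper").style.display = "none";'
    )
    return (
        '<form method="post">'
        '<div id="captcha-wrapper">'
        f'<label>{html.escape(question)}</label>'
        '<input id="captcha" name="captcha_response">'
        '</div>'
        f'<script>{script}</script>'
        '</form>'
    )


def render_server_side(question, answer, session):
    """Conventional flow: the answer stays in server-side session state."""
    session["captcha_answer"] = answer
    return (
        '<form method="post">'
        '<div id="captcha-wrapper">'
        f'<label>{html.escape(question)}</label>'
        '<input id="captcha" name="captcha_response">'
        '</div>'
        '</form>'
    )


SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def answer_in_scripts(page, answer):
    """Audit check: does any inline script in the response carry the answer?

    No JavaScript engine is needed to find it; a plain text search suffices.
    """
    return any(answer in body for body in SCRIPT_RE.findall(page))


def validate(session, submitted):
    """Server-side check: the stored answer is consumed once and compared in
    constant time, so a client that never fetched a challenge cannot pass."""
    expected = session.pop("captcha_answer", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    question, answer = build_challenge(3, 4)
    leaky = render_autofill(question, answer)
    print("autofill page carries the answer:", answer_in_scripts(leaky, answer))
    session = {}
    safe = render_server_side(question, answer, session)
    print("server-side page carries the answer:", answer_in_scripts(safe, answer))
    print("correct submission accepted:", validate(session, "7"))
    print("replay of the same answer rejected:", validate(session, "7"))
```

Obfuscating the embedded script would only change what the audit searches for; as long as the decoding logic ships in the same response, the check can be extended to apply it, which is the point made above about obfuscation buying little.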

Viybel

Sorry, but I really don't see the point in this "security expert" talk.

There are hundreds of thousands of Drupal websites that need protection from generic spambots, i.e. those who won't bother faking a keyboard, a mouse, a browser chrome or wait a few seconds for each form they visit. What's more, most of them don't even load the form, they just send a POST request, as you said yourself. These surely would not pass this test!

Shouldn't we focus on relieving webmasters and users from any hassles (spam or captchas)? Isn't that what the Captcha module is about?

There must be only a handful of those $1,000,000 websites that spammers specifically target with custom spambots, that are built on Drupal and that use the Captcha module. If any of them ever use this feature (which I doubt), they would realize in a few hours that it's a mistake and disable it in one click.

Thanks anyway for taking the time to discuss this.

UPDATE:

This module implements an "invisible captcha", with javascript and cookie:

http://blog.ag-prime.com/2009/06/drupal-captcha-invisible-captcha-challe...

I think it should be implemented not as a captcha, but as an option in the Captcha module, so that a regular captcha can be shown to users that don't have js or cookies enabled.

What do you think?

Vianney Stroebel
Likwid - Spécialistes Drupal - Paris

soxofaan

Sorry, but I really don't see the point in this "security expert" talk.

Well, we're talking about the CAPTCHA core module here and it would be unwise to include features that are broken by design IMHO.
But in any case, you don't have to convince me that it would be a useful option to have. I hope I got that message across already.

About your suggestion of the invisible CAPTCHA module, I already commented a bit about it on #598330: Invisible javascript test before captcha fallback. In short: I think it should be kept separate from CAPTCHA core.

I propose to keep this feature simple for now and only do the autosolving+hiding in javascript.

wundo

Status: Active » Closed (outdated)