This feature request was the outcome of an earlier discussion: http://drupal.org/node/590942

Let's face it: captchas are a pain in the ass. They just replace an annoyance (spam) by another. And if we are serious about improving usability, we shouldn't place the burden of spam protection on our users. And third party solutions like Mollom also have drawbacks.

Generic spambots don't even try to simulate a human user with a browser. They don't execute javascript and they don't store cookies. So there must be a better way!

A recent module implements an "invisible captcha", with javascript and cookie:

http://blog.ag-prime.com/2009/06/drupal-captcha-invisible-captcha-challe...

I haven't tried it and I don't know anything about the author, but I think it shouldn't be implemented as a captcha (which it isn't), but as an option in the Captcha module.

This way, the regular captcha would only be used as a fallback for users that don't have js or cookies enabled.

In order to make it even more difficult for generic spambots to simulate a real user, the javascript code could also test that a key has been pressed and that the mouse has been moved and that a delay of two seconds has passed since page load, and that the page is shown inside a chrome window.

Of course, this option would not be of any use for the few high profile websites that spammers target with specific spambots, because these protections could then easily be bypassed.

What do you think?

Vianney Stroebel
Likwid - Spécialistes Drupal - Paris

Comments

soxofaan

Status: Active » Closed (duplicate)

At first sight I thought this was a duplicate of #590942: Autofill and hide field in javascript, but apparently you're requesting to include (something like) that invisible CAPTCHA challenge in the CAPTCHA core module.

I'm not convinced that including it in the CAPTCHA core module is a good idea.
First, it already exists as a standalone module, and I don't see any structural need to merge it with CAPTCHA core. Moreover, the challenge is very easy to game, and adding it to CAPTCHA core would raise exposure and make it more attractive for spammers to hack. I think it's better to keep this module separate from CAPTCHA core.
Second, I took a quick look at the module and as far as I could determine, the module does not provide a fallback when javascript or cookies are not available. This is a bad thing and not really acceptable for CAPTCHA core.

In conclusion, I think only #590942: Autofill and hide field in javascript makes sense for CAPTCHA core, because it includes a fallback by design. When javascript is enabled, the visitor would see/feel the same as with the invisible CAPTCHA module: nothing. Consequently I would propose to flag this thread as a duplicate.

Another thing, if you are really concerned with the user experience of your visitors, you should also check out the Mollom module, which only shows a CAPTCHA when the user's submission smells spammy.

Viybel

The whole point of my feature request was indeed to show captchas only as fallbacks when js or cookies are disabled.

Other people may want to discuss this, and they won't see this issue if it's closed or flagged as a duplicate.

Vianney Stroebel
Likwid - Spécialistes Drupal - Paris

soxofaan

Status: Closed (duplicate) » Active

> Please, stop flagging issues as duplicate when they aren't.

I didn't mean to offend or something. I wasn't blindly flagging around: I argued in #1 why I flagged it as duplicate. I guess I didn't understand what you are requesting then. I still don't, I'm afraid :-)

> The whole point of my feature request was indeed to show captchas only as fallbacks when js or cookies are disabled.

This sounds like you want a (what I would call) "opt-in" system for CAPTCHAs:

  • by default there is no CAPTCHA
  • when the visitor has no js and no cookies: add a CAPTCHA

How do you see this implemented in practice? You first offer a form without CAPTCHA, the visitor posts it, when you detect that the user has javascript: you accept the form, otherwise you reshow the form (as if there was an error), but now with a CAPTCHA?
This is a lot like the workflow with Mollom, but the main difference is that the CAPTCHA is added when the content smells like spam, which is more valuable than an easy to game javascript/cookie-availability test.
An opt-in system for CAPTCHA seems like asking for problems, unless the switch when to add CAPTCHA is smart/powerful enough. IMHO a javascript/cookie-availability test is too weak.

CAPTCHA core now provides a basic CAPTCHA system:

  • Always add a CAPTCHA for untrusted users.

The goal of #590942: Autofill and hide field in javascript is to increase the user friendliness (at expense of making it easier for advanced spam bots) and proposes an "opt-out" approach:

  • by default: add a CAPTCHA
  • when the visitor has javascript/cookies/somethingelse: remove/autosolve the CAPTCHA

So,

  • Is your feature request about an opt-in CAPTCHA system? If it would only include a javascript/cookie-availability test, I would not support the implementation in CAPTCHA core. However, if a lot of people still want this feature, it is possible to implement this in a separate module, outside of CAPTCHA core (with a dependency on CAPTCHA core and largely reusing it of course).
  • Is your feature request about an opt-out CAPTCHA system? If so, what is the difference with #590942: Autofill and hide field in javascript then?

wundo

Status: Active » Closed (outdated)
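
Added example, not part of the thread and not code from the CAPTCHA module or the invisible captcha module: a server-side check for the "opt-out" workflow discussed above, where the visible CAPTCHA is required by default and waived only when the JavaScript/cookie proof checks out. The HMAC-signed timestamp token, the one-hour expiry and all function and field names are assumptions made for this illustration; signing the timestamp lets the server verify the two-second delay itself instead of trusting a client-reported value.

```javascript
// Added illustration; every name here is hypothetical.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; use a per-site secret
const MIN_DELAY_MS = 2000;                // "two seconds since page load" from the post
const MAX_AGE_MS = 60 * 60 * 1000;        // assumption: a token is valid for one hour

function sign(issuedAt) {
  return crypto.createHmac('sha256', SECRET).update(String(issuedAt)).digest('hex');
}

// Called when the form is rendered. The token is set as a cookie, and the
// page's JavaScript copies it into a hidden field after it has seen input events.
function issueToken(now) {
  return `${now}.${sign(now)}`;
}

// Returns the issue time if the MAC verifies, otherwise null.
function tokenIssuedAt(token) {
  const [ts, mac] = String(token || '').split('.');
  if (!/^\d+$/.test(ts) || !/^[0-9a-f]{64}$/.test(mac || '')) return null;
  const expected = Buffer.from(sign(ts), 'hex');
  return crypto.timingSafeEqual(Buffer.from(mac, 'hex'), expected) ? Number(ts) : null;
}

// Opt-out decision: true means the visible CAPTCHA must still be shown.
function captchaRequired(submission, now) {
  const { cookieToken, fieldToken, keyPressed, mouseMoved } = submission;
  // Missing cookie or missing JS-filled field: fall back to the regular CAPTCHA.
  if (!cookieToken || cookieToken !== fieldToken) return true;
  const issuedAt = tokenIssuedAt(cookieToken);
  if (issuedAt === null) return true;                      // forged or garbled token
  const age = now - issuedAt;
  if (age < MIN_DELAY_MS || age > MAX_AGE_MS) return true; // too fast, or stale
  // Key/mouse flags are reported by the client, so a targeted bot can set them;
  // they only filter generic bots, as the thread itself points out.
  return !(keyPressed === true && mouseMoved === true);
}
```

Any failed check returns the visitor to the regular CAPTCHA rather than rejecting the submission, which is the fallback behaviour the thread asks for.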