Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

weber2 · Post by **weber2** » Sun Apr 25, 2021 2:46 am

Security can be increased by using Google's invisible reCAPTCHA in addition to another spambot countermeasure such as Q&A. Since Google's invisible reCAPTCHA performs its verification in the background, and no challenges are displayed if the user is deemed to be of low risk, there is no further inconvenience to legitimate users, beyond that of the Q&A itself.

You can experience this working on our registration page, where it has been working for over a year:
http://www.forums.aeva.asn.au/ucp.php?mode=register
After you click the "I agree ..." button you will see the Q&A at the bottom of the form, and the only way you know that invisible reCaptcha is also working, is the "three arrows" reCaptcha icon in the bottom right corner of the window.

This was done by modifying php and html code, and has no user interface. Here are the two modified files that make it work for the above registration page. To find the mods, search on "Dave" or diff them with the originals.
<forum>/styles/prosilver/template/ucp_register.html
<forum>/includes/ucp/ucp_register.php

I propose that Enabled/Disabled radio buttons be added to the end of ACP->Spambot countermeasures->Available plugins with the Description:

Combine with invisible reCAPTCHA:
Use Google's invisible reCAPTCHA in addition to the above selected plug-in.

david63 · Post by **david63** » Sun Apr 25, 2021 7:43 am

Not sure that there would be any advantage in having multiple Captchas - the current ones (Q&A in particular) work very well when configured correctly. Adding more will only result in complications.

weber2 · Post by **weber2** » Sun Apr 25, 2021 8:10 am

Hi david63. I'm not proposing to allow multiple CAPTCHAs in general. Just one visible and one invisible. I've changed the thread title to make that clearer. It seems to me that some bots may be stopped by one kind, and other bots stopped by the other kind, or at least take longer to crack them both.

What kind of complications do you foresee?

HaioPaio · Post by **HaioPaio** » Sun Apr 25, 2021 12:00 pm

I think, this idea could improve spam protection without causing problems.
However, I think the task should be done preferably via extension. Provided extensions technically could provide such function.

weber2 · Post by **weber2** » Mon Apr 26, 2021 12:45 am

I don't think it can be implemented by extension, as things stand now. But that would be a minimal version of my request. To please make whatever changes are required to the core, so that this can be implemented by extension. And that someone please write such an extension.

I don't know much about that, but I think it would at least require the addition of some new events, e.g.

and

to the file <forum>/styles/prosilver/template/ucp_register.html.
And possibly some supporting changes to <forum>/includes/ucp/ucp_register.php.

weber2 · Post by **weber2** » Mon Apr 26, 2021 1:02 am

Forget the radio-buttons. Could it be implemented as a new CAPTCHA plug in? So when you look at the drop-down list in ACP->Spambot countermeasures->Installed plug ins, as well as "Q&A" you would see an option: "Q&A + invisible reCaptcha"?

Heo32 · Post by **Heo32** » Wed Apr 28, 2021 11:35 am

I'm not going to vote on this for several reasons, but I will provide some feedback.

weber2 wrote: ↑Sun Apr 25, 2021 2:46 am Security can be increased by using Google's invisible reCAPTCHA in addition to another spambot countermeasure such as Q&A.

Wrong. Security has nothing to do with bot registration. There are never any compromises from merely registering on forums by people or bots, so stating this as fact is simply false.

There have been some security-related settings that needed (or need) to be changed for Google's No CAPTCHA reCAPTCHA to function. Essentially, using this function means you remove some security from your site. These are the required changes in the php.ini file for Google's No CAPTCHA reCAPTCHA to work:

From: session.use_strict_mode = 0
To: session.use_strict_mode = 1

The "session.use_strict_mode" should always be set to "1" as a security measure. Strict mode protects applications from session fixation via session adoption vulnerability.

From: allow_url_fopen = Off
To: allow_url_fopen = On

Having "allow_url_fopen" set to "On" also imposes a security risk. I will not provide details, but you will note this on various websites.

3Di · Post by **3Di** » Wed Apr 28, 2021 11:59 am

Heo32 wrote: ↑Wed Apr 28, 2021 11:35 am Having "allow_url_fopen" set to "On" also imposes a security risk. I will not provide details, but you will note this on various websites.

Are you aware the google recaptcha v3 invisible (in phpBB) has 3 ways to be used (automatically) in order to get in touch with the server? Like cURL for example, if needed. Visit the ACP of a 3.3.3 board, so that you can see.

Votes

Status