Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

https://www.phpbb.com/ideas/
weber2
Registered User
Posts: 10
Joined: Tue Jan 14, 2020 3:54 am
Name: Dave Keenan

Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by weber2 »

Security can be increased by using Google's invisible reCAPTCHA in addition to another spambot countermeasure such as Q&A. Since Google's invisible reCAPTCHA performs its verification in the background, and no challenges are displayed if the user is deemed to be of low risk, there is no further inconvenience to legitimate users, beyond that of the Q&A itself.

You can experience this working on our registration page, where it has been working for over a year:
http://www.forums.aeva.asn.au/ucp.php?mode=register
After you click the "I agree ..." button you will see the Q&A at the bottom of the form, and the only way you know that invisible reCAPTCHA is also working is the "three arrows" reCAPTCHA icon in the bottom right corner of the window.

This was done by modifying PHP and HTML code, and has no user interface. Here are the two modified files that make it work for the above registration page. To find the mods, search on "Dave" or diff them with the originals.
<forum>/styles/prosilver/template/ucp_register.html
<forum>/includes/ucp/ucp_register.php

I propose that Enabled/Disabled radio buttons be added to the end of ACP->Spambot countermeasures->Available plugins with the Description:

Combine with invisible reCAPTCHA:
Use Google's invisible reCAPTCHA in addition to the above selected plug-in.
Last edited by weber2 on Sun Apr 25, 2021 8:14 am, edited 2 times in total.
david63
Registered User
Posts: 19423
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Allow invisible reCAPTCHA to be combined with other spambot countermeasures

Post by david63 »

Not sure that there would be any advantage in having multiple Captchas - the current ones (Q&A in particular) work very well when configured correctly. Adding more will only result in complications.
weber2
Registered User
Posts: 10
Joined: Tue Jan 14, 2020 3:54 am
Name: Dave Keenan

Re: Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by weber2 »

Hi david63. I'm not proposing to allow multiple CAPTCHAs in general. Just one visible and one invisible. I've changed the thread title to make that clearer. It seems to me that some bots may be stopped by one kind, and other bots stopped by the other kind, or at least take longer to crack them both.

What kind of complications do you foresee?
HaioPaio
Registered User
Posts: 180
Joined: Mon Jan 08, 2018 7:39 pm

Re: Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by HaioPaio »

I think this idea could improve spam protection without causing problems.
However, I think the task should preferably be done via extension, provided extensions technically could provide such a function.
weber2
Registered User
Posts: 10
Joined: Tue Jan 14, 2020 3:54 am
Name: Dave Keenan

Re: Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by weber2 »

I don't think it can be implemented by extension, as things stand now. But that would be a minimal version of my request: to please make whatever changes are required to the core so that this can be implemented by extension, and that someone please write such an extension.

I don't know much about that, but I think it would at least require the addition of some new events, e.g.
<!-- EVENT ucp_register_captcha_before -->
and
<!-- EVENT ucp_register_captcha_after -->
to the file <forum>/styles/prosilver/template/ucp_register.html.
And possibly some supporting changes to <forum>/includes/ucp/ucp_register.php.
weber2
Registered User
Posts: 10
Joined: Tue Jan 14, 2020 3:54 am
Name: Dave Keenan

Re: Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by weber2 »

Forget the radio buttons. Could it be implemented as a new CAPTCHA plug-in? So when you look at the drop-down list in ACP->Spambot countermeasures->Installed plug ins, as well as "Q&A" you would see an option: "Q&A + invisible reCAPTCHA"?
Heo32
Registered User
Posts: 196
Joined: Sat Jan 07, 2017 10:08 pm

Re: Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by Heo32 »

I'm not going to vote on this for several reasons, but I will provide some feedback.
weber2 wrote:
Sun Apr 25, 2021 2:46 am
Security can be increased by using Google's invisible reCAPTCHA in addition to another spambot countermeasure such as Q&A.
Wrong. Security has nothing to do with bot registration. There are never any compromises from merely registering on forums by people or bots, so stating this as fact is simply false.

There have been some security-related settings that needed (or need) to be changed for Google's No CAPTCHA reCAPTCHA to function. Essentially, using this function means you remove some security from your site. These are the required changes in the php.ini file for Google's No CAPTCHA reCAPTCHA to work:

From: session.use_strict_mode = 0
To: session.use_strict_mode = 1

The "session.use_strict_mode" should always be set to "1" as a security measure. Strict mode protects applications from session fixation via session adoption vulnerability.

From: allow_url_fopen = Off
To: allow_url_fopen = On

Having "allow_url_fopen" set to "On" also imposes a security risk. I will not provide details, but you will note this on various websites.
3Di
Former Team Member
Posts: 16487
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milano 🇮🇹 Frankfurt 🇩🇪
Name: Marco

Re: Allow invisible reCAPTCHA to be combined with another countermeasure such as Q&A

Post by 3Di »

Heo32 wrote:
Wed Apr 28, 2021 11:35 am
Having "allow_url_fopen" set to "On" also imposes a security risk. I will not provide details, but you will note this on various websites.
Are you aware that Google reCAPTCHA v3 invisible (in phpBB) has 3 ways to be used (automatically) in order to get in touch with the server? Like cURL, for example, if needed. Visit the ACP of a 3.3.3 board, so that you can see.
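The combination discussed in this thread, as an added example that is not phpBB's code or any poster's modification: a registration check that passes only when both the Q&A answer and the server-side reCAPTCHA verification succeed, with the verification request sent over cURL so that `allow_url_fopen` can stay `Off`. The function names, the 0.5 score threshold and the stubbed responses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpBB code. Function names and the 0.5 threshold are assumptions.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// POST over cURL, so allow_url_fopen can remain Off in php.ini.
function curl_post(string $url, array $fields): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// True only when siteverify reports success (and, for v3, a score at or above the threshold).
function recaptcha_ok(string $token, string $secret, callable $post, float $min_score = 0.5): bool
{
    if ($token === '') {
        return false;                       // no token submitted: fail closed
    }
    $body = $post(SITEVERIFY_URL, ['secret' => $secret, 'response' => $token]);
    $json = is_string($body) ? json_decode($body, true) : null;
    if (!is_array($json) || ($json['success'] ?? false) !== true) {
        return false;                       // network error, bad JSON or rejected token
    }
    return !isset($json['score']) || $json['score'] >= $min_score;
}

// Registration passes only when BOTH countermeasures pass.
function registration_allowed(string $answer, array $accepted, bool $recaptcha_ok): bool
{
    return $recaptcha_ok && in_array(strtolower(trim($answer)), $accepted, true);
}

// Constructed demo: stub transports stand in for Google's reply so this runs offline.
$pass = fn(string $u, array $f): string => '{"success": true, "score": 0.9}';
$fail = fn(string $u, array $f): string => '{"success": false, "error-codes": ["invalid-input-response"]}';
var_dump(registration_allowed(' Blue ', ['blue'], recaptcha_ok('tok', 'secret', $pass))); // Q&A and reCAPTCHA both checked
var_dump(registration_allowed('blue', ['blue'], recaptcha_ok('tok', 'secret', $fail)));   // Q&A right, token rejected
```

In a live deployment, pass `'curl_post'` as the `$post` argument in place of the stubs.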