I have a self-hosted matrix-synapse server up and running on a Debian Linux server, but before I open it up I want to at least get a captcha service in place to reduce spamming. The only module I’ve seen to handle this function appears to require setting up a Google reCAPTCHA though; however, I would prefer to keep all of this entirely self-contained for the privacy of my users. Can anyone recommend a module that allows for a local captcha option? For that matter, can anyone also recommend a captcha system that is pretty straightforward to set up (which is compatible with matrix-synapse) and uses basic preinstalled code bases like Perl or Python?
And while I’m here, I would also like to provide the option of registering with an email address, but I’m having trouble finding any clear how-to pages on this. Seems like that function might be built directly into matrix-synapse but I’m just not finding anything helpful. Any suggestions?
I’m fairly new to Matrix in general, but I have an initial setup running with the homeserver, Element web page, and an IRC bridge, so if I can just nail down the validation part of registrations I’ll have what I think is a good starting point to launch from.
Worth noting, bots are now better than humans at captcha.
I’m not really surprised by this, but it still helps to have something in place to keep out the low-effort bots (and especially the low-effort humans). I also run some community-driven blocklists in front of things to knock out the worst of them.
I can’t help with a self-hosted captcha, but I do know that hCAPTCHA claims to be more privacy-respecting than reCAPTCHA. They also have a 1:1 compatibility layer with the reCAPTCHA API so it should be a drop-in replacement without too much effort.
I’m interested to hear if anyone chimes in with a self-hosted solution, but I’d imagine a managed solution would probably be best for an application of any size if you’re worried about bots.
Also, while I agree with the other poster that bots may be better than humans at solving captchas, I do want to say that they’re better than nothing. Just like I wouldn’t leave my front door unlocked (even though house doors are easily picked / broken), a simple deterrent is better than nothing. A site I was working on went from hourly spam to none at all with just a simple Cloudflare captcha.
You could use something like mCaptcha, which isn’t really a captcha (because it doesn’t do a Turing test), but fills the same use case, by providing users with a proof of work challenge, which rate limits them like a captcha would.
I tried their demo page but it just takes the login credentials and never actually shows a captcha. Maybe it’s broken? Could you tell me what I should be seeing here?
You need to register an account on their demo page (this account gets automatically deleted after a while). And then you can create deployments that can be embedded into other forms.
I’m lost… Based on their link I expected a “demo” page, you know, something that actually shows an example of the captcha that this code is supposed to provide? I didn’t even see a description of what kind of input their captcha requests from the users. It seems like I have to do a full installation just to learn something they could have provided in a single picture.
they will have to generate proof-of-work (a bunch of math that will take time to compute) and submit it to mCaptcha.
The user doesn’t have to do anything; your computer has to do the work.
Ooooohhhh! Well now, suddenly this sounds a lot more interesting! Thanks for that breakdown, because I completely missed the point of this one.
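
The proof-of-work idea described in the replies above, sketched as an added example that is not part of the original thread and is not mCaptcha's code or API. It is a generic hashcash-style scheme; every name and parameter (`issue_challenge`, `solve`, `verify`, `DIFFICULTY_BITS`, `TTL_SECONDS`) is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # hypothetical per-server secret
DIFFICULTY_BITS = 16                   # assumed cost: ~65,000 hashes on average
TTL_SECONDS = 120                      # assumed challenge lifetime
_spent = set()                         # salts already redeemed (replay guard)


def _tag(salt, expires, bits):
    # HMAC binds salt, expiry and difficulty so the client cannot alter them.
    msg = f"{salt}:{expires}:{bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Server: hand the registration form a signed, short-lived challenge."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    salt = secrets.token_hex(16)
    return {"salt": salt, "expires": expires, "bits": DIFFICULTY_BITS,
            "tag": _tag(salt, expires, DIFFICULTY_BITS)}


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge):
    """Client: the work the user's computer does; the user sees nothing."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge['salt']}:{nonce}".encode()).digest()
        if _leading_zero_bits(digest) >= challenge["bits"]:
            return nonce
        nonce += 1


def verify(challenge, nonce, now=None):
    """Server: a single hash to check, however long the client searched."""
    now = int(now if now is not None else time.time())
    expected = _tag(challenge["salt"], challenge["expires"], challenge["bits"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False                   # tampered, e.g. difficulty lowered
    if now > challenge["expires"] or challenge["salt"] in _spent:
        return False                   # expired or already redeemed
    digest = hashlib.sha256(f"{challenge['salt']}:{nonce}".encode()).digest()
    if _leading_zero_bits(digest) < challenge["bits"]:
        return False                   # not enough work done
    _spent.add(challenge["salt"])
    return True
```

Raising `DIFFICULTY_BITS` by one doubles the average client cost while the server's check stays a single hash, which is what makes this work as a rate limit on bulk registrations.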