From 80f64e4246a09418dfc6b39f3a0ab5ef6fbdecb4 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Thu, 20 Aug 2020 23:59:42 +0200 Subject: [PATCH 01/10] Create 2733-add-hCaptcha-as-captcha-provider.md --- .../2733-add-hCaptcha-as-captcha-provider.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 proposals/2733-add-hCaptcha-as-captcha-provider.md diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md new file mode 100644 index 00000000000..f2358b3232c --- /dev/null +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -0,0 +1,40 @@ +# MSC02733 : Add hCaptcha as captcha provider + +This MSC proposes to generalize the use of a captcha api in the matrix spec and that +hCaptch is to be added to to provide a more privacy focused alternative to reCaptcha. + +## Context + +Since google is well known for their misuse of their customers data and general disregard +for basic privacy rights it is desireable to distance the Matrix spec from such a company. +The ubiquitously used reCaptcha is one such mechanism to accumulate more private data for Google. + +## Proposal + +The Matrix spec should not directly reference reCaptcha as the only captcha provider. +The spec should be generalized to use multiple captcha API's. hCaptcha should be added first +as a captcha provider and also should be used as the default moving forward. + +This move would have multiple benefits: +* Not relying on Google +* Protecting users privacy, see [here](https://www.hcaptcha.com/privacy) +* The captchas are easier to solve and aren't confusing like reCaptcha sometimes can be (only from own and anecdotal experiences) +* Used by Cloudflare, see [here](https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/). +* Supports [Privacy Pass](https://privacypass.github.io/) + +## Alternatives + +Some alternatives have been discussed in multiple Issues [1]. +There are generally two views regarding alternatives for reCaptcha. Design oriented and Security/Privacy oriented. +For Design, there are two notable mentions: +* [VisualCaptcha](https://visualcaptcha.net/) +* [MTCaptcha](https://www.mtcaptcha.com/) +Regarding security and privacy the by far best option is [hCaptcha](https://www.hcaptcha.com/): + +## Security considerations + +Arguably hCaptch isn't as bot proof as reCaptcha is, but to what degree is uncertain. + +[1] + - https://github.com/vector-im/element-web/issues/3606 + - https://github.com/matrix-org/matrix-doc/issues/1281 From b08276cd64c61abf49dc98a03c6761d05aea10d2 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:02:31 +0200 Subject: [PATCH 02/10] Update 2733-add-hCaptcha-as-captcha-provider.md --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index f2358b3232c..06b4a424450 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -18,13 +18,13 @@ as a captcha provider and also should be used as the default moving forward. This move would have multiple benefits: * Not relying on Google * Protecting users privacy, see [here](https://www.hcaptcha.com/privacy) -* The captchas are easier to solve and aren't confusing like reCaptcha sometimes can be (only from own and anecdotal experiences) +* The captchas are easier to solve and aren't confusing like reCaptcha sometimes can be (only from my own and anecdotal experiences) * Used by Cloudflare, see [here](https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/). * Supports [Privacy Pass](https://privacypass.github.io/) ## Alternatives -Some alternatives have been discussed in multiple Issues [1]. +Some alternatives have been discussed in multiple Issues [1](https://github.com/vector-im/element-web/issues/3606) [2](https://github.com/matrix-org/matrix-doc/issues/1281). There are generally two views regarding alternatives for reCaptcha. Design oriented and Security/Privacy oriented. For Design, there are two notable mentions: * [VisualCaptcha](https://visualcaptcha.net/) @@ -34,7 +34,3 @@ Regarding security and privacy the by far best option is [hCaptcha](https://www. ## Security considerations Arguably hCaptch isn't as bot proof as reCaptcha is, but to what degree is uncertain. - -[1] - - https://github.com/vector-im/element-web/issues/3606 - - https://github.com/matrix-org/matrix-doc/issues/1281 From 6c4721b8db82694a7624d766ab7b143382bd80ab Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:03:40 +0200 Subject: [PATCH 03/10] Rename 2733-add-hCaptcha-as-captcha-provider.md to [WIP] 2733-add-hCaptcha-as-captcha-provider.md --- ...provider.md => [WIP] 2733-add-hCaptcha-as-captcha-provider.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename proposals/{2733-add-hCaptcha-as-captcha-provider.md => [WIP] 2733-add-hCaptcha-as-captcha-provider.md} (100%) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/[WIP] 2733-add-hCaptcha-as-captcha-provider.md similarity index 100% rename from proposals/2733-add-hCaptcha-as-captcha-provider.md rename to proposals/[WIP] 2733-add-hCaptcha-as-captcha-provider.md From 8538c754143d12bb353a663c9f5b0a2165bb602d Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:05:54 +0200 Subject: [PATCH 04/10] Rename [WIP] 2733-add-hCaptcha-as-captcha-provider.md to 2733-add-hCaptcha-as-captcha-provider.md --- ...ptcha-provider.md => 2733-add-hCaptcha-as-captcha-provider.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename proposals/{[WIP] 2733-add-hCaptcha-as-captcha-provider.md => 2733-add-hCaptcha-as-captcha-provider.md} (100%) diff --git a/proposals/[WIP] 2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md similarity index 100% rename from proposals/[WIP] 2733-add-hCaptcha-as-captcha-provider.md rename to proposals/2733-add-hCaptcha-as-captcha-provider.md From 22b8a0a9607928e66f1998b058731bba671530f4 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:21:14 +0200 Subject: [PATCH 05/10] Update 2733-add-hCaptcha-as-captcha-provider.md --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index 06b4a424450..dd476c6f0b6 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -22,6 +22,16 @@ This move would have multiple benefits: * Used by Cloudflare, see [here](https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/). * Supports [Privacy Pass](https://privacypass.github.io/) +**All proposed changes listed chronologically:** +* implement needed changes for multiple captcha providers +* implementing hCaptcha api calls +* switching to hCaptcha as default captcha provider +* dropping reCaptcha + +## Potential issues +As a potential issue there would be the variables in homeserver.yaml, namely `recaptcha_public_key` `recaptcha_private_key` `recaptcha_siteverify_api` which would need to be renamed, which breaks config backwards compatibility. +Also adoption and integration with clients like element.io and so on could become an issue. And possibly cumbersome to maintain multiple captcha providers. + ## Alternatives Some alternatives have been discussed in multiple Issues [1](https://github.com/vector-im/element-web/issues/3606) [2](https://github.com/matrix-org/matrix-doc/issues/1281). @@ -29,7 +39,8 @@ There are generally two views regarding alternatives for reCaptcha. Design orien For Design, there are two notable mentions: * [VisualCaptcha](https://visualcaptcha.net/) * [MTCaptcha](https://www.mtcaptcha.com/) -Regarding security and privacy the by far best option is [hCaptcha](https://www.hcaptcha.com/): +Regarding security and privacy the by far best option is [hCaptcha](https://www.hcaptcha.com/) +Since hCaptcha is pretty simmilar to reCaptcha design wise, it would be the ideal replacement since the majority of users are already familiar with reCaptcha. ## Security considerations From 40056fb5449a1597a76dd8a493ed71bd53b22c77 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:22:15 +0200 Subject: [PATCH 06/10] Update 2733-add-hCaptcha-as-captcha-provider.md --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index dd476c6f0b6..40017e684ea 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -30,7 +30,7 @@ This move would have multiple benefits: ## Potential issues As a potential issue there would be the variables in homeserver.yaml, namely `recaptcha_public_key` `recaptcha_private_key` `recaptcha_siteverify_api` which would need to be renamed, which breaks config backwards compatibility. -Also adoption and integration with clients like element.io and so on could become an issue. And possibly cumbersome to maintain multiple captcha providers. +Also adoption and integration with clients like element.io and so on could become an issue and possibly cumbersome to maintain multiple captcha providers. ## Alternatives From 53d57118ea7e5c33178403bf20e3a6a57507e3d0 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:30:08 +0200 Subject: [PATCH 07/10] Update 2733-add-hCaptcha-as-captcha-provider.md --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index 40017e684ea..9d633428365 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -1,4 +1,4 @@ -# MSC02733 : Add hCaptcha as captcha provider +# MSC2733 : Add hCaptcha as captcha provider This MSC proposes to generalize the use of a captcha api in the matrix spec and that hCaptch is to be added to to provide a more privacy focused alternative to reCaptcha. From fc798623fabb495395d3e58688ae6b8fe58525f5 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:32:24 +0200 Subject: [PATCH 08/10] Update 2733-add-hCaptcha-as-captcha-provider.md --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index 9d633428365..40f73c4bfa8 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -1,7 +1,7 @@ # MSC2733 : Add hCaptcha as captcha provider This MSC proposes to generalize the use of a captcha api in the matrix spec and that -hCaptch is to be added to to provide a more privacy focused alternative to reCaptcha. +hCaptch is to be added to provide a more privacy focused alternative to reCaptcha. ## Context From 9a87f264727601bb83607c3fca2a6a3ddeb17449 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 00:34:18 +0200 Subject: [PATCH 09/10] Update 2733-add-hCaptcha-as-captcha-provider.md --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index 40f73c4bfa8..bc986b5753f 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -5,7 +5,7 @@ hCaptch is to be added to provide a more privacy focused alternative to reCaptch ## Context -Since google is well known for their misuse of their customers data and general disregard +Since Google is well known for misuse of their customers data and general disregard for basic privacy rights it is desireable to distance the Matrix spec from such a company. The ubiquitously used reCaptcha is one such mechanism to accumulate more private data for Google. From 184cf180a73a9e0cb7cf328b0decb046cacaec68 Mon Sep 17 00:00:00 2001 From: Toby4213 Date: Fri, 21 Aug 2020 11:43:47 +0200 Subject: [PATCH 10/10] fixed MSC ID --- proposals/2733-add-hCaptcha-as-captcha-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/2733-add-hCaptcha-as-captcha-provider.md b/proposals/2733-add-hCaptcha-as-captcha-provider.md index bc986b5753f..3a3c0d86a44 100644 --- a/proposals/2733-add-hCaptcha-as-captcha-provider.md +++ b/proposals/2733-add-hCaptcha-as-captcha-provider.md @@ -1,4 +1,4 @@ -# MSC2733 : Add hCaptcha as captcha provider +# MSC2745 : Add hCaptcha as captcha provider This MSC proposes to generalize the use of a captcha api in the matrix spec and that hCaptch is to be added to provide a more privacy focused alternative to reCaptcha.