Bitcoin Forum

I probably won't make changes in the near future, but I've been thinking about the captcha issue, and I wonder what people think about reCaptcha.

Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying on NSA-lite Google, and occasionally on Tor they throw you into some insane black hole of difficulty (though you can change your Tor exit to fix that).

Can't vote, but the most easy is the most i need  ;)

It was a necessary step, but to me the most annoying aspect is to enable JavaScript, I run noscript not so much for the added security but because it allows me to load websites faster, that is not much of a problem in the forum but I hate to have enabled anything that is related to Google also sometimes is annoying to resolve a captcha several times especially when there is not a clear answer but that does not bother me that much.

Its okay. Most browsers support javascript and its not that hard to solve.

honestly its ok for me using this recaptcha system and i dont have any problems , also its not that hard and time consuming to solve it.  it only takes 10 seconds of your time. i dont know why there were some users are having a hard time solving it.

recaptcha is ok for me and any other captcha wil just work fine if your using a google chrome browser.

When do you have to solve these? Don't think I've ever noticed, perhaps while logging in, but I rarely have to do that anyway.
Recaptcha is my favourite though, I'd rather have one where I can use my mouse instead of keyboard.

Those captchas with numbers and letters are the worst.

Personally, I've only had a problem with these sort of captcha with Tor it doesn't bother me too much having to enable java script. But, using Tor they can become very annoying quickly.

I'm not sure why it's different with Tor, however I've tried for a couple of minutes a few times just to login. I noticed a few times that you'll go through them and you can only click next even though you have followed the directions correctly. Eventually, you'll come to one which you can actually verify. Slight issue with Tor is too many requests, but like you mentioned you just need to change node to solve it.

Even though I have my issues with it, I think it's the best thing around right now and you'll probably have to make a compromise on spam if you were to take a different approach.

It is fine other than:
1) The necessary use of JavaScript at the login page.
2) For people who log in and out frequently. This is not an issue for individuals such as myself, who are pretty much always logged in.
3) May be annoying to log in on the phone.

---

As long as it combats some forms of attacks, it is fine as is.

I agree.  Knowing it annoys the account farmers is good enough for me to support it and I've only had to solve it once so far.  :)

The reCaptcha is insanely incisive when you are using Tor. It asks you to make the "street sign" and "vehicles" ones which are tolerable, but then there comes additional rounds of "cars", which are the ones where you have to click on car pictures that fade to white in slow motion several times until the system considers you not a bot. It is honestly annoying. The fact that you have to turn on javascript on then off manually is also annoying.

Btw, I don't know what the hell is up with the latest Tor upgrade, but the noScript button has disappeared. I was considering whitelisting the login url (https://bitcointalk.org/index.php?action=login) but I can't find the button anymore.

Let me stress what Theymos posted here for TOR users.  I am here exclusively via TOR and have experienced the "black hole" he mentioned above.  For some reason the change circuit feature on the TOR bundle fixes it.  Nobody likes to stop and answer Captcha's, but if it keeps us from getting pounded on the server front end so be it!  Once I go through the 30 second process to get in it runs slick for me.  Good job!

Didn't notice that the forum uses it until few weeks when I accidentally logged off, and I don't think that it is hard to solve it.
Keep it that way tho

I'd like to start using the new forum.

Re-CAPTCHA is not a problem for those of us who remain logged in. But, its a BIG barrier for Tor users as Re-CAPTCHA tend to treat Tor users as bot.

ReCaptcha ins't a problem for me on bitcointalk, because I always staying signed in and don't have to solve it. But from my experience, I know that people who have to solve it frequently, they get more difficult captcha (faucets users will understand about what I'm talking about).
But, is it there are no good alternatives for Recaptcha?
Maybe Coinhive proof of work captcha can be used? Just kidding...

About Tor... the DDOS attacks are brutal specially on Tor users. I wasn't able to browse the site today with Tor at the office, so I had to wait to arrive home and try with a normal IP, it was still slow, but Tor becomes unusable and today there was a heavy attack going, I got "busy, (504) and (502)" messages.

Now it's pretty decent again. And btw Tor got updated today and the noScript button is back so turning javascript on and off is now easier.

For me, I always checked the box to stay my account logged in with no time limit so I rarely solve those captchas. Anyway, it isn't that hard to solve those so I can't understand what trouble does it bring to other people since I understand what its purpose is.

Honestly, I don't mind the captchas, and they are not that difficult, but I've only ever seen captchas in the login page... (?_?)

Yeah, I don't remember when was the last time I logged out from my usual devices lol. Really,  the captcha is not annoying or anything a giving a few seconds in the name of security before logging in shouldn't be much of a problem.

I vote for this "I don't mind it too much mainly because they're not THAT difficult" but my only concern is that it is not supported with browsers like Operamini. I've been using Operamini browsers all the time on my mobile phone because it saves battery and data usage but the problem is I think that was way back August 2017 me and my friends are trying to access the forum but seems we need to answer the reCaptcha and we prefer SolveMedia because it is working on Operamini browsers. I also had an experience of like my Chrome browser keep on saying "Cannot contact reCaptcha". Hope we had a choice on which method we should use on loging in either SolveMedia or reCaptcha for our convenience.

I recently saw a thread in which someone’s account was banned because they had been inactive since the 2015 hack, so I presume the other accounts that meet this criteria are also banned.

The above along with the email security notification should resolve most of the security issues with the 2015 hack.

It is my understanding that the ReCaptcha was implemented because of the 2015 hack and the bot spammers.

It is only a matter of time before spammers start using mTerk to solve the existing reCaptcha. If we implemented a weaker reCaptcha that doesn’t use JavaScript then some spammers might be able to beat it, however this would also allow you to learn more about the spammers and additional countermeasures can be implemented if necessary.

My biggest concern about requiring JavaScript to login is it effectively makes it impossible (or very difficult and you must really know what you’re doing, eg have very advanced technical knowledge) to stay anonymous.

All of them are really very easy and most of the times i dont have to solve them..but yes they may waste 10 seconds

The login page is the only page it is on.  :)

In the grand scheme of things I don’t think this really affects account farmers very much.

A smart farmer will make many posts on one account before moving onto their next account. I would say this causes a farmer to spend nominally additional time logging in and the affect will be unnoticeable.

I agree that old, unused accounts should be locked before they fall victim of hackers and abusers and in most cases it's only a matter of time before it happens.
If someone who hasn't used his account for 3+ years will decide to return (which IMO is a rare case) they can always sign a message to message a moderator.
It would greatly reduce the amount of work they have to put into investigating hacked accounts.

Not really a problem for me, but makes the people with alt accounts waste more time. I know it was intended for security, but had a second purpose.

Not a problem at all. It's to me. Besides, it takes only seconds to solve them. It's just account farmers are annoyed with this function because they have to do Captchas everytime they log in to their othet accounts. Anyway, if it's for security. Then why would i oppose that? Actually you can stay and keep your account always logged in. Just check the always logged in. That's it. You don't have to solve captchas if you are really annoyed at it. What i really don't like about captchas, typing words and letters. Those really annoys me. But i never encountered that in this forum yet. Hope not.😄😄

Do you know how to set a noScript exception on the login page only?

When I try to put the login page url, noScript automatically adds "bitcoin.org" as an exception it's entirety. It looks like you aren't allowed to add subdomains.

I hate solve the reCaptcha, but manually turning on and off javascript is an added annoyance that could be automated with noScript, if noScript allowed to add the login url.

I don't mind solving them at all and they are fairly easy. I do it twice a day at most so it's 3 additional seconds that I have to spend before accessing the forum.
Does it annoy farmers? I think they don't care and wouldn't care even if they had to solve 5 captchas before logging in.

I'm not an account farmer but it annoys me.I'll tell you why,
 1.I somewhat feel we're commercialising the platform by using Google's services.I mean we could go for another open-sourced captcha solving service.
 2.I feel I'm obliged to solve captaches (imagine how you feel when you're forcefully asked to watch adds before accessing the content).
 3.There could be a.better b.simpler bot preventive mechanism.Although a lot of members would disagree with m opinion here but that's just me.

I think for the forum's sake, its okay to go through it. Although I do think it as annoying because, because for some reason, I have to solve it every time as my browser clears all cookies and I have to sign in every time I come here.

i get this error "Cannot contact reCAPTCHA. Check your connection and try again."
and some times when solve it right i get wrong answer (i get same pic when register and when sign up solve boxes work in register and get error when sign in )

This happens to me when using Tor a lot of times, so to the annoyance of the captcha itself, and to the annoyance of having to turn on then off javascript to log in, you have to add the fact that it takes several attempts of changing IP with the "New Tor circuit for this site" option a bunch of times until you find one that Google hasn't banned. So yeah, not very Tor friendly this reCaptcha.

Only problem I had with the reCaptcha was losing the great Forum layout i enjoyed on my Opera browser and the difficulty solving the puzzle .. I noticed nobody was going through  thesame problem as me so I moved on and have really gotten used to things. So everything is fine now. Forum security is all that matters.
I appreciate!

solving recaptcha on the phone is hard and it takes much of my ram and as a result im oftenly kicked out on my browser and  i need to solve the recaptcha again but it works fine on desktop and laptop. i think the letters captcha are more easier and consumes less ram.

ReCaptcha is fine for me as a regular user here in forum. Pictures are excellent way of captcha. It is easy that it comes as regular part of logging in. Pictures are better than those captchas with alpha numerical characters as I find it sometimes unreadable. The admin and moderators are doing a great job to make this forum better.

Agreed with some of the posters here. It is annoying sometimes if you use your phone and If it will prevent BOT or API ( i don't know if this is possible) to login it will prevent robot users and also prevents the forum to easily accessed and it make sure that everyone is human.

yes its possible, it  will prevent bots and that is the main reason why captcha's are invented  and admins/website owners need to install it on the login page or any kinds of joining/signing up form,  to ensure  that everyone is a human and not robots that will likely spam and automate the process of the system because that is considered cheating in any way and they are too lazy to do it themselves.

The Noscript logo disappearing from the browser is a known bug I think, I do not use Tor but in the Firefox browser the same happened to me so I uninstalled noscript and then installed it again and everything worked perfectly, maybe you will need to do the same in order to white list bitcointalk.org, and I will also agree that the captcha where the cars fade is very annoying especially when my connection is slow.

I use Tor.  On my current login, I got this:


Changing circuits worked—this time; but if Google is sometimes refusing to even serve up a CAPTCHA, that bodes ill for the future.  These things tend to go one way.

I posted separately (https://bitcointalk.org/index.php?topic=2497803.msg25577326#msg25577326) on the general issue of the login CAPTCHA.  Sorry that post was misplaced.

It is also problematic that Google’s image-clicking CAPTCHAs force me to work for free, enslaving me to their so-called “AI” on projects I despise.  Right.  “Self-driving cars. (https://xkcd.com/1897/)”  No, cars which are not under your control.  A Google-driven car is like money in a bank, as opposed to Bitcoin, the car with a steering wheel and pedals.

I am having problems solving Recaptcha
it started a couple of months ago and for some time I was not able to solve it all,because it kept me in an everending loop of
"incorrect" answers although I was sure I solved them correctly
when I googled(sic!) I found out that the problem was pretty common(and random) and the only way to get rid of it
was logging out of all of your google related accounts or using incognito mode in your browser
needless to say that its a hassle,so I think any captcha BUT recaptcha will do

This reCaptcha is suck, each time im use the cafe internet, too many popup pop out from it and asking me to choice. Its like an English class for 2yo baby. But it keep the forum safe from the flood. So unfortunately, we need to deal with it.

I feel like it's a great system. It keeps the bots away from easily mass-spamming us.
reCaptcha can be solved easily & quickly. Although it sometimes says correct answers are incorrect, if you use your brain, you should be able solve them correctly most of the time.

I saw that some people say that it's very buggy whilst using terrible internet, but I feel like there's more wrong then, as I come across horrible internet all the time, in restaurants, on vacation, etc... And until now it has always worked well.

Of course, it would be nice if it was possible to choose an alternative that works well for everyone and I'm completely in for that, unless it has disadvantages for people that are currently not experiencing any negative side effects from the reCaptcha.

On the cost of authority by google.I don't like my  time being wasted by google.Why would I spend 20 seconds of my precious time to prove I'm not a bot when I'm really not.I don't know rant isn't gonna help but just saying since you asked.


Brains ? Let;s way for a day google asks you to solve complex logarithms in the specified amount of time to prove you're a human.


The best alternative is to control that from the server side.

This forum is Tor-friendly, which I much appreciate.  According to theymos, Satoshi “always used Tor” to connect to this forum (https://bitcointalk.org/index.php?topic=178330.msg1869406#msg1869406).  But Satoshi would now find his time wasted, likely to the eventual point of giving up in frustration.

The following happened again just now, multiple times.  I had to repeatedly change circuits before I could even get a CAPTCHA.  Observe that this gives Google the power to fully lock Tor users out of Bitcointalk.org any time they want:


The CAPTCHA then took me 89 seconds to solve—first slowly-reappearing storefronts, then a long batch of street signs.  This was when I knew I was timing it, so I tried to do it as fast as I could; and as one who has exclusively used Tor to access the Internet for some years, I think I must have world-class CAPTCHA solving skills.

I suspect that the issue is not keeping out bots as such, but preventing bruteforce attempts against luser passwords.  theymos et al., am I right?  Bots need an account for spam.  The forum already charges “evil” IP addresses Bitcoin for new signups.  But most people pick bad passwords; they think that “p4ssw0rd1975” is super-unguessable.  Do the maths.


The CAPTCHA varies its “difficulty” (actually: its tediousness) based on Google’s opinion of the connecting IP address.  Do not assume your experience to be the same as others’.  It isn’t.

For Tor users, this often means page after page of “challenges” which in total take up to a few minutes to solve.  I have not recently done a Google CAPTCHA in less than sixty seconds, and I’ve had plenty of practice.  When I click “Verify”, I get hit with another round; n.b. it does not say my answers are “incorrect”, it just gives me another “challenge”.  Also, as I posted above, Google may even refuse to serve a CAPTCHA.  Google now has the peremptory power to lock people out of bitcointalk.org.

I also have big problems with reCaptcha and sometimes I get that message about sending automated queries.Only way to log in in forum is to reset my modem and get new IP.So problem is connected with IP address of individual user,but may be also related to specific site.

For example if I have problem with reCaptcha on one site,on some other site same reCaptcha is so easy to solve,or there is no even captcha like in Google short link service.I notice also if you try to reload captcha to many time to get an easier one,this may tag you as bot.

Last few days reCaptcha is super easy for me on bitcointalk,it can be solved in a single attempt.When your IP get block from Google,there is link-help page and you should send them e-mail with your IP address so they maybe check and unblock your IP.

For the past few days, I have been unable to even get a CAPTCHA without changing Tor circuits.  I did some rough testing, hitting “New Identity” in the login page and then changing circuits until I could get a CAPTCHA.  Rinse, repeat.  At worst, I had to try a total of six different circuits before Google would even deign to waste my time clicking pictures.

This brings to mind another thought:  Google could force Tor users to rapidly rebuild circuits to the same endpoint, then potentially watch for any other network activity which could be correlated by timing, size, etc.  Hmmm.  How many Tor nodes are hosted on Google Compute, or otherwise network-visible to Google?  —  Next question:  Does the NSA like to see Tor users rapidly rebuild circuits to the same endpoint?

Those are the sorts of subtle questions which make for papers on anonbib.  Or for attacks.  For a “cloud” provider who hosts many Tor nodes, I think I smell at least the possibility of a guard-discovery attack here.  Tor is known to be weak against an adversary who can observe both endpoints.  If Google forces Tor users to build circuits until they hit a Google-hosted middle node, then I conjecture they could use a similar attack to find the guard (counting the guard as if an “endpoint”).  They then know that a user with guard X logged into bitcointalk.org at dates and times which can, in turn, be correlated with a bitcointalk username (assuming they can’t just use some XSS to grab that off the login page—or share/cross-reference databases with Cloudflare (https://bitcointalk.org/index.php?topic=2485318.msg25449826#msg25449826)).  Every little bit helps a network observer gathering data for deanonymization.

As an aside, Tor Browser/Torbutton could really use a feature which permits conveniently changing exits without rebuilding the entire circuit.

I believe that everything in this forum reason behind it nothing is waste I believe strongly in it. This is what I think of the forum's usage of recaptcha though I not technical person to go deep into it.

I use FireFox and it works fine too, so I also don't see a problem or any annoying factor in that.
The only thing that I am still learning to use is the time of log in, it's stays 60 min automatically and I oftenly forget to change it as it suits to me the most (always stay logged in), so it happens that I write a comment, press "post" and come to the page where I need to log in again and that's the most annoying thing to me :D

Because you are irrelevant

We, human beings, are no longer relevant to Google (or whatever is hiding behind its facade) at this point in time. Basically, we are a hindrance to it, a pain in the ass if you please, so why should it give us a free pass? Welcome to 1984 brave new world, mate. Since I stay always logged in (well, sort of), I don't care so much about Google reCaptcha at this site, but I definitely know how annoying it can be at other sites where you have to endlessly click on an infinite loop of squares, monkey style

Just like the other members, I do not have problem with reCaptcha because it doesn't take much of my time. I understand if it is for the security concerns and will likely support it if it will prevent and stop possible security attacks. It maybe a nuisance for some because if you have a poor connection, it will consume your time in clicking what is required. Anyways, if reCaptcha will also slow down those people who are going against the rule of having multiple accounts, then it is just and right.

Is there another solution for those who use tor. Changed circuits over 16 times (yeah I counted) and then recaptcha showed up. I am not complaining about the recaptcha thing but another solution will be appreciated.

Tor user here.  Please see the thread I started after my 17-circuit-change login instance, documented with screenshots of various error messages (https://bitcointalk.org/index.php?topic=2549690.0); my conclusion thus far:


P.S., I suggest that you consider purchasing a Copper Membership.  Your Tor signup fee can be put toward the price; and it will let you embed images as a newbie, among other perqs.

I don't know. It may somehow prevent some attacks. I personally find it anoying but if it can always secure the forum and users privacy then I wouldn't mind solving those captcha everytime I visit or logged in.  Mayba a 2fa is much better? Just sayin tho

I think Theymos should replace the captcha with a proof of work challenge such as https://coinhive.com/

Reduce Spam AND make the forum some additional money.  :)

That is pretty cool and a great idea.

This would (0) require Javascript (as reCAPTCHA does—but worse, IIRC this also requires asm.js/webasm which I disable even when enabling JS), and (1) have a drastically disparate impact on those using fast computers versus slow computers/netbooks/mobile devices.  It is also questionable whether it would answer the threat being staved off by the CAPTCHA.  Admittedly, it would work better against what I suspect the threat to be, rather than against spam.

Vod, do you know the actual purpose of the CAPTCHA?  Everybody seems to assume that it’s there to keep out spambots.[1]  My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts.  You may perhaps know for certain, not as a matter of assumptions or speculation.

I would understand if theymos desires that such information not be disclosed.  But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.

---

1. This common assumption simply does not make sense to me.  An account farmer could easily use human labour (self or others) to log bots into a large numbers of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts.  It would be trivial; all the bots would need to do is to keep their cookies.  I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023.  I have not filled out the CAPTCHA since 10 December.  Whereas a password bruteforcer would indeed be stymied by the CAPTCHA.  A bruteforcer would also be slowed down by a POW.  A spambot could complete the POW once, then stay logged in for years or until permabanned.

Sad thing is I don't have any bitcoin. Also checked the cooper membership price. It costs around $31 which I don't have. :(

I read your other topic and it had a lot of insights. Some trolls always lurk around and take things other direction. You also said you are very good with tor. I am not an expert and just use it for bitcointalk browsing with java script enabled.

What I wanted to know if there is any other browser like tor so I could use that and browse anonymously.

I think you should reconsider your opinion

As to me, it doesn't make a lot of sense to use just one spam bot (account) when you can use hundreds or even thousands of them, and this is where captcha kicks in. Without it a spam bot could constantly log in and off using different accounts from the same IP address, so it would be next to impossible even to track them down let alone ban them all. Regarding preventing users' passwords from being brute forced, you don't need a captcha for that. If you enter an incorrect password, the forum will let you try again only after 1 minute, if I remember correctly. And I'm not sure if your IP won't be banned for longer after a few unsuccessful attempts

Please reread what I said, as quoted above; I have edited the quote to put the key words in red.  If already building a spambot which opens web login sessions, it would be trivial to make it keep many different sessions in parallel.  Get them all logged in—perhaps via a scammy website which proxies the CAPTCHA, and offers real or imaginary freebies (free Bitcoin!) for completing CAPTCHAs.  Then, leave them logged in.

You incorrectly assume that a spammer must log in his sibyl accounts from the same IP address.  Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address.  Also, multiple accounts can be logged in from the same IP address.  Either way, there is no reason for a spambot to ever log out.

Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing.  If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from login to bitcointalk.org by deliberately making many bad login attempts from every exit node.  Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like.  Granted, I could be wrong there.  It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login.

Assuming a correlation between users and IP addresses is a common fallacy.  N.b., I have no idea how many users are currently logged into bitcointalk.org from the same IP address as I am using to post this right now.  I’m almost certainly not the only one; moreover, my connecting IP address frequently changes.  There are also reasons other than privacy why many users may share the same IP address:  Carrier-grade NAT due to IPv4 address exhaustion, corporate proxies, etc., etc.  —Also reasons why the same user may rapidly change IP addresses:  Mobile users....  There is not and never was any strong correlation between people and IP addresses; security systems which assume that tend to simultaneously lock out legitimate users, and fail to lock out malicious attackers.  Failure both ways.

---

Well, if you signed up via Tor, then you must have some Bitcoin; theymos charges a small anti-abuse fee for new account signup from Tor and other IP addresses which have high risk for abuse.  And if you didn’t sign up through Tor, then you are mixing Tor and non-Tor usage for the same account.  That’s a big privacy no-no.

If you use Tor, then you should use only Tor Browser for your web browser.  I actually dislike it, myself; but it has special privacy and antifingerprinting features (https://www.torproject.org/projects/torbrowser/design/), and also, it helps you blend into a crowd when you use the same browser as everybody else.  The technical term is “anonymity set”.  If you use a different browser with Tor, then you may still be more or less readily identifiable and/or trackable (web session linkage).  You could be the only person using Browser X in a crowd of two million people using Tor Browser through Tor exits.  If you want to use some privacy network other than Tor, I have no specific advice for you at this time.  But this is all off-topic.  If you desire a few further tips of where to learn about these things, feel free to ask your question in the Off-topic forum (https://bitcointalk.org/index.php?board=9.0) and PM me a link to your post.  Just don’t get sucked into the huge heaps of trash posted there—much of which is posted by spammers trying to up their post counts; that’s the kind of dirt which can rub off on a newbie, if you get involved with it.

I guess you should also reread what I wrote

Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)


I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority

Forums can use the two and the members could select which option they like to log with it.
I remember such feature was used in faucets years ago.

A reply to this:


...devolved to this:


Are you speculating, or do you have certain knowledge?  I asked a question, because I don’t know.  I nominally addressed my question to Vod, because I’ve seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not.  And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login—which would help solve the problem of bruteforce login attempts, but would do nothing against spambots.[1]

I set forth a query clearly in the interrogative; and I laid out my reasoning for an educated hypothesis.  Whereas my question can only be answered by somebody who does actually know the precise nature of the problem which theymos ameliorated with the login CAPTCHA.  If you do know, please say; but if you don’t, then I can tell you, your guess isn’t nearly as good as mine is.

I have been repeatedly asking all month whether my hypothesis about the login CAPTCHA is correct.  There are exactly three valid answers:  “Yes”, “no”, and “no comment—that is sensitive operational security information which we will not tell to someone we don’t know and trust.”  Any of those would be fine—from someone who actually knows.  Whereas if you’re simply hashing out your own hypothesis, then this whole discussion is a waste of my time.

---

1. Any spambot which could log in and set up a client certificate for future logins, could also save a cookie for staying logged in.  Duh.  But I’d like to know for certain before I pour more time into the sorry state of public-key auth on the Web.  Browser vendors deprecated or even removed <keygen> while I wasn’t looking.  Only a minuscule fraction of users would be able to manually generate TLS certificate requests, or use alternatives such as SSH tunnels, OpenVPN, etc., etc.  I spent hours trying to figure out an administrator-friendly and user-friendly solution, with the goal of making a suggestion which might actually be implemented.  Then I realized, I shouldn’t bother trying to otherwise resolve the CAPTCHA’s purpose when I do not know its purpose with any degree of certainty.

---

Well, at least that wouldn’t make things worse; but from my perspective, it wouldn’t make things better, either!

I don't quite understand what part of my post you refer to as speculating. But I'm utterly curious what makes you think that all spammers (well, most of them) have simultaneous access to multiple IP addresses (if that was your point). Anyway, why don't you just ask theymos directly (via PM or elsewise)? I guess he is the only one who can give you precise answers as to his intents and purposes. But since you are still sticking around here, I arrive at a conclusion that he is not likely to respond to your queries. So who is wasting whose time actually?

But never mind. When you are a newbie you can't post more than once in a while (like 6 minutes or so), and if you try you will get a warning that clearly states that your IP address is being limited, i.e. not your session or whatever. What else do you want to know?

how can someone complain about the NSA running Google and Cloudflare but still advertise TOR? Seems you have no issues with it, even its known where most of its funding is coming from... just curious...

Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China. 

Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site. 

At some point this kind of issue really needs to be addressed. Forum should be welcome to all users anywhere in the world. Tho, I haven't seen any chinese in this forum contributed since basically most of them are just talking to their local boards and creating similar forum for them would really not be a problem

What would be the solution to this though? Assuming there would have to be a compromise we would likely see this abused by the many and more bots would be registering and spamming the forum. Chinese members could just use a VPN to sign up, unless there's another alternative which is just as effective as keeping the bots away.

There's services which offer to write out the captcha and send it to the users registering, so any other system which doesn't use the image could easily be abused and automated.

The ReCaptcha prompt is sometimes unsolvable, or when it's the one with the fading blocks, takes far too much time to make it worth it.

Sometimes I don't sign in, simply because I can't be bothered to wait 1 minute for the fading blocks to go away. If there was a paid option to bypass the ReCaptcha, I would seriously consider it.

What you are saying is, why have any local forums at all?

Actually, why have a forum at all?  Creating a similar forum for me would really not be a problem, yes?  And another one for you?

---

Prescribing any kind of censorship circumvention measure is problematic as for users in a country which blocks censorship circumvention measures.  Though there are always ongoing concerted efforts to keep Tor available to PRC (People’s Republic of China) users behind the GFW (“Great Firewall”—adverse nickname for PRC network censorship measures).  It’s an arm’s race.  And then, Chinese-through-Tor users would hit the reCAPTCHA problem I had:  “Google is locking Tor users out of Bitcointalk.org! (https://bitcointalk.org/index.php?topic=2549690.0)”  I would suppose that some/many VPNs (as you suggest) might hit similar trouble, though I have not tried VPNs with this forum.

Here is an interesting bibliography, which includes references to many research papers written on GFW:
https://censorbib.nymity.ch/


Well, there’s your usual CAPTCHA arms race.

I myself would much prefer public-key authentication for login.  It’s a “crypto” forum, yet does not deploy basic cryptographic techniques for authentication!  Of course, this would make it trivial for bots to log in; and this returns to my unanswered question which I have asked many times upthread and elsewhere:  Is the purpose of the login CAPTCHA to stop login by bots, or to stop such bruteforcing of luser-selected passwords as may result in (more) so-called “hacked” accounts?

By the way, there is a(t least one) existing patent on a method for issuing fake or impossible CAPTCHAs to deny access to a service while pretending to allow access:
https://via.hypothes.is/https://www.google.com/patents/US9407661
(In other words:  A patent on a method of being a jerk and intentionally wasting people’s time, effort, and frustration.)


N.b. that the reference to typing on “a standard keyboard” unavoidably implies that the term “attacker device” includes humans (a/k/a not-a-robots).  The only conceivable purpose for serving an impossible CAPTCHA to not-a-robots (formerly known as humans) is to torment and lock out flesh-and-blood users on networks such as Tor.

Think of this, next time you see some error-comedy site post a screenshot of a “broken” CAPTCHA containing weird characters.  It’s not broken:  It’s sadistic and deceptive.

---

As linked above, some of us have trouble even getting a CAPTCHA—broken or otherwise (https://bitcointalk.org/index.php?topic=2549690.0).  Then when I can get a CAPTCHA, it steals time out of my life—60–90+s each time, mindlessly clicking pictures in servitude to a machine.

I myself have not yet received an unsolvable CAPTCHA on this forum.  Only either refusal to serve a CAPTCHA, or extremely drawn-out and tedious CAPTCHAs.


So would I—with the caveat that I would not pay more than I already have for Copper Membership.  If the purpose is a steeper anti-abuse fee which provides greater deterrent to abuse, then that shouldn’t be turned into a money-grab.  Doing so would be wrong, a squeezing of innocent people under false colour of stopping the wrong of spammers who treating this forum as a money-grab.

However, you raise a chicken-and-egg problem:  How does the forum know to whitelist a paid user at the login page?

I would suggest allowing the login page some restricted access to the data base, for the purpose of identifying the user type. If identified as a ReCaptcha bypass user then javascript code removing the ReCaptcha prompt will be executed. Alternatively, for the purposes of safety, a second database could be accessed which is generated as a subset of the original (again selecting the bypass users) thus avoiding any vulnerability concerns. This system could be easily implemented with a few IF ELSE statements in the original code.

However, there would need to be an alternative security measure in place to prevent brute force attacks, e.g. Only allow a maximum of ~5 password attempts before locking the account for some length.

That's true, it can be quite annoying when were selecting photos using our phone. It tends to misalign when you try to zoom into it then when you zoom out as well. Sometimes when you try to scan through the selections, it  tends to select when you just want to browse. I just feel that its response when using a phone is slow. It's not a big deal though, but it can be time consuming at times.

I was actually referring the chinese users who can't acess the forum because of the captcha that even if they can't access the site there is still no problem. Since most of them are just posting on their local section. Don't bother wasting your time in creating a forum tho, LOL

half a month necro/
I am using firefox latest version, i didn't have a problem until yesterday, i have to solve 20 recaptcha and mind you i have to select sometimes street signs in a photo without any street signs! this is ridiculous and annoying.

For me it is slow to load and sometimes asks two or three times ... Also it is quite boring... Instead of traffic signs and roads and cars it could be about telling if it is a character from Star Trek or Star Wars ... or if it is a men´s or a woman´s legs or ...

Seriously, it is slow, but I don´t know if there is anything out there that offers the same level of safety and is faster.

I really dont mind having them here in the forum as long as they are fast to load. Although I'm patient from waiting but not that long enough like the captchas in 2captcha.com, that's why I quit that work. Its just a matter of time just to solve it so if you added it here like the one from the log in I guess there won't be a problem.

As a Tor user, I quickly found the site totally unusuable when I was at Newbie rank.  One fine day, after I was forced to try 17 (seventeen) different Tor circuits before I could even get a CAPTCHA thrown at me (!) (https://bitcointalk.org/index.php?topic=2549690.0), I finally found a (not very good) workaround:


So...  I suppose the least-evil current answer is, check the box to stay logged in; and back up those precious cookies!

There, in this thread, and elsewhere, I have repeatedly made noises about a better solution:


However, I never did the writeup I intended on a practical suggestion for achieving that.  Back in early December, I hit a stone wall when I researched the topic.  Sadly, idiot browser vendors have deprecated the <keygen> tag reasonably needed for userfriendly not horridly unfriendly setup of TLS client certificates.  TLS client certs have other problems, too—not least of which is privacy toward other sites which could fish around for your bitcointalk.org cert; but what else is there?  I thought of SSH tunnels, OpenVPN, ad hoc copypasting of challenges signed with a PGP or Bitcoin key...  There are not any good options here.

Another problem is, per my repeated inquiries upthread, the purpose of the login CAPTCHA is unclear.  If, as I tend to presume, the purpose is to prevent online bruteforce of weak luser passwords (inevitably followed by “HELP CYRUS THEYMOS IM HACKED” threads), then pubkey auth would be an excellent solution.  But if the purpose of the CAPTCHA is to inhibit mass login by spambots, as many others assume—well, then pubkey auth would fix nothing.  If this is not a sensitive security question, I ask that theymos provide clarification.

---

Half a month isn’t really necro, even for a less important thread; and this thread is very important.  I hope that this thread will remain semi-active until a better solution is found.

It doesn't matter if I think because it is usual to avoid security robots that enter and roam mainly in this forum who could make the post contains useless garbage.