Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-06 Thread Rob

Hello,

Legend has it that on 05/10/2014 19:47, the fair wind whisper'd the
words of Stephan Beal:
> Agreed completely, but most people, i assume, who are contributing
> to the wiki and tickets are capable of entering a captcha?
Yes, the keyword here being most. Visually impaired people are
unfortunately an exception.
> To be clear: i'm not saying no, we can't, i'm just voicing
> concern for automated repo pollution which such a combination
> creates.
I see your concern and would certainly like to avoid spam just as
much, thus I completely agree with what you wrote.
My concern is that at the moment blind and visually impaired people
are unable to contribute to any repository where registration is
enabled with equal access rights (due to the required captcha). What I
am requesting might not be perfect (hence it should be toggleable),
but it would be a step forward compared to what we have now. If anyone
could implement a textual captcha that asks for a word or the sum of
numbers, then we would have a perfect solution. I feel though that
this is perhaps a bit too much to ask.
> A moderation step is essentially the same thing as registration via
> email to the admin, but arguably requiring less effort on the
> admin's part (checking the timeline page periodically for pending
> moderation requests, and clicking accept/deny for each request).
Exactly. Email-based moderation on the other hand might not be a
viable option, as Fossil, to my knowledge, does not contain any
feature that would allow sending emails.
> But do you want robots to be included in those tickets? i once had
> a repo where the anonymous user had (due to an error on my part)
> privileges which allowed him to edit wiki pages and create tickets.
> Over a span of a few weeks, it injected dozens of entries via the
> anonymous account (where autocaptcha was active). It remained
> undetected because it was clever enough to know not to edit the
> configured home wiki page, so the site looked okay to casual
> observers. As i was the only contributor to that repo, there was no
> need for me to follow the timeline, or i might have noticed the
> problem sooner in the form of timeline entries.
>
> Again: not an objection, just a cautionary tale.
I appreciate this, after all, bots are getting more clever by the day!
I am just not sure what I could go with without asking too much.

Rob
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-06 Thread Ron W
On Sun, Oct 5, 2014 at 1:34 PM, Rob robjo...@gmail.com wrote:

> Legend has it that on 05/10/2014 18:55, the fair wind whisper'd the
> words of Stephan Beal:
> > i.e. what i'm afraid of is that once you start hosting a repo with
> > such an option for the registration page, some bot is going to come
> > along, register himself, and start flooding your tickets and wiki
> > pages with... whatever it is that bots fill tickets and pages
> > with.
> I think moderation can be helpful in this case, but it is a fairly
> thin line. If registering is too easy (i.e. it has no captcha or has
> something that can be defeated easily), bots might end up spamming the
> repository as you said. If the registration is too hard (e.g. takes
> too much time or is unsolvable), users are not going to register to
> report bugs, contribute to the wiki, etc.
> I can disable the self-register option, but in most cases, users would
> rather self-register than contact me for a registration request.


An audio CAPTCHA is possible, but you would need help from a webserver to
do this. Off hand, I can think of 2 options.

1. Have the webserver run Fossil as a CGI or SCGI, letting the webserver
handle user management. This is the easiest.

2. Enhance Fossil to provide an encrypted copy of the secret string for
use by the CGI/whatever that handles the audio CAPTCHA. (I can help with
the encryption part.) And to have an alternate Javascript in the
registration page that uses the CAPTCHA handling CGI/whatever instead of
the auto-CAPTCHA.

While the easiest way to handle a CAPTCHA would be to subscribe to one of
the existing CAPTCHA services, you could do it by yourself. Maybe there are
open source tools for implementing CAPTCHAs, but I don't know.

If you decide to do it yourself, your CGI/whatever will need to generate
some text, convert it to speech, send an audio file to the browser, then
accept and verify the response.

Your response handler will likely need to be tolerant of spelling
variations.

For the audio part, in the past (about 6 years ago) I have used eSpeak and
Festival (both open source) for text-to-speech. As I recall, neither was
hard to use.

To avoid bots clever enough to have speech-to-text handling, I would
suggest the generated audio describe something, including random details,
then ask the user about 2 or 3 of the random details.
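
A text-only sketch of the challenge described in the message above (random details, two or three questions, spelling-tolerant checking), added here and not code from the thread or from Fossil. The vocabulary, sentence template, function names and the 0.75 similarity threshold are assumptions; the generated text is what would be handed to a text-to-speech engine such as eSpeak or Festival.

```python
import difflib
import secrets

# Constructed vocabulary for this sketch; a real deployment needs far more.
DETAILS = {
    "colour": ["red", "green", "yellow", "purple"],
    "animal": ["horse", "rabbit", "giraffe", "penguin"],
    "object": ["umbrella", "suitcase", "bicycle", "lantern"],
    "place": ["library", "harbour", "orchard", "station"],
}
TEMPLATE = "A {colour} {animal} carried a {object} to the {place}."
QUESTIONS = {
    "colour": "What colour was the animal?",
    "animal": "Which animal was it?",
    "object": "What did it carry?",
    "place": "Where did it go?",
}


def make_challenge(n_questions=2):
    """Return (text_for_tts, questions, expected_answers).

    The expected answers stay on the server (session or signed field);
    only the audio and the questions go to the browser.
    """
    rng = secrets.SystemRandom()
    chosen = {kind: rng.choice(words) for kind, words in DETAILS.items()}
    asked = rng.sample(sorted(QUESTIONS), n_questions)
    text = TEMPLATE.format(**chosen)
    return text, [QUESTIONS[k] for k in asked], [chosen[k] for k in asked]


def close_enough(answer, expected, threshold=0.75):
    """Accept small spelling variations of a word the user only heard."""
    typed = "".join(ch for ch in answer.lower() if ch.isalpha())
    ratio = difflib.SequenceMatcher(None, typed, expected).ratio()
    return ratio >= threshold


def verify(answers, expected):
    """Every asked detail must match, and none may be missing."""
    return len(answers) == len(expected) and all(
        close_enough(a, e) for a, e in zip(answers, expected)
    )
```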


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-06 Thread Rob

Hi,

Legend has it that on 06/10/2014 19:42, the fair wind whisper'd the
words of Ron W:
> An audio CAPTCHA is possible, but you would need help from a
> webserver
Do you think it would be possible to implement a very simple textual
captcha that randomizes a few numbers and a few operations and asks
for the result?
I think that should be fairly secure, especially if we output numbers
as letters (one, two, etc). This would remain faithful to Fossil's
single-file nature and might be even integrated into the official
Fossil release, as a toggleable option.

Rob


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-06 Thread Ron W
On Mon, Oct 6, 2014 at 3:20 PM, Rob robjo...@gmail.com wrote:

> Do you think it would be possible to implement a very simple textual
> captcha that randomizes a few numbers and a few operations and asks
> for the result?
> I think that should be fairly secure, especially if we output numbers
> as letters (one, two, etc). This would remain faithful to Fossil's
> single-file nature and might be even integrated into the official
> Fossil release, as a toggleable option.


It is doable, but a bot would still be able to read and interpret it.

Assuming any of the existing CAPTCHA services support a mode of operation
where Fossil could generate an encrypted URL to include in the registration
page (as opposed to Fossil sending a request to the service), then I would
suggest that the best way for Fossil to support CAPTCHAs for the visually
impaired would be to provide the needed TH1 primitives to enable a TH1
script to generate the required HTML and encrypted secret string to
include in the registration page.

FYI, even if a text-based version of what I described for an audio CAPTCHA
were used, I'm pretty sure there are bots that could pass the test. (When
presented as text, my test essentially amounts to a reading comprehension
test. Also, several top tier universities have open source natural language
processing projects that are, supposedly, very good.)

There are word puzzles that, so far, only humans can solve, but (a) these
may be too hard for a CAPTCHA and (b) they almost always have more than 1
correct answer. (But I'm far from an expert in word puzzles, so I would not
know what to suggest as puzzles.)


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-06 Thread Rob

Hi,

Legend has it that on 06/10/2014 22:35, the fair wind whisper'd the
words of Ron W:
> It is doable, but a bot would still be able to read and interpret
> it.
Theoretically speaking, making an automatic captcha solver for
Fossil's current ascii art captcha is not really hard to do. The
question is how far is anyone willing to go to defeat any captcha?
I have been using a very simple solution to keep out spammers for a
few years now, alongside the math puzzles. My registration form has a
checkbox that simply says "I am a spammer". Most bots select and
check form controls, just in case the form needs it to be checked when
validating. Of course, if this checkbox is checked, the site is not
going to accept the form submission.
These are very easy to defeat, but the site has to be specifically
targeted. If that happens, it is trivial to log in with a manually
created account and create havoc.
> Assuming any of the existing CAPTCHA services support a mode of
> operation where Fossil could generate an encrypted URL to include
> in the registration page (as opposed to Fossil sending a request to
> the service), then I would suggest that the best way for Fossil to
> support CAPTCHAs for the visually impaired would be to provide the
> needed TH1 primitives to enable a TH1 script to generate the
> required HTML and encrypted secret string to include in the
> registration page.
While they can be great (see Akismet), I'd rather not use captcha
services outside Fossil.

Rob
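
The two measures discussed in this thread, the arithmetic puzzle with numbers written as words and the "I am a spammer" checkbox from the message above, as an added Python sketch that is not code from the thread or from Fossil. The form field names (`i_am_a_spammer`, `token`, `answer`), the HMAC-signed hidden token and the ten-minute lifetime are assumptions chosen so that the server needs no per-challenge storage.

```python
import hashlib
import hmac
import secrets
import time

WORDS = ["zero", "one", "two", "three", "four", "five",
         "six", "seven", "eight", "nine", "ten"]
OPS = {"plus": lambda a, b: a + b,
       "minus": lambda a, b: a - b,
       "times": lambda a, b: a * b}
SERVER_KEY = secrets.token_bytes(32)   # per-server secret, never sent out
MAX_AGE = 600                          # seconds a challenge stays valid


def _sign(answer, issued, nonce):
    """Keyed MAC over the expected answer; reveals nothing without the key."""
    msg = f"{answer}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None):
    """Return (question, token); the token goes in a hidden form field."""
    rng = secrets.SystemRandom()
    a, b = rng.randrange(11), rng.randrange(11)
    op = rng.choice(sorted(OPS))
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    question = f"What is {WORDS[a]} {op} {WORDS[b]}? Answer in digits."
    token = f"{issued}:{nonce}:{_sign(OPS[op](a, b), issued, nonce)}"
    return question, token


def check_registration(form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict of str."""
    if form.get("i_am_a_spammer"):          # honeypot checkbox was ticked
        return False, "honeypot"
    try:
        issued, nonce, mac = form["token"].split(":")
        answer, issued = int(form["answer"]), int(issued)
    except (KeyError, ValueError):
        return False, "malformed"
    now = now if now is not None else time.time()
    if not 0 <= now - issued <= MAX_AGE:
        return False, "expired"
    # Recompute the MAC for the submitted answer and compare in constant time.
    # A solved token can be replayed until it expires unless nonces are recorded.
    expected = _sign(answer, issued, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "wrong answer"
    return True, "ok"
```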


[fossil-users] Captcha and blind and visually impaired users

2014-10-05 Thread Rob

Hello,

As it stands, Fossil is using ASCII art to display captchas.
Unfortunately, this is impossible to interpret for screen reader
users, i.e. the blind and visually impaired.
For the anonymous user this is not an issue, as it is possible to
autofill the password, however when a new user wishes to register,
there is no such option for the captcha.
Is there a way to add this autofill feature, possibly as a toggleable
option, to Fossil's web ui for registering users?

As a sidenote, I've compiled Fossil on a Raspberry Pi and I have to
say I am very satisfied so far!

Cheers,
Rob


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-05 Thread Stephan Beal
On Sun, Oct 5, 2014 at 1:33 PM, Rob robjo...@gmail.com wrote:

> For the anonymous user this is not an issue, as it is possible to
> autofill the password, however when a new user wishes to register,
> there is no such option for the captcha.
> Is there a way to add this autofill feature, possibly as a toggleable
> option, to Fossil's web ui for registering users?


The comments in the admin pages imply that the autocaptcha option for that
page was left out intentionally. Given that, and the ability of bots
(nowadays) to work with JS code (autocaptcha was added a short while before
bots which can run JS code became common), i'd be hesitant to want to see a
repo have such a feature. i see the utility for the corner case of visually
impaired, but i have seen a repo get ravaged by bots (due to bad
permissions on my part, not a bug in fossil), so i know they can run the JS
to get past the autocaptcha. My instinct is that the safety of the masses
outweighs the benefit for the minority in this case, at least for the
registration page (as opposed to the anonymous login page, since the
anonymous user tends to have fewer rights than users). It is an inherent
property of Fossil that any bot-injected content (wiki and tickets, in my
case) is there to stay forever, polluting the affected repository forever
unless it is feasible to restore from a backup.

i.e. what i'm afraid of is that once you start hosting a repo with such an
option for the registration page, some bot is going to come along, register
himself, and start flooding your tickets and wiki pages with... whatever it
is that bots fill tickets and pages with.

> As a sidenote, I've compiled Fossil on a Raspberry Pi and I have to
> say I am very satisfied so far!


FYI: i occasionally post Pi and ODroid binaries here:

http://fossil.wanderinghorse.net/fossil/binaries/unofficial/

The Pi/ODroid are currently playing Home Entertainment System(s) on the tv,
but i'll get the binaries updated next time they're booted into Linux.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Freedom is sloppy. But since tyranny's the only guaranteed byproduct of
those who insist on a perfect world, freedom will have to do. -- Bigby Wolf


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-05 Thread Rob

Hi,

Legend has it that on 05/10/2014 18:55, the fair wind whisper'd the
words of Stephan Beal:
> i.e. what i'm afraid of is that once you start hosting a repo with
> such an option for the registration page, some bot is going to come
> along, register himself, and start flooding your tickets and wiki
> pages with... whatever it is that bots fill tickets and pages
> with.
I think moderation can be helpful in this case, but it is a fairly
thin line. If registering is too easy (i.e. it has no captcha or has
something that can be defeated easily), bots might end up spamming the
repository as you said. If the registration is too hard (e.g. takes
too much time or is unsolvable), users are not going to register to
report bugs, contribute to the wiki, etc.
I can disable the self-register option, but in most cases, users would
rather self-register than contact me for a registration request.
I could probably create a help page detailing how to get repository
access using the anonymous user for those who need it, but I'd rather
see actual usernames associated to tickets or to wiki entries than one
anonymous user.

> FYI: i occasionally post Pi and ODroid binaries here:
>
> http://fossil.wanderinghorse.net/fossil/binaries/unofficial/
>
> The Pi/ODroid are currently playing Home Entertainment System(s) on
> the tv, but i'll get the binaries updated next time they're booted
> into Linux.
 
This is great to know, thank you!

Rob


Re: [fossil-users] Captcha and blind and visually impaired users

2014-10-05 Thread Stephan Beal
On Sun, Oct 5, 2014 at 7:34 PM, Rob robjo...@gmail.com wrote:

> repository as you said. If the registration is too hard (e.g. takes
> too much time or is unsolvable), users are not going to register to
> report bugs, contribute to the wiki, etc.


Agreed completely, but most people, i assume, who are contributing to the
wiki and tickets are capable of entering a captcha?

To be clear: i'm not saying no, we can't, i'm just voicing concern for
automated repo pollution which such a combination creates.

> I can disable the self-register option, but in most cases, users would
> rather self-register than contact me for a registration request.


A moderation step is essentially the same thing as registration via email to
the admin, but arguably requiring less effort on the admin's part
(checking the timeline page periodically for pending moderation requests,
and clicking accept/deny for each request).

> I could probably create a help page detailing how to get repository
> access using the anonymous user for those who need it, but I'd rather
> see actual usernames associated to tickets or to wiki entries than one
> anonymous user.


But do you want robots to be included in those tickets? i once had a repo
where the anonymous user had (due to an error on my part) privileges which
allowed him to edit wiki pages and create tickets. Over a span of a few
weeks, it injected dozens of entries via the anonymous account (where
autocaptcha was active). It remained undetected because it was clever
enough to know not to edit the configured home wiki page, so the site
looked okay to casual observers. As i was the only contributor to that
repo, there was no need for me to follow the timeline, or i might have
noticed the problem sooner in the form of timeline entries.

Again: not an objection, just a cautionary tale.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Freedom is sloppy. But since tyranny's the only guaranteed byproduct of
those who insist on a perfect world, freedom will have to do. -- Bigby Wolf