> For unknown domains this question is harder. By the way, is Mozilla planning > to provide email addresses?
I sure hope not. We talked about this in 2011, 2012, ... What may look like an email address may happen, though, for FxA, if only visible "internally" to the system we have set up. James ----- Original Message ----- From: "Monica Chew" <[email protected]> To: "Chris Karlof" <[email protected]> Cc: "Ryan Kelly" <[email protected]>, [email protected] Sent: Thursday, October 17, 2013 5:24:12 PM Subject: Re: captcha or similar for account creation? Having a verified email address at a big webmail provider provides some guarantee by proxy that a human is behind the address (or at least has figured out how to abuse the account creation system at the mail provider). http://www.blackhatworld.com/blackhat-seo/seo-other/72970-youtube-gmail-hotmail-yahoo-accounts-highest-quality-lowest-price.html For unknown domains this question is harder. By the way, is Mozilla planning to provide email addresses? Monica ----- Original Message ----- > > On Oct 17, 2013, at 4:44 PM, Ryan Kelly <[email protected]> wrote: > > > > > Hi All, > > > > > > The current Firefox Accounts API does not have any protections around > > account-creation - you submit an email address and password, click the > > verification link, and you're done. > > > > Should we be looking to add a captcha or similar into this flow to > > limit signups to Real Humans Only? > > > > No CAPTCHAs. We're not going to push our problems on our users. > > Which means we need a solution for our problems. So, yeah, I'd prefer some > rating limiting approach. > > I'm not so strongly opposed to context dependent CAPTCHAs or similar things, > e.g., a user has attempted 5 failed logins and the next one is going to > require some extra work. > > -chris > > > > My instinct says no, as we've not had a good experience with captchas > > in the past - IIRC correctly there was a bug filed to disable them in > > the Sync account creation flow because they were more trouble than not. > > > > The alternative is to do request-level rate limiting, which is already > > in the works and could easily be special-cased to add stronger limits on > > the account-creation API. > > > > > > Thoughts? > > > > > > Ryan > > _______________________________________________ > > Sync-dev mailing list > > [email protected] > > https://mail.mozilla.org/listinfo/sync-dev > > _______________________________________________ > Sync-dev mailing list > [email protected] > https://mail.mozilla.org/listinfo/sync-dev > _______________________________________________ Sync-dev mailing list [email protected] https://mail.mozilla.org/listinfo/sync-dev _______________________________________________ Sync-dev mailing list [email protected] https://mail.mozilla.org/listinfo/sync-dev
