Possibility to use reCAPTCHA instead of TextCHA
Would it be possible to include reCAPTCHA as an alternative way of protecting against spammers? I find TextCha really, really annoying. I know, image-based CAPTCHA creates issues for blind people, but I find TextCHA really, really annoying. And it takes way longer to answer some of the questions, for example on MoinMoin.in, than it would with reCAPTCHA. I know, questions are customizable, but still they are really annoying ;)
Plus, reCAPTCHA helps digitize books.
The point of a captcha-like thing is to avoid bots doing bad things (usually spam), while making it not too hard or impossible for interested humans to work with it. It is nice if reCAPTCHA helps digitize books, but this is just a nice side effect.
A general problem I see with centralized services like reCAPTCHA is that if they are broken, they break on a global scale - every site using them will suddenly be a spam target and every spammer will be able to detect that and to exploit that. A site operator basically won't be able to do anything against this except using some other captcha method / provider. Even if there is no breach in the sense that someone writes an algorithm that cracks the captcha, there can be a global breach involving unsuspecting humans (you just require those humans to answer a captcha to view the next picture, play the next round of a game and they will help the spammer solve the captchas). Also, if you use some external service, you depend on it being available. What if the reCAPTCHA service is offline for some hours (or some days)?
Thus, the textcha stuff with questions being configurable by site admin is far superior:
- as every site has its own questions, there won't be a global breach
- as questions are domain specific, unsuspecting humans exploited by some spammer likely won't work
- if a breach happens, site operator can just exchange the broken q/a
- you do not depend on an external service
- if a vision impaired person can "read" your wiki somehow, they can likely also answer textcha questions
So, as some of this might not be obvious to every site admin, I don't see much usefulness in offering worse methods than the one we do offer already.
If you have problems with some site-specific textcha questions, maybe just read the front page of that site. If you still think the questions are impossible or bad somehow or you gave a valid answer and you were rejected, it is time to speak to the site operator about it (preferably via email). He can easily remove a bad question or make it accept additional answers. For moinmo.in, that is: talk to me. -- ThomasWaldmann 2009-03-25 08:38:08
reCaptcha has its place
I believe that reCaptcha has its place in the toolbox of a wiki-defender.
A MoinMoin wiki I use on occasion has a problem with automated vandals rather than spammers. A few minutes recording questions and answers to your site and Perl's handy =~ operator will enable a vandal to automatically deface pages with abandon (the script loads the edit page until it sees a known question). The site administrator can defend by creating new questions. But the vandal can then harvest answers again. Creating new questions every day or two is a major drain on time. reCaptcha is not subject to this type of replay attack.
reCaptcha is primarily an image based captcha (and thus accessible to the deaf), however, it does have an audio component for the blind (transcribing old radio shows), and thus it is accessible to them also.
An algorithm that cracks reCaptcha is unlikely because the images in reCaptcha are the images that state-of-the-art OCR algorithms could not interpret in an ongoing project to digitize the world's great libraries. Someone who can reliably crack them can make a lot more money than spam will pay (and probably has better things to do with their time than write website vandalism scripts).
The unsuspecting human (or room full of low-wage workers) attack works against all captchas. TextCha can also be broken that way; unless the answers are so domain specific that only experts can add to your wiki, a casual read through the wiki will reveal the answers, thus the room of low-wage workers can solve your captcha and a motivated vandal will have no problem. As an example of a motivated vandal, 4chan members spent a week solving captchas to game the Time 100 poll to spell "Marblecake also the game." The purpose of a captcha is to make misuse more expensive or difficult. It cannot eliminate it.
reCaptcha or any external service becoming unavailable is a good point. However, MoinMoin's offering could easily address that problem by providing an alternate local textCha as a backup - or even allowing the administrator to designate a list of fall-backs.
I have a problem with my wiki at www.railpassenger.org. It uses textCha but I get several spams a week. I have no way of knowing how they are getting by the textCha, or what answer they are using.
Please look into the logging, or enable logging if you haven't yet; see the examples at logging. Try to find out if the spammer knows the answer of the textcha. I have also seen that you run 1.9.2. Please upgrade to 1.9.3. Have a look at SecurityFixes.
My dilemma is this: I want to make it easy for random humans to edit, so I don't want to make the questions too hard. Yet I am wasting time with spam. This makes me think hard about continuing to use MoinMoin for new sites. I am lazy and don't like to have to deal with spam. If reCaptcha is just a "set it up and it works" solution, I would go for it in an instant. It takes too long to come up with good questions that foil spammers and are easy for humans to answer, and people are more familiar with answering captchas anyhow. -- JohnGoerzen 2010-09-29 13:40:42
So textCha has the advantages that it is local and, if properly implemented, domain specific and thus more expensive for a randomly chosen human to answer. It, however, is weak to replay attacks due to a small database size and requires maintainer attention and creativity when it is broken. reCaptcha would be a good alternative to have available because its un-replay-ability requires constant attention from a group of humans to solve the captchas and, once set up, requires little administrator attention. Its weakness as an external service could be fixed by using a local service when the external one was not available. -- 99.135.9.191 2009-11-18 05:42:36
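The fall-back arrangement proposed in the comments above, as an added sketch that is not MoinMoin code or any participant's patch: an external captcha is asked first and a site-local textcha decides only when the external service is unreachable. The class names, the `backend` callables and the sample question are assumptions made for illustration; no real captcha API is called.

```python
import re

class ProviderUnavailable(Exception):
    """The captcha provider could not be reached or could not answer."""

class LocalTextCha:
    """Site-local questions; each answer is a regex (constructed sample data)."""
    def __init__(self, questions):
        self.questions = {q: re.compile(a, re.I) for q, a in questions.items()}

    def verify(self, question, answer):
        pattern = self.questions.get(question)
        # Unknown question or missing answer is a failure, never a pass.
        if pattern is None or not answer:
            return False
        return pattern.fullmatch(answer.strip()) is not None

class ExternalCaptcha:
    """Stand-in for a hosted captcha; `backend` is a hypothetical callable."""
    def __init__(self, backend):
        self.backend = backend

    def verify(self, challenge, answer):
        return self.backend(challenge, answer)  # may raise ProviderUnavailable

def verify_with_fallback(providers, submissions, log):
    """Ask providers in order. Only an outage moves on to the next one; a wrong
    or missing answer at a reachable provider rejects the edit, so a client
    cannot pick the weaker check by omitting a field. Returns (passed, name)."""
    for name, provider in providers:
        challenge, answer = submissions.get(name, (None, None))
        try:
            return provider.verify(challenge, answer), name
        except ProviderUnavailable:
            log.append("captcha provider %r unavailable, trying next" % name)
    log.append("no captcha provider reachable, rejecting")
    return False, None

def backend_up(challenge, answer):      # constructed: service reachable
    return answer == "expected-token"

def backend_down(challenge, answer):    # constructed: service outage
    raise ProviderUnavailable("timeout")

TEXTCHA = LocalTextCha({"Which wiki engine runs this site?": r"moin(moin)?"})

def chain(backend):
    return [("external", ExternalCaptcha(backend)), ("textcha", TEXTCHA)]
```

While the external service is down the site is protected only by its local questions, so each fall-back is written to `log` where the operator can see how often the weaker check is deciding.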
Is there a good patch for recaptcha support? It is a bit late because 1.9 is soon to be released, but a non-intrusive, well-written patch could be considered. If not doable for 1.9, someone wanting to do this is invited to help with 2.0. -- ThomasWaldmann 2009-11-18 07:12:04
I have a simple recaptcha implementation I'm working on at the moment, loosely based on the existing textcha interface and using python-recaptcha to provide the backend. I've only plumbed into newaccount.py so far, as that's the only place I'm caring about yet. I'll send a patch to the -devel list shortly -- SteveMcIntyre
Codereview about this: https://codereview.appspot.com/70400043/ (see feedback there)