XSF Discussion - 2018-09-22

Anyone an idea how xep401 can be combined with IBR CAPTCHA?

asd

f ✏

ghjkl

Oh that nasty thing

marc, you present the captcha challenge in the returned form after account creation request? (5.4 / Example 6) ✏

marc, and s/IBR Captcha/XEP-158/

Maranda: nasty?

The xep number is nasty for sure 😜

😶

(and for all the security implications it has, so 401 is befitting :P)

Has anybody more useful / non-trolling comments / ideas?

Abort, Retry, Ignore

marc: Sorry. I didn't notice the original question. And I tought 301 at first.

Captcha for whom? And why?

Zash: I think capcha should at least be supported during ibr via invitation to avoid automatic account creation on public services

But it's not possible to advertise captcha and 401 in ibr if I understand the XEP correctly

Why do you think that?

Would the one creating the invite be the one doing the captcha or the one being invited?

With reservation for not having read it in detail recently, I see there are forms, can you stick media elements in those?

Or however captchas work

Zash: the invitee I would say

marc, the fact you should return the xep-158 captcha in the presented form in request response is trolling are you serious?

ibr needs to be secured it doesn't need captcha, there're other ways to protect from automated registrations

The security concern in that xep *is spam bots* potentially abusing invites, IBR being flawed is another matter

and should you be concerned about captcha support in clients just use another out of band verification, e.g. email/token based, and have users insert the token in the invite form. The same goes for IBR, you need to support dataforms to use this XEP anyways and same goes for server needing to support extended IBR fields.

I'd suggest rather limiting the number of invites that can be sent (per user and/or time)

Combine with marketing to make them seem exclusive

Zash, you can easily go around that e.g. 1 spam bot registering can send at least one invite out.

I had this same argument when this xep got brought out time ago. ✏

If the goal is to make it easy for users, it will also make it easy for spammers. No way around that.

Indeed

If they do exploit it that way, then the data of who invited who could be used to find potentially related spam bot accounts

or rather pre-create accounts

That sounds like it should be up to local policy

Anyways if the problem is media elements support in forms by clients you can easily solve that OOB. (and any protection obviously makes it a "Less Easier User Onboarding")

Okay, seems that I implement it without captcha first :-/