-
marc
Anyone an idea how xep401 can be combined with IBR CAPTCHA?
-
lovetox
asd
-
jonas’
f
-
!xsf_martin
ghjkl
- Maranda has no clue what xep 401 is about tbh, *goes looking*
-
Maranda
Oh that nasty thing
-
Maranda
marc, you present the captcha challenge in the returned form after the account creation request? (5.4 / Example 6)
-
Maranda
marc, and s/IBR Captcha/XEP-158/
-
marc
Maranda: nasty?
-
Maranda
The xep number is nasty for sure 😜
-
marc
😶
-
Maranda
(and for all the security implications it has, so 401 is befitting :P)
-
marc
Has anybody more useful / non-trolling comments / ideas?
-
Zash
Abort, Retry, Ignore
-
Zash
marc: Sorry. I didn't notice the original question. And I thought 301 at first.
-
Zash
Captcha for whom? And why?
-
marc
Zash: I think captcha should at least be supported during IBR via invitation to avoid automatic account creation on public services
-
marc
But it's not possible to advertise captcha and 401 in IBR if I understand the XEP correctly
-
Zash
Why do you think that?
-
Zash
Would the one creating the invite be the one doing the captcha or the one being invited?
-
Zash
With reservation for not having read it in detail recently, I see there are forms, can you stick media elements in those?
-
Zash
Or however captchas work
-
marc
Zash: the invitee I would say
-
Maranda
marc, the fact that you should return the XEP-158 captcha in the form presented in the request response is trolling? Are you serious?
-
Maranda
IBR needs to be secured, it doesn't need captcha; there are other ways to protect from automated registrations
-
Maranda
The security concern in that XEP *is spam bots* potentially abusing invites, IBR being flawed is another matter
-
Maranda
and should you be concerned about captcha support in clients, just use another out-of-band verification, e.g. email/token based, and have users insert the token in the invite form. The same goes for IBR: you need to support data forms to use this XEP anyway, and the same goes for the server needing to support extended IBR fields.
-
Zash
I'd suggest rather limiting the number of invites that can be sent (per user and/or time)
-
Zash
Combine with marketing to make them seem exclusive
-
Maranda
Zash, you can easily get around that, e.g. one spam bot registering can send at least one invite out.
-
Maranda
I had this same argument when this XEP got brought out some time ago.
-
Zash
If the goal is to make it easy for users, it will also make it easy for spammers. No way around that.
-
Maranda
Indeed
-
Zash
If they do exploit it that way, then the data of who invited who could be used to find potentially related spam bot accounts
- Maranda is particularly against not making it clearer in the XEP that only admins should be able to create accounts
-
Maranda
or rather pre-create accounts
-
Zash
That sounds like it should be up to local policy
-
Maranda
Anyway, if the problem is media element support in forms by clients, you can easily solve that OOB. (and any protection obviously makes it a "Less Easier User Onboarding")
-
marc
Okay, seems that I'll implement it without captcha first :-/