XSF Discussion - 2018-09-22


  1. marc

    Anyone have an idea how xep401 can be combined with IBR CAPTCHA?

  2. lovetox

    asd

  3. jonas’

    g

  4. jonas’

    f

  5. !xsf_martin

    ghjkl

  6. Maranda has no clue what xep 401 is about tbh, *goes looking*

  7. Maranda

    Oh that nasty thing

  8. Maranda

    marc, you present the captcha challenge in the returned form after account creation? (5.4 / Example 6)

  9. Maranda

    marc, you present the captcha challenge in the returned form after account creation request? (5.4 / Example 6)

  10. Maranda

    marc, and s/IBR Captcha/XEP-158/

  11. marc

    Maranda: nasty?

  12. Maranda

    The xep number is nasty for sure 😜

  13. marc

    😶

  14. Maranda

    (and for all the security implications it has, so 401 is befitting :P)

  15. marc

    Has anybody more useful / non-trolling comments / ideas?

  16. Zash

    Abort, Retry, Ignore

  17. Zash

    marc: Sorry. I didn't notice the original question. And I thought 301 at first.

  18. Zash

    Captcha for whom? And why?

  19. marc

    Zash: I think captcha should at least be supported during ibr via invitation to avoid automatic account creation on public services

  20. marc

    But it's not possible to advertise captcha and 401 in ibr if I understand the XEP correctly

  21. Zash

    Why do you think that?

  22. Zash

    Would the one creating the invite be the one doing the captcha or the one being invited?

  23. Zash

    With reservation for not having read it in detail recently, I see there are forms, can you stick media elements in those?

  24. Zash

    Or however captchas work

  25. marc

    Zash: the invitee I would say

  26. Maranda

    marc, the fact you should return the xep-158 captcha in the presented form in the request response is trolling? Are you serious?

  27. Maranda

    ibr needs to be secured; it doesn't need captcha, there're other ways to protect from automated registrations

  28. Maranda

    The security concern in that xep *is spam bots* potentially abusing invites, IBR being flawed is another matter

  29. Maranda

    and should you be concerned about captcha support in clients just use another out of band verification, e.g. email/token based, and have users insert the token in the invite form. The same goes for IBR, you need to support dataforms to use this XEP anyways and same goes for server needing to support extended IBR fields.

  30. Zash

    I'd suggest rather limiting the number of invites that can be sent (per user and/or time)

  31. Zash

    Combine with marketing to make them seem exclusive

  32. Maranda

    Zash, you can easily get around that, e.g. 1 spam bot registering can send at least one invite out.

  33. Maranda

    I had this discussion when this xep got brought out time ago.

  34. Maranda

    I had this same argument when this xep got brought out time ago.

  35. Zash

    If the goal is to make it easy for users, it will also make it easy for spammers. No way around that.

  36. Maranda

    Indeed

  37. Zash

    If they do exploit it that way, then the data of who invited who could be used to find potentially related spam bot accounts

  38. Maranda is particularly against not making it clearer in the XEP that only admins should be able to create accounts

  39. Maranda

    or rather pre-create accounts

  40. Zash

    That sounds like it should be up to local policy

  41. Maranda

    Anyways if the problem is media elements support in forms by clients you can easily solve that OOB. (and any protection obviously makes it a "Less Easier User Onboarding")

  42. marc

    Okay, seems that I'll implement it without captcha first :-/