Implemented Add hCaptcha support

[hCaptcha]

Hello,

Some of our users for hCaptcha.com have requested XenForo support.

Since XenForo offers a variety of built-in captchas already, it seems like the best answer is to directly integrate hCaptcha as well.

Our API is compatible with reCAPTCHA, so it typically takes only a few minutes to port over existing implementations.

Would you be interested in doing so, or taking patches from us that add support?

 

[Ozzy47]

Try opening an incognito window in a different browser and you'll likely see captchas fail as you expect.

That makes absolutely no sense, pass is pass, fail is fail. If I can make a fail pass ten times over in a row, a bot surely could produce the same thing.

 

[hCaptcha]

That makes absolutely no sense, pass is pass, fail is fail. If I can make a fail pass ten times over in a row, a bot surely could produce the same thing.

A pass is not in fact always a pass. You can read a bit more about this approach here: https://en.wikipedia.org/wiki/Shadow_banning

 

[Ozzy47]

I can see a use case for shadow banning, but I would expect a captcha to fail a user upon trying to register rather than faking them out and letting them think they passed.

Should it be a legitimate user trying to register on my site, and they fail the captcha, but they think they passed, what happens to the attempted registration process?

 

[Slavik]

Right once again the "usual suspects" have jumped on a potential new provider/service with unjustified hostile comments, criticism and skepticism.

It has gone beyond tiresome now and only serves to off put potential developers and service providers which may have fantastic products that may or may not one day end up in XenForo or as an addon. If it happens again, we will look at removing or restricting posting privileges.

If hCaptcha want to release an addon integrating their service, then I suggest users try it and evaluate it on its actual effectiveness on their site, before becoming so negative.

I personally welcome them to give it a go in every forum owners battle against spam.

 

[Ozzy47]

I welcome them as well, just trying to find out as much information as I can. Sorry you do not have time to ask questions but you should not look down upon those that do have the time to test out the product, ask questions, and try to improve it.

 

[Slavik]

I welcome them as well, just trying to find out as much information as I can. Sorry you do not have time to ask questions but you should not look down upon those that do have the time to test out the product, ask questions, and try to improve it.

Ozzy, this is a recurring theme that has not gone unnoticed by the staff.

Someone new comes into the community either wanting to learn, offer a product, or a service and they just get jumped on, with over critical comments or finger pointing and suspicions, frankly its an attitude that has to stop.

Suggestions and questions are fine, but the hostility and harsh criticisms are not going to be accepted any longer.

 

[Ozzy47]

Ok, back on topic:

I can see a use case for shadow banning, but I would expect a captcha to fail a user upon trying to register rather than faking them out and letting them think they passed.

Should it be a legitimate user trying to register on my site, and they fail the captcha, but they think they passed, what happens to the attempted registration process?

In a addon I had coded before for another forum platform, it would fake out bots allowing them to think they were successful in registering but it would only affect bots, there was no way (well 99.99999%) that a human would get caught up in the fake out process. So that is why I ask about what happens to a user during the registration process.

 

[hCaptcha]

Ok, back on topic:



In a addon I had coded before for another forum platform, it would fake out bots allowing them to think they were successful in registering but it would only affect bots, there was no way (well 99.99999%) that a human would get caught up in the fake out process. So that is why I ask about what happens to a user during the registration process.

The limitation there is that there are malicious humans as well, so an ideal system should be able to distinguish multiple types of abusive behavior.

In our case, for enterprise customers we provide a granular stream of abuse analysis they can use to evaluate whether a particular new user or protected site action is likely to be problematic.

There's an intrinsic tradeoff between making more info available and making your system easier to defeat, so we're still working on which features we can make available to everyone. If you want more traditional captcha behavior on the free account, just move the difficulty slider to Hard.

 

[Ozzy47]

Wait, there are different levels a customer can have? I have not seen anything on the hCaptcha site not on my dashboard to indicate this. Can you point me to a link that describes the various plans you offer?

 

[hCaptcha]

Wait, there are different levels a customer can have? I have not seen anything on the hCaptcha site not on my dashboard to indicate this. Can you point me to a link that describes the various plans you offer?

Right now the enterprise version is invite-only, but we'll likely make a formal announcement this year. If you happen to run a large or high-value site with a fraud problem you can direct message me for more info, and we can figure out whether it'd be useful for you.

 

[Ozzy47]

Good to know. At this point I will wait till the formal announcement and if and when there is a addon released, that way a true assessment of the service you are providing can be evaluated.

Thanks for the info and I wish you the best of luck.

 

[Nicolas FR]

Finally it ends well

 

[dvsDave]

Cloudflare just switched from ReCaptcha to hCaptcha

Not an insignificant endorsement!

Moving from reCAPTCHA to hCaptcha

We recently migrated the CAPTCHA provider we use from Google's reCAPTCHA to a service provided by the independent hCaptcha. Since this change potentially impacts all Cloudflare customers, we wanted to walk through the rationale in more detail.

blog.cloudflare.com

 

[RobinHood]

Cloudflare just switched from ReCaptcha to hCaptcha

Not an insignificant endorsement!

Moving from reCAPTCHA to hCaptcha

We recently migrated the CAPTCHA provider we use from Google's reCAPTCHA to a service provided by the independent hCaptcha. Since this change potentially impacts all Cloudflare customers, we wanted to walk through the rationale in more detail.

blog.cloudflare.com

Was just about to post this, pretty big deal for @hCaptcha!

 

[Onlyme]

Google is now charging for use of its reCAPTCHA tool – but customer privacy and availability were other factors.

 

[dvsDave]

Google is now charging for use of its reCAPTCHA tool – but customer privacy and availability were other factors.

Yup, and I would love to see this supported as an addon or if someone could figure out how to add it as an alternative to recaptcha on Xenforo installs.

 

[Onlyme]

Yup, and I would love to see this supported as an addon or if someone could figure out how to add it as an alternative to recaptcha on Xenforo installs.

I've seen it popping up all over the place now. We definitely need this

 

[Lukas W.]

I'll leave this here in the meantime. No warranty and no support though, just a weekend project while I was waiting for some import to finish.

 

[Nirjonadda]

@Lukas W. Installed and working. So API key are not required?

API key- Use this for /user management endpoints, like adding more sitekeys to your account. Do not use this as your/siteverify secret; this will not work.

 

[dvsDave]

@Lukas W. Installed and working. So API key are not required?

You set the API key here: youdomain.com/admin.php?options/groups/usersAndRegistration/