Les #hCaptcha c'est de la merde...
Voilà les captcha textes (donc sensés être accessibles) proposés par discord.
Pour pouvoir accéder au site, il faut prouver que vous êtes un humain et pour ce faire, répondre (texte libre) à une question qui clairement n'a pas été écrite par un humain.
Brilliant! #PayPal now uses #HCaptcha too! SO I now can't log into it because no matter what you change the cookie will just not set, and they don't enable the text option. I apparently now need to switch to stripe to accept payments, I'm being locked out of a business account here because of this bullshit!
Pixelfed.social hat einen captcha eingebaut! Ich bin schwer enttäuscht. Dabei wollte ich doch so gern die Fotos von der #LetzteGeneration in #Hamburg#Altona mit Euch teilen.
Schade, so werde ich das nicht weiter nutzten, denke ich mal.
@annaelbe@OrntLaOkro Oh, das ist leider wirklich ein guter Punkt, insbesondere, weil #pixelfed doch so betont, dass Userdaten nicht weitergegeben werden.
Gibt es denn andere Instanzen, die ohne #hCaptcha auskommen? Und kann eins das vorher testen, ohne einen Account anzulegen?
Re last: Please please please, don't use #HCaptcha! We blind people call it HateCaptcha, and it's for a reason. Their accessibility so-called innovative technology is simply broken and doesn't work reliably. You can't imagine how much time I spent fighting with this so-called accessibility cookie. Please don't use it, for goodness sake. #MastoAdmin
The Mastodon development team currently suggest enabling #hCaptcha in order to combat the current spam wave in the fediverse.
However, hCaptcha discriminates genuine users with disabilities from accessing your instance. So if people and inclusion are important to you, please just don't. Consider closing your public registrations instead, for the time being.
So, again, #MastoAdmin, please refrain from requiring #hCaptcha on your instance and only use it as a very last resort, when all other measures fail. If you absolutely have to, please provide an alternative sign-up method that safely works without it.
Thank you very much, on behalf of all of us disabled users - and also on behalf of most of the not-quite superhumans here.
P.S. there are also huge privacy concerns with commercial #Captcha services.
I love your whole thread! The feature to stop spam registrations has been there all along, make registrations invite only. The instance users can generate invite links where the person automatically follows them, even. #HCaptcha is inaccessible, even with their text based captcha. I genuinely don't understand why #Mastodon and the #Fediverse at large are so against closing down open registrations, at least until this spam wave has passed. There's enough users across instances now where we can still have an influx of users if that's what they really want. Bonus points, you get to see what user is doing the most inviting. As for how inaccessible HCaptcha is,
The cookie doesn't always work. Not to mention, it won't handle VPN's or unorthodox emails.
The text captcha requires perfect spelling and grammar, and, quite honestly, as a person without any mental challenges I found a lot of these text questions to give me a headache as I try and parce the answer. This makes it inaccessible to people with mental disabilities.
There is no secure method to get an accessibility bypass. The #Privacy issues alone are a huge issue.
The cookies break, often, similar to 1 above but if your cookie breaks, it's gonna be a pain getting another cookie.
I've lost all hope of HCaptcha being a company that cares about accessibility.
I had major trouble getting the accessibility cookie to work in Firefox yesterday, though I eventually solved it by disabling both Privacy Badger and the enhanced tracking protection built into Firefox.
So I e-mailed the company with an accessibility inquiry. I suggested that when requesting an accessibility cookie by e-mail, the user should also be given a code they can enter into the HCaptcha challenge. This would save users from having to deal with cookie problems, and would also allow them to solve a captcha in something like Discord, where the captcha is embedded in the app and there's no way to use the cookie at all.
Support responded and said that it was up to each app developer to implement a way to use the accessibility cookie in their app.
I responded with the following:
> Now it sounds like we're shifting the burden of accommodating HCaptcha onto developers instead of users. Developers want to implement a solution that is accessible already. If they have to design their own UI for accommodating the accessibility cookie, the solution is not accessible. Why is HCaptcha so opposed to solving this problem once so that developers do not have to solve it over and over again?
And they responded:
> The reason is because cookies are supposed to be used in a web browser. If you open Discord or Signal in a web browser, it will work. However since the apps aren't web browsers they won't be able to consume it. We have other clients that have implemented ways to consume the accessibility cookie in their apps, so it's up to the developer.
Am I crazy or does this go 0% of the way to addressing anything I said in the previous e-mail?
Update on that weird text Hcaptcha from yesterday. I left the page alone for a while, came back to discover the whole thing had reset and I had to click the checkbox again to load the challenge, and then it just kinda... went straight through. I guess the answers I gave it were right? I honestly have no idea what happened. I wish I had a better answer than "fixed, bai" but that's all I've got. My guess to the presence of typos is that they're meant to throw off transformer models, but that's a UX choice worthy of an r/asshole design post IMO, especially if you're blind. That's extra brainpower you have to dedicate to fixing the typos in your head as you process the rest of the statement at the same time. It's one of those things where it makes you feel the insanity slowly creeping in from the edges. Not fun. In conclusion: fuck captchaas
This is the text challenge Hcaptcha has given me when I tried adding a discord bot to my server. Yes, the typose are directly copied from the captcha with no edits at all.
"Pleasе answеr the following question with a sіnglе word, number, or phrasе.
Select the most recent four figures of 47-0o6763249"
Does anybody know what this is asking me to input because I genuinely have no idea. I figured the answer is 3249, but I've gone through like 10 of these now with no luck.
Can i just express my amused disgust at the way #hCaptcha has, after multiple people have complained about it's lack of #accessibility, actually managed to make it worse by putting unicode characters for various letters in the instructions on what to click, and by no longer rendering the actual buttons to click but rather making it a single image you have to click at a particular spot on? Like ...it takes skill to be THIS bad and tonedeaf where accessibility is concerned. I salute you. FFS.
So I wrote a blog post for the first time in 5 years, warning about hcaptcha's accessibility account. Long story short, they banned me from the accessibility account because I'm not blind. I am blind, but well, they seem to think not. Please boost, share, etc since this seriously affects me, and it's not ok at all. You can read the full blog post here: https://4mt.me/hcaptchastory
Ok, I emailed #HCaptcha for my issues, and they asked me to try their demo, send them the log it generated, and also asked me to provide my IP address.
WTF, why do people use #HCaptcha for accessibility instead of audio Captcha? I signed up, set the cookie, answer all the questions, and still doesn't work!
Oh look. Another example of hCaptcha ruining my day:
I can't sign up for an email address at email.radio because #hCaptcha sucks, with their stupid accessibility cookie that doesn't work, and their images that I can't see with no audio alternative.
#hCaptcha needs to die!
I can't ever get the accessibility thing to come up, which sucks even when it works. So, do I just go through all 4,357 possible combinations (I think I did the math right) of which images contain <insert_thing_here> or what, since I can't see the CAPTCHA. Surely, I can get it somewhere around the 1,941 mark, right?
A note for #mastodon#admins. Apparently, a beta of mastodon is introducing #HCaptcha. If you aren't aware, this can present #accessibility issues for some #blind users. If their accessibility cookie works, it's fine. However it breaks on a pretty regular basis. I encourage you to either not activate this, or be prepared to disable it temporarily if a blind user tries to sign up and has problems.
What use to be called Calckey is now called, #FireFish?
Well, it's a flaming hot name of fantastic proportions if I have ever heard one...
Great, now I need to refollow the 'other' crowd, again! Good thing most of them I still have in my followers list.., particularly the crowd of 'CheeseCakes', which sadly makes up most of that list!
@queenslight Thanks for link! Cannot sign up! Hcaptcha.com accessibility cookie will not set, even after white listing in my adblocker. Firefox 115, here. Using orca on Debian. I'm not touching it again; this shit is BROKEN!!! #accessibility#EpicFail#hcaptcha#firefish 😠
There's something so abhorrent to me about not only #CAPTCHA, but CAPTCHA without an audio option, and no I'm not discussing #hCAPTCHA in this instance. No cookie here. Just pure, unadulterated inaccessible crap. 'Slide to complete the puzzle' and that's the lot... Great.
At this point I am literally just begging you to stop putting hCaptcha in your apps. Please. I don't know what else to do. Please. Please don't do it. If it's on a website we at least have a chance. As bad a chance it might be. But if it's in your app anyone who can't do a captcha is completely locked out. So please. Do not do it.
PSA: If Discord offers you to set a new nickname and you use a screen reader, better to do that on mobile. I just got the request on the desktop app, but after reading some horror stories of people getting stuck due to the #HCaptcha, even after solving multiple text answers which would either cause them to be locked out or forced to do an image captcha, I quit out of the app and tried doing the procedure on my phone which appeared to work for at least one person. The mobile app also asked me if I was human, but pressing confirm was enough to let me through.
The reason I'm suggesting this, is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.
But do note this comment on the PR:
“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”
Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.
Please have a look at this excellent reply for more details: