Remove CCaptcha from the core

Although CAPTCHA is a common feature, I think that its use should be strongly discouraged because of accessibility problems for visually impaired users, so it should be removed from the core (it could be available as an extension).

Captcha alternatives could be evaluated, such as Bad Behavior or others.

Surely reCAPTCHA would be a better solution and there’s an API built for it in ZF which could be used easily enough.

reCaptcha carries its own API, freely available from Google.

It’s a piece of cake to implement. :)

The reason why it can’t be a standard part of Yii is that it requires you to get a set of API keys.

Maybe it should be re-evaluated and its API made more friendly to implement different captchas? I, for example, for my projects use asciigen captcha created by SamDark ( - implementing that required to somewhat hack the code because captcha isn’t requested by a separate http request, but embedded into the page.

Moreover, reCaptcha is a better CAPTCHA but it has problems too. The "audio captcha" is only available in English and reCAPTCHA can usually be defeated with an OCR software in 5-6 attempts.

Not a good idea.

Its usage is optional, but implementation should be standardized.

Other variants (recaptcha etc) may be available via package manager and it is up to developer to implement whatever variant is needed for a particular website (e.g. for visually impaired users).

+1 Vote to keep it as it is with the core.

CAPTCHAs are a very bad idea and an accessibility disaster.

Moreover, standardized CAPTCHAs are more prone to be defeated because everybody uses them.

How about MotionCaptcha?

-> http://www.josscrowc…-jquery-plugin/

About removing it from the core: is it in the core in the first place?

I thought it was part of Zii?

<edit>No, it’s core - my mistake.</edit>

How would this help visually impaired users?

I would like to hear your suggestions, Ekerazha. ;)

But I do agree that captcha does not belong in core.

It could be moved to Zii.

Ah yea forgot about that :P. Might be best suited to the package manager then.

Nothing is really foolproof, and that motion one seems like a good idea, but just trying the demo a few times threw up a few usability issues; for example, you need to draw an arrow but can’t release the click, potentially confusing for the more novice internet user.

Premise 1: everything that is easily readable by a reader for visually impaired people is easily readable by a spam bot too.

Premise 2: a “standardized” CAPTCHA (this is true for every anti-spam method) can be an easy target for spammers, because defeating the standard Yii CAPTCHA (actually it’s not so difficult with an OCR software) they defeat the CAPTCHA of every Yii website which uses it.

reCAPTCHA does a decent job because of the audio CAPTCHA, unfortunately it’s only available in English language, so it’s still a major issue.

So… I’m for removing CCaptcha from the core (for the reasons that I’ve already explained). Alternatives could be systems like Bad Behavior and/or techniques based on hidden form fields or logical questions like these…i-spammer-tool/ . They’re not perfect solutions, however we remove and discourage the accessibility disaster of CAPTCHAs (moreover, I think that the current CCaptcha is not more effective than these solutions).

Some cues

Side note: actually, zii is part of the core, the zii directory is still there because of BC reasons ( ).

What would be really cool is if someone would make an Akismet extension for Yii. :)

I agree that standard measures are much less effective than custom ones.

An example:

The Ogre3d forum (been a moderator there since 2005) is a very popular target for spammers, and nothing could keep them out.

Then someone got the brilliant idea of making a custom mod which automatically flags new posts as posts to be approved of before they’re shown if they contain certain link patterns, images, etc.

It’s extremely effective.

I was very reluctant to install it at first, but I did - and now we have very close to zero spam.

Compared to the usual 20 or 30 or so spam incidents a day.

Since there is only one such phpbb3 mod in the world, no one can prepare for it in advance… ;)

Akismet and approval tools are suitable for certain uses (forum messages, blog comments, etc.) but not really suitable for other things (like protecting e-mail contact forms from spam flooding, etc.).

Logic questions are easy to implement by just using cform so any addition to that isn’t required.

In my experience, logic questions you have to change constantly.

We have/had that too, but they broke it all the time…

That’s because it’s easy to code a bot that parses logical questions in a given format (and that’s why it’s better to not “standardize” them).

My proposal is to remove CCaptcha from the core because CAPTCHAs are a serious accessibility issue and their use should be discouraged. It can be moved to an external extension if somebody really wants to use them. I think we don’t really need a replacement inside the framework core, but there could be an article in the cookbook with examples of some alternatives (techniques based on hidden form fields, logical questions, etc.). A Bad Behavior based extension would be nice too.
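
The hidden-form-field technique mentioned in the thread, sketched as an added example; it is not part of any poster's message and is not Yii code. It pairs a decoy field with an HMAC-signed render time, and the timing check goes beyond what the thread describes. The field names, thresholds and key are assumptions.

```php
<?php
// Added example (plain PHP, no framework). All names below are hypothetical.
// The decoy input should be hidden with CSS and also kept away from assistive
// technology and autofill (aria-hidden="true", tabindex="-1", autocomplete="off"),
// otherwise screen-reader users or browsers may fill it in.
const HONEYPOT_FIELD   = 'website';  // decoy field a person never sees
const MIN_FILL_SECONDS = 3;          // faster than this looks automated
const MAX_AGE_SECONDS  = 3600;       // stale form renders are rejected

// Called when the form is rendered; the result goes into a hidden "form_token" input.
function issueFormToken(string $key, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $key);
}

// Returns [bool $accepted, string $reason] for a submitted form.
function checkSubmission(array $post, string $key, int $now): array
{
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        return [false, 'honeypot field was filled in'];
    }
    $raw   = $post['form_token'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2 || !preg_match('/^\d{1,12}$/', $parts[0])) {
        return [false, 'missing or malformed token'];
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $issued, $key), $mac)) {
        return [false, 'token signature mismatch'];
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) return [false, 'submitted too quickly'];
    if ($age > MAX_AGE_SECONDS)  return [false, 'form expired'];
    return [true, 'ok'];
}

// Constructed sample submissions (not real traffic).
$key   = 'replace-with-a-random-server-side-secret';
$t0    = 1700000000;
$token = issueFormToken($key, $t0);
$samples = [
    'person, 20 s'   => [['website' => '',         'form_token' => $token],          $t0 + 20],
    'fills decoy'    => [['website' => 'http://x', 'form_token' => $token],          $t0 + 20],
    'instant post'   => [['website' => '',         'form_token' => $token],          $t0 + 1],
    'forged token'   => [['website' => '',         'form_token' => "$t0.deadbeef"],  $t0 + 20],
];
foreach ($samples as $label => [$post, $now]) {
    [$ok, $why] = checkSubmission($post, $key, $now);
    printf("%-14s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $why);
}
```

A valid token can be replayed until it expires, so this only raises the cost for generic bots; a bot written for one specific site can leave the decoy empty and wait, which is the same standardization weakness raised above.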