Tasks related to the WMF FY2024-25 WE4.2.3 hypothesis on CAPTCHAs:
If we build an evaluation framework using publicly available technologies similar to the ones used in previous attacks we will learn more about the efficacy of our current CAPTCHA at blocking attacks and could recommend a CAPTCHA replacement that brings a measurable improvement in terms of the attack rate achievable for a given time and financial cost.
@acooper, what would be the producer of the captcha? Is it code we write and own? If so, this should be easy. If not, we have ways, but it kind of depends on the structure of the events sent.
We need to do something like this schema: https://schema.wikimedia.org/repositories/secondary/jsonschema/analytics/mediawiki/ip_reputation/score/current.yaml
Is this where the request gets blocked if the score if >x? If so we don't need to do that next quarter.
We can probably just create an instance under https://openstack-browser.toolforge.org/project/security-tools
Can defer this until spoken to the decision science team for advice
hCaptcha provides some reference nginx implementations of option 3, which frankly looks like something we could easily implement as an extremely simple helm chart. Note that their example uses the remote IP as an identifier, which we would need to change, and amazingly generates a 128 bit hash, which is not what they suggest in the documentation (and that was leaving me perplexed).
Looking at the nginx example from hcaptcha enterprise documentation the proxy works based on domain names rather than URL paths:
Noting also the description is rather out of date