captcha or similar for account creation?

James Bonacci jbonacci at mozilla.com
Thu Oct 17 17:39:31 PDT 2013


> For unknown domains this question is harder. By the way, is Mozilla planning to provide email addresses?

I sure hope not. We talked about this in 2011, 2012, ...

What may look like an email address may happen, though, for FxA, if only visible "internally" to the system we have set up.

James


----- Original Message -----
From: "Monica Chew" <mmc at mozilla.com>
To: "Chris Karlof" <ckarlof at mozilla.com>
Cc: "Ryan Kelly" <rfkelly at mozilla.com>, sync-dev at mozilla.org
Sent: Thursday, October 17, 2013 5:24:12 PM
Subject: Re: captcha or similar for account creation?

Having a verified email address at a big webmail provider provides some guarantee by proxy that a human is behind the address (or at least has figured out how to abuse the account creation system at the mail provider).

http://www.blackhatworld.com/blackhat-seo/seo-other/72970-youtube-gmail-hotmail-yahoo-accounts-highest-quality-lowest-price.html

For unknown domains this question is harder. By the way, is Mozilla planning to provide email addresses?

Monica

----- Original Message -----
> 
> On Oct 17, 2013, at 4:44 PM, Ryan Kelly <rfkelly at mozilla.com> wrote:
> 
> > 
> > Hi All,
> > 
> > 
> >  The current Firefox Accounts API does not have any protections around
> > account-creation - you submit an email address and password, click the
> > verification link, and you're done.
> > 
> >  Should we be looking to add a captcha or similar into this flow to
> > limit signups to Real Humans Only?
> > 
> 
> No CAPTCHAs. We're not going to push our problems on our users.
> 
> Which means we need a solution for our problems. So, yeah, I'd prefer some
> rate limiting approach.
> 
> I'm not so strongly opposed to context dependent CAPTCHAs or similar things,
> e.g., a user has attempted 5 failed logins and the next one is going to
> require some extra work.
> 
> -chris
> 
> 
> >  My instinct says no, as we've not had a good experience with captchas
> > in the past - IIRC correctly there was a bug filed to disable them in
> > the Sync account creation flow because they were more trouble than not.
> > 
> >  The alternative is to do request-level rate limiting, which is already
> > in the works and could easily be special-cased to add stronger limits on
> > the account-creation API.
> > 
> > 
> >  Thoughts?
> > 
> > 
> >    Ryan
> > _______________________________________________
> > Sync-dev mailing list
> > Sync-dev at mozilla.org
> > https://mail.mozilla.org/listinfo/sync-dev
> 
> 
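
The two ideas raised in the thread, request-level rate limiting with a stricter special case for the account-creation API and a context-dependent challenge once an account has 5 failed logins, combined in one added example. It is not part of the thread or of the Firefox Accounts code; the route name, the client identifier, the request limits and the window sizes are assumptions.

```javascript
// Added example, not Firefox Accounts code. Route name, limits, windows and
// the client identifier (e.g. source IP) are assumptions.
const DEFAULT_LIMIT = { max: 60, windowMs: 60 * 1000 };
const ROUTE_LIMITS = new Map([
  ['/account/create', { max: 3, windowMs: 60 * 60 * 1000 }], // stricter special case
]);
const FAILED_LOGIN_THRESHOLD = 5;         // "5 failed logins" from the thread
const FAILURE_WINDOW_MS = 15 * 60 * 1000; // assumption

class AbuseGuard {
  constructor(now = () => Date.now()) {
    this.now = now;             // injectable clock so the logic can be tested
    this.hits = new Map();      // [client, route] -> accepted request timestamps
    this.failures = new Map();  // account email -> failed-login timestamps
  }

  // Drop timestamps that fell out of the window; return the ones still live.
  _recent(map, key, windowMs) {
    const cutoff = this.now() - windowMs;
    const live = (map.get(key) || []).filter((ts) => ts > cutoff);
    if (live.length) map.set(key, live); else map.delete(key);
    return live;
  }

  // Sliding-window check. Rejected requests are not counted against the client.
  checkRequest(clientId, route) {
    const { max, windowMs } = ROUTE_LIMITS.get(route) || DEFAULT_LIMIT;
    const key = JSON.stringify([clientId, route]);
    const live = this._recent(this.hits, key, windowMs);
    if (live.length >= max) {
      // live[0] is the oldest accepted request; a slot frees when it expires.
      return { allowed: false, retryAfterMs: live[0] + windowMs - this.now() };
    }
    this.hits.set(key, [...live, this.now()]);
    return { allowed: true, retryAfterMs: 0 };
  }

  // A successful login clears the failure history for that account.
  recordLogin(email, succeeded) {
    if (succeeded) { this.failures.delete(email); return; }
    const live = this._recent(this.failures, email, FAILURE_WINDOW_MS);
    this.failures.set(email, [...live, this.now()]);
  }

  // True once the account has 5 recent failures: the next attempt needs extra work.
  challengeRequired(email) {
    const live = this._recent(this.failures, email, FAILURE_WINDOW_MS);
    return live.length >= FAILED_LOGIN_THRESHOLD;
  }
}
```

Ordinary sign-ups and logins never see a challenge here; only the client that exceeds the creation limit is throttled, and only the account with repeated failures is asked for extra work.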