evaluate django-simple-captcha as a replacement for our current captcha system
while working on donate-neo, i looked into django-simple-captcha as a captcha system for the new donate application. after looking a bit, i decided to start using it, and the current donate-neo code uses django-simple-captcha for the captcha system. it works well, it's extremely simple to implement, and it has audio captchas built in. the only additional (optional) dependencies are sox (sound file conversion) and flite (speech synthesis). django-simple-captcha is also backed by a database, which would immediately fix at least one of the issues we have with the current captcha system (captcha re-use attacks). it even produces captchas that look like the ones we have now!
[image description: a captcha with a lot of noise that says "ZNQS". below the captcha is an html audio element, that sounds like this: b7fd52c4c5e7c268462f303c3c30c711ec7f1ee1]
on the surface, django-simple-captcha seems like the perfect thing to replace our current captcha system. but we should look into it more in-depth, and evaluate other options. in fact, this is a great candidate for an RFC!
so the goals of this ticket are:
- draft a set of requirements for a new captcha system
- find alternative captcha systems that fulfill our goals
- evaluate captcha systems, and pick one
- draft a new TPA-RFC to propose the new captcha system
- seek input from affected groups (TPA, web, anticensorship, applications team, possibly more)
- implement it!
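To make the "captcha re-use attack" point above concrete, here is an added example (written for this ticket; it is not code from django-simple-captcha or from the current donate captcha). It puts a constructed stateless check, where a token that was valid once stays valid forever, next to a database-backed single-use store that deletes the challenge in the same statement that verifies it. The secret, the table layout, the ttl and the sample answer "ZNQS" are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Assumed server secret for the stateless variant; a real deployment would load it from settings.
SECRET = b"example-server-secret"


# --- Variant 1 (constructed weak design): stateless captcha, nothing stored server-side ---
# The form carries an HMAC over the expected answer and the server only checks that the
# submitted answer matches the HMAC. Nothing records that a token has already been spent,
# so one solved captcha can be replayed on every later submission.
def stateless_issue(answer: str) -> str:
    return hmac.new(SECRET, answer.lower().encode(), hashlib.sha256).hexdigest()


def stateless_verify(answer: str, token: str) -> bool:
    expected = hmac.new(SECRET, answer.lower().encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


# --- Variant 2: database-backed, single-use captcha ---
class CaptchaStore:
    """Each issued challenge is a row; verifying it consumes the row."""

    def __init__(self, ttl_seconds: float = 300):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE captcha ("
            "hashkey TEXT PRIMARY KEY, response TEXT NOT NULL, expiration REAL NOT NULL)"
        )
        self.ttl = ttl_seconds

    def issue(self, answer: str) -> str:
        # The hashkey is the only thing the client sees; the answer never leaves the server.
        hashkey = secrets.token_hex(20)
        self.db.execute(
            "INSERT INTO captcha VALUES (?, ?, ?)",
            (hashkey, answer.lower(), time.time() + self.ttl),
        )
        self.db.commit()
        return hashkey

    def verify(self, hashkey: str, answer: str) -> bool:
        # Delete-on-verify in one statement: the first correct submission removes the row,
        # so a replay (or a concurrent second submission) finds nothing to match.
        cur = self.db.execute(
            "DELETE FROM captcha WHERE hashkey = ? AND response = ? AND expiration > ?",
            (hashkey, answer.lower(), time.time()),
        )
        self.db.commit()
        return cur.rowcount == 1


def replay_demo(attempts: int = 3):
    """Submit the same solved captcha `attempts` times against both designs."""
    token = stateless_issue("ZNQS")
    stateless_results = [stateless_verify("ZNQS", token) for _ in range(attempts)]

    store = CaptchaStore()
    key = store.issue("ZNQS")
    stored_results = [store.verify(key, "ZNQS") for _ in range(attempts)]
    return stateless_results, stored_results


def expiry_demo() -> bool:
    """An already-expired challenge must fail even with the right answer."""
    store = CaptchaStore(ttl_seconds=-1)
    key = store.issue("ZNQS")
    return store.verify(key, "ZNQS")


if __name__ == "__main__":
    print(replay_demo())   # stateless accepts every replay, the store accepts only the first
    print(expiry_demo())   # False
```

The two things worth checking in any candidate system are visible here: that a successful verification removes or invalidates the challenge server-side (rather than merely checking a signature the client can resubmit), and that expiry is enforced at verification time, not only by a periodic cleanup job.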