[17:51:55] Why WMF wikis didn’t implement turnstile as a captcha?
[17:52:10] It seems better than FancyCaptcha!
[17:52:42] Most things are better than FancyCaptcha ;)
[17:54:56] Pretty sure that would require fully proxying traffic through Cloudflare
[17:54:57] Then what’s the point to stick to FC? (re @wmtelegram_bot: Most things are better than FancyCaptcha ;))
[17:55:29] time, money, people, investment in resources
[17:55:37] (I know traffic does pass through Cloudflare sometimes now / has before using magic transit but that's network pass only, not fully passing through their entire cdn)
[17:55:45] Cloudflare is trustworthy tho
[17:56:05] Don't disagree but would be a very big move
[17:56:19] I think most of their captchas are big interstitials?
[17:56:40] Sure (re @wmtelegram_bot: I think most of their captchas are big interstitials?)
[17:56:55] Countless sites are using turnstile
[17:57:13] countless sites are using recaptcha too
[17:57:17] doesn't mean we can/should
[17:57:36] ReCaptcha is weak
[17:58:02] ok
[17:58:08] Which most bots can bypass
[17:58:19] You go get community approval for Turnstile
[17:58:20] I'll wait
[17:58:43] Please do
[17:59:01] And someone at the wmf willing to back it
[17:59:01] Create something on Meta or Wikitech?
[17:59:07] Meta probably
[17:59:22] Yes, I’m considering doing so
[17:59:36] After you told me that we can
[18:00:24] I didn't say we can
[18:00:30] I said go get community backing
[18:00:45] You'd also probably need the CTO & General Counsel's backing
[18:01:27] I may talk to a WMF engineer beforehand (re @wmtelegram_bot: You'd also probably need the CTO & General Counsel's backing)
[18:01:50] Tgr? Jon? Who will be interested?
[18:02:19] Jon assuming you mean Jdlrobson no
[18:02:24] Absolutely not his area
[18:02:29] I meant him (re @wmtelegram_bot: Jon assuming you mean Jdlrobson no)
[18:03:05] I know that Tisza is in the area of authentication
[18:03:15] Tgr is core platform but I doubt senior enough to have any sway
[18:03:33] He is going to implement SUL3, which I’m against
[18:03:48] Didn’t see any sense in that
[18:04:09] Current SUL is fair enough
[18:05:53] Let alone Denny: he’s in the area of WikiLambda (re @wmtelegram_bot: Jon assuming you mean Jdlrobson no)
[18:06:16] SUL2 is not suitable
[18:06:22] It's external factors
[18:06:37] Browsers don't like the way SUL2 does things
[18:06:48] WMF kinda has to move with the times
[18:06:50] If whoever I’m talking to takes exception to my opinion, then I won’t start this discussion
[18:07:02] Cookies or caches? (re @wmtelegram_bot: Browsers don't like the way SUL2 does things)
[18:07:15] Cookies
[18:07:35] I'd say you want to be talking to someone on https://meta.wikimedia.org/wiki/Wikimedia_Foundation/Product_and_Technology
[18:08:26] Honestly I’ve experienced that (re @wmtelegram_bot: Cookies)
[18:09:31] CentralAuth would probably utterly break eventually if SUL2 wasn't replaced with a more modern approach
[18:10:19] https://phabricator.wikimedia.org/T289607 notes lack of WMF staff for any captcha replacements, that was in 2021 and I can tell you that is probably still the case
[18:10:54] But Denny is in this team (re @wmtelegram_bot: I'd say you want to be talking to someone on https://meta.wikimedia.org/wiki/Wikimedia_Foundation/Product_and_Technolo...)
[18:11:06] He might have something to say
[18:11:10] there seems to be some activity in https://phabricator.wikimedia.org/project/profile/7292/ though
[18:12:07] He is
[18:12:09] 2021 wasn’t so long ago… (re @sjoerddebruin: https://phabricator.wikimedia.org/T289607 notes lack of WMF staff for any captcha replacements, that was in 2021 and I can tell ...)
[18:12:21] You might want to try him then
[18:12:22] I became active back then
[18:12:45] Sure, also have many many to talk to him privately (re @wmtelegram_bot: You might want to try him then)
[18:13:17] We’ve talked some technical stuff before
[18:13:34] Ok
[18:13:38] Go for it
[18:13:41] You can ask
[18:13:47] What about Daniel Kinzler? The name suddenly came to my mind (re @wmtelegram_bot: You might want to try him then)
[18:14:14] Naming different wmf staff isn't that helpful
[18:14:20] (Mostly related to WF) (re @cvictorovich: We’ve talked some technical stuff before)
[18:14:30] My advice is pick someone from Product & Tech's leadership
[18:15:00] I'm not a talking wmf org chart
[18:15:12] I'm not even sure the wmf has a proper org chart
[18:15:22] Its structure changes every 5 minutes
[18:16:11] I’m only mentioning the few staff I’ve interacted with before
[18:16:37] Cool
[18:16:40] Others, I don’t know either
[18:16:57] If you prefer someone you've spoken to before, go with that
[18:17:22] I think this would be a big decision that would require serious planning from seniors though if it was actually to happen
[18:17:24] They might not be helpful on this specific issue
[18:17:26] @cvictorovich I would be happy to discuss turnstile with you. WE4.2 in the annual plan is about improved anti abuse tools, and a sub point there is improved bot detection. Security team has been working with Trust and Safety Product on this.
[18:17:40] Sure. (re @kostajh: @cvictorovich I would be happy to discuss turnstile with you. WE4.2 in the annual plan is about improved anti abuse tools, and a...)
[18:17:43] Oh look, a wmf staffer appeared
[18:17:58] /waves
[18:17:59] I'm gonna leave you with kostajh who I know is nice and probably knows what he's talking about.
[18:18:19] * RhinosF1 goes back to television
[18:18:28] Au revoir ! (re @wmtelegram_bot: I'm gonna leave you with kostajh who I know is nice and probably knows what he's talking about.)
[18:19:44] @cvictorovich I could chat 1:1 this week via IRC or Discord/telegram or we can discuss on the phab task about Turnstile
[18:20:20] @kostajh If too many to talk about, feel free to direct message me.
[18:20:47] My direct message is open
[18:40:17] https://phabricator.wikimedia.org/T333770 (re @cvictorovich: Why WMF wikis didn’t implement turnstile as a captcha?)
[18:44:27] Talking with Kosta for now (re @nerim4n: https://phabricator.wikimedia.org/T333770)
[20:01:37] Would you mind sharing in a few keywords why? (Links to prior discussion or task would suffice). FYI, I'm principal engineer for the team implementing SUL3. (re @cvictorovich: He is going to implement SUL3, which I’m against)
[22:47:22] Encrypted afaik, right? So just providing IP transit? That’s quite different than actually handling user traffic. (re @wmtelegram_bot: (I know traffic does pass through Cloudflare sometimes now / has before using magic transit but that's network pass o...)
[22:51:10] Is Turnstile something that can run only in the cloud? If so, that would be a hard no from privacy point of view
[23:20:58] yes, any modern CAPTCHA requires running uncontrolled third-party javascript
[23:21:16] and sending some amount of user data to that third party
[23:37:14] My understanding is Turnstile would require the request to run through Cloudflare's cdn ye
[23:39:13] I do believe Wikimedia does or has used Magic Transit by Cloudflare to prevent DDoS attacks which is at the BGP / networking layer so ye all traffic would remain protected by TLS.
[23:39:43] I defer to someone who knows far more about how either of those products works though for any more complex answers
[23:55:23] no, like other CAPTCHA options Turnstile is just a JS blob