Extension:QuestyCaptcha

QuestyCaptcha is a plugin for the ConfirmEdit extension. Instead of using a math problem (trivially defeated) or an image (see below), QuestyCaptcha makes users answer a question. The site owner adds questions (and their answers!) in LocalSettings.php, and the extension picks from them randomly.

Installation
The installation process largely mirrors that of ConfirmEdit.
 * Download the snapshot for your version and extract it
 * Create a folder in the extensions folder named ConfirmEdit
 * Upload the files to the extensions/ConfirmEdit/ folder
 * Edit LocalSettings.php in the root of your MediaWiki installation, and add the following lines near the bottom:
 * You can also configure ConfirmEdit's triggers and other options

Weaknesses
Image-based CAPTCHAs have a few vulnerabilities. Bots using optical character recognition can crack them, and the only defense is to make the images harder to read for humans and computers alike. OCR algorithms are constantly being improved, though, and computers will probably eventually be better at solving CAPTCHAs than humans. In the meantime, spammers can pay workers in developing countries to solve CAPTCHAs or trick ordinary Web users into solving them. Math-based CAPTCHAs are trivial for automated spambots to crack.

A question-based CAPTCHA isn't vulnerable to OCR. Humans can still be paid to solve them, but a question can be context-sensitive: if a question asks you which plant MediaWiki uses for its logo, the answer isn't going to be obvious unless you're on MW.org.

If your wiki contains controversial content or would otherwise tend to be a target of others' animosity, QuestyCaptcha might not be the best captcha for you, as vandals can simply solve all the captchas and load them into a vandalbot. QuestyCaptcha is not designed to fend off determined vandals.

On the other hand, because the database of questions used by any particular site is small, it is straightforward for a human to answer all questions for a given site and store the responses. Even attackers who target large numbers of sites need to perform only a small amount of manual work per site, and spammers can also scrape questions and answers from various websites to use in defeating CAPTCHAs. In this sense it is inferior to other CAPTCHAs that produce a unique puzzle for each user. As a practical matter, though, if you run a small and unpopular site, generally the spammers won't bother to crack your QuestyCaptcha.

When selecting your question, it's important to avoid cultural bias. For example, a popular TV show in the US is not likely to be familiar to editors from Brazil, and conversely an American is not likely to know who the prime minister of Australia is. Stick to questions that rely on universal knowledge or knowledge that pertains to the wiki's topic.

You may wish to collaborate with your wiki's users in coming up with questions and answers. If you do so on-wiki, you might afterward want to delete the page containing the questions and answers, or at least blank that portion of the page so that attackers can't find it by googling or using Special:Search on your wiki to find the questions. Note that Extension:ROT13 will protect against googlers but not against Special:Search, which searches the raw wikitext.

Question and Answer Setup
Answers are case-insensitive, and you can add multiple answers to one question by placing them in an array:
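
A LocalSettings.php fragment showing the question and answer format described above, including a multi-answer array and trigger settings. This is an added example, not the original page's listing. It assumes a MediaWiki release that loads ConfirmEdit plugins with wfLoadExtensions(); the questions, answers and trigger choices are constructed samples.

```php
// Append near the bottom of LocalSettings.php (the file already opens with <?php).
// Assumption: this release loads ConfirmEdit plugins via wfLoadExtensions().
// Older releases used require_once plus $wgCaptchaClass = 'QuestyCaptcha'; instead.
wfLoadExtensions( [ 'ConfirmEdit', 'ConfirmEdit/QuestyCaptcha' ] );

// Question => answer. Every entry below is a constructed sample; write your own.
$wgCaptchaQuestions = [
	// Single answer. Matching is case-insensitive, so "Sunflower" also passes.
	'Which plant does MediaWiki use for its logo?' => 'sunflower',

	// Several accepted answers for one question go in an array.
	'How many fingers are on one human hand?' => [ '5', 'five' ],

	// Context-sensitive question: the answer is only obvious to someone
	// who is actually looking at this wiki.
	'What is the name of this wiki?' => $wgSitename,
];

// ConfirmEdit triggers: which actions present the question.
// Sample policy: challenge account creation, failed logins and edits that
// add new external links, but leave ordinary edits alone.
$wgCaptchaTriggers['edit']          = false;
$wgCaptchaTriggers['create']        = false;
$wgCaptchaTriggers['addurl']        = true;
$wgCaptchaTriggers['createaccount'] = true;
$wgCaptchaTriggers['badlogin']      = true;
```

Because the answers live only in LocalSettings.php, they stay out of reach of Special:Search as long as they are not also copied onto a wiki page.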

TODO

 * Add a special page for viewing, adding, editing, and removing questions
 * Stats on how many people succeeded or failed for each question and what their guesses were
 * Allow the questions to parse wikitext (e.g. bold text)

External link

 * Thingles, Stopping MediaWiki Spam with Dynamic Questy Captchas.