Introducing the new Mollom Java client library

I'm excited to announce the launch of the newest version of the Mollom Java client library. This latest version is a complete rewrite of the library with a modernized architecture, making it even easier to integrate with Mollom.

The library is open sourced under the MIT license. All usage documentation and source code are stored on https://github.com/Mollom/MollomJava. Pre-built JARs are also available on GitHub. For usage guides, please refer to the README.md within the library.
For the Maven users out there, we also host a public Maven repository that you can use to pull the client library:

<repositories>
  <repository>
    <id>mollom.com</id>
    <name>Mollom Maven Repository</name>
    <url>http://mvn.mollom.com/maven/</url>
  </repository>
</repositories>
<dependencies>
  <dependency>
    <groupId>com.mollom</groupId>
    <artifactId>client</artifactId>
    <version>2.1.0</version>
  </dependency>
</dependencies>

If you have any questions, comments or issues with the latest version of the Java client library, please let me know in the comments. Of course, being an open sourced project, also feel free to contribute back if there are any improvements that you would like to add.

Introducing new expected languages feature

I'm excited to announce the latest feature to further improve Mollom's ability to protect your sites from spam and unwanted content: Expected Languages.
As you may already know, Mollom has the ability to detect the language of all content for classification, with over 99% precision for over 53 languages. With the new Expected Languages feature, you can now specify the subset of languages that you expect on each of your sites. Mollom will penalize and filter out posts in all other languages, keeping your site cleaner, effortlessly.

To enable the feature, navigate to the "Site Manager" on mollom.com by clicking "Manage sites" from the top bar. From there, click "Edit site" for any site that you would like to enable the Expected Languages feature on. Under the Expected Languages section, you can choose any language you would like to accept on your site from the drop down of supported languages. You're also able to choose multiple languages if you have a multilingual site. Leaving this section empty will revert to the original default behavior of accepting all languages. Once you are done, click "Update site" and your changes will be immediately effective.

This feature has been in testing for the past few months and has proven extremely useful to our beta testers. We are now releasing this feature to the public for all of our customers to use. Please let us know what you think about this new feature in the comments.

Heartbleed update

You've probably heard of CVE-2014-0160, also known as "Heartbleed", a flaw in OpenSSL that could allow theft of data protected by SSL/TLS encryption.

After assessing the vulnerability and investigating our servers, we have concluded that the Mollom services were not affected. This includes mollom.com, rest.mollom.com, xmlrpc.mollom.com, dev.mollom.com and my.mollom.com. As a result, customers of Mollom are not required to change their passwords or API keys. However, if you reuse your Mollom password for other services (not recommended), we recommend changing it in case those other services were affected.

We are constantly looking for vulnerabilities like this, and encourage everyone to report any that we've missed so that we can fix them before they are exploited.

Big Accessibility Improvements for Mollom's CAPTCHAs on Drupal

As everyone who has been presented with a squiggly, impossible-to-read CAPTCHA test knows, solving CAPTCHA tests can be frustrating. For users with visual impairment, this frustration can be multiplied tenfold. In order to support these kinds of users, Mollom provides an audio version of our CAPTCHA, available by default for all Mollom installations that utilize the Drupal or WordPress modules.

However, there were some aspects of our audio CAPTCHAs that we’ve been wanting to improve. For example, users could not use keyboard navigation to tab into the audio player or control audio playback. Also, our instructions led some users to become confused and believe that they had to type in several words of text rather than just a few characters. Many of our problems were due to the usage of an old Flash player for audio that had been put in place to ensure consistent playback of MP3 audio files in the browsers of the day.

Along came HTML5 audio and eventually consistent support for MP3 playback natively. We still investigated a number of existing third party audio libraries, but in the end, decided to keep it simple! Each browser already implements its own audio controls natively. Taking advantage of this allows sites using Mollom to easily apply any existing HTML5 media solution or simply to benefit from browser accessibility enhancements. It also allows users playing the CAPTCHAs to take full advantage of existing accessibility tools that they already use for Internet browsing. We still use an improved Flash player fallback in cases where HTML5 MP3 playback is not supported, but now that player can be accessed and controlled with standard keyboard controls. For those users who still have difficulties, or prefer their own tools, we provide a direct link to the MP3 file for users to play in whatever player they choose.

We understand that despite our best efforts to use an internationalized approach to audio CAPTCHAs, our audio CAPTCHAs may not be appropriate for some non-English language sites. As a result, we have added a new configuration option within the Mollom settings advanced configuration section to disable audio CAPTCHAs altogether. For site owners who simply wish to change the presentation, we have moved the image and audio CAPTCHA displays into overridable Drupal theme templates.

Finally, we now provide a better explanation of how to use the NATO alphabet-based audio CAPTCHAs and ensure that the appropriate instructions are displayed in both image and audio CAPTCHA situations.

We’re happy to provide these updates that will make websites within the Mollom network more accessible and more compliant with modern web standards. Update your Drupal module to version 7.29 (or 6.27 for Drupal 6 sites) to take advantage of the new and improved CAPTCHA presentations. Your site visitors will thank you.

The Future of CAPTCHAs?

It was Halloween last week, and a company called Vicarious has indeed come up with something scary, for those of us who care about content quality: they announced that they’ve developed a tool that can solve 90% of all CAPTCHAs displayed by Google's reCAPTCHA service.

Why is this so scary? According to this academic paper, a good rule of thumb is to consider a CAPTCHA system to be broken if an automated attacker can reach a precision of 1%. Vicarious is claiming 90% precision. If their claims hold up, it means that reCAPTCHA has been broken pretty severely.

The good news: the team at Vicarious says they are not planning to release this technology into the wild.

The bad news: if Vicarious can do it today, the bad guys will also be able to do it soon.

If CAPTCHA-breaking technology like this became widely available, the results would be disastrous for the hundreds of thousands of websites that rely on a CAPTCHA system to fend off content spammers. Sites with user engagement components would be so overrun with spammy comments and fake registrations that they would likely have to resort to shutting off user engagement altogether, unless they came up with an alternate security system.

A New CAPTCHA?

Anti-CAPTCHA tech is advancing, but so are attempts to build better “are you really a human?” tests. A team at Carnegie Mellon is working on a new test they are calling a GOTCHA test, which asks users to describe patterns seen in inkblots.

It’s great to have technology like this in the queue, but it’s not ready for primetime yet, so what can sites do today to proactively protect themselves?

Text Analysis + CAPTCHA

If you’re familiar with how Mollom works, you know that CAPTCHA is part of the solution. So where does Mollom fit in a post-CAPTCHA world? CAPTCHA is just part of our approach to content quality, and in fact, it’s actually the backup plan.

Mollom’s primary tool in fighting bad content is sophisticated Text Analysis. Mollom’s Text Analysis utilizes Artificial Intelligence to classify each piece of content based on its quality, not on whether it was submitted by a human or a bot. 92.5% of the time, Mollom can do this without needing to show any CAPTCHA at all (which is nice for all the humans out there). It’s only when Mollom is unsure that it will trouble anyone with a CAPTCHA. Most users never have to bother with a CAPTCHA on sites protected by Mollom.

But what about that 7.5% of the time Mollom uses CAPTCHA? In a post-CAPTCHA world, Mollom would have to adopt new techniques. The Mollom team is always working to tune Mollom’s Text Analysis to block a larger percentage of bad content. But there will always be some uncertainty. For those cases, without CAPTCHA, Mollom could possibly implement effective (but burdensome) solutions like email or SMS user verification. These solutions generally lead to a much lower completion rate, and if you were relying on them all the time you’d probably see a big dip in usage on your site, but as a fallback option they may be workable.

Key Points

  • A new technology seems to have broken the Internet’s most prominent CAPTCHA solution
  • Sites that rely strictly on CAPTCHA are going to need to prepare for a post-CAPTCHA future
  • AI-based Text Analysis is one way to avoid the need for CAPTCHA altogether in many cases

Readers, do you think CAPTCHA in its present form will still be playing an important role three years from now? If not, what will replace it? We’d love to hear your thoughts.