[HN Gopher] POW Captcha: a lightweight, self-hosted proof-of-wor...
___________________________________________________________________
POW Captcha: a lightweight, self-hosted proof-of-work captcha
Author : wchar_t
Score : 44 points
Date : 2021-09-10 21:09 UTC (1 hours ago)
(HTM) web link (git.sequentialread.com)
(TXT) w3m dump (git.sequentialread.com)
| wackget wrote:
| So now instead of annoying users with image or audio challenges,
| websites can annoy users by running up their electricity bills
| (CPU work aint cheap) and/or denying them access if they
| [selectively] disable JavaScript and/or block web workers in
| their browser.
| AlexAndScripts wrote:
| I actually much prefer this. Its only a small amount of CPU,
| negligible to your electricity bill, but it doesn't involve
| clicking every traffic light.
| EGreg wrote:
| This is practically useless, since desktop computers doing
| some work can be easily eclipsed by a specialized hardware
| doing it for spammers and sybil attackers.
| itake wrote:
| I'd be curious how well this performs on an older mobile
| device vs new CPU.
|
| Seems like this might exclude users lower-end electronics
| that might be low-income.
| sneak wrote:
| It fails to be an automated test to tell computers and humans
| apart, as computers are more than capable of solving proofs
| of work without human intervention.
| jacoblambda wrote:
| This is true but so are the existing captchas. Existing
| captchas are just harvesting training data for Google's
| self driving vehicles at this point.
|
| With a PoW captcha, it doesn't matter how smart you make
| your algorithm, it's still going to be slow. With existing
| systems I'd argue it's probably a lot slower for people
| than for machines, especially since it's people guessing
| what a machine thinks people would classify an image as.
|
| This is an easy solution for rate limiting low trust/high
| risk connections and better software isn't going to
| magically make it any faster. This has always been what
| captchas aim to accomplish.
| haliskerbas wrote:
| For someone that's tried to identify trains on Craigslist for
| 11 failed times in a row, this might be useful to me.
|
| Turns out when you zoom a picture in far enough, large bus
| windows, train windows, and building windows all look very
| similar.
| xur17 wrote:
| I wish I could be given the option to just pay instead of
| solving a captcha. At the end of the day that's what bots end
| up doing (pay a human to solve the captcha for them), so why
| not just cut out the middleman, and let me pay the website.
| danillonunes wrote:
| Payment forms need captchas too, otherwise they'll get
| millions of transactions from card testers making the costs
| unsustainable.
| xur17 wrote:
| Cryptocurrencies would be a good solve for this.
| Specifically, a layer 2 network on top of a
| cryptocurrency like Bitcoin's lightning network or
| payment channels on Ethereum, both of which allow for
| subcent transactions with subcent fees.
|
| There are obviously UX challenges to making it easy to
| acquire the crypto, but I could imagine this starting as
| an optional alternative to captchas.
| mrkramer wrote:
| >which allow for subcent transactions with subcent fees.
|
| Yea micropayments were Satoshi's vision. For example you
| could pay like 1/100 of a cent to unlock and bypass
| captcha puzzle.
| geon wrote:
| And draining your phone battery.
| spijdar wrote:
| I think it's the lesser evil in terms of privacy and self-
| hosting if you need anti-spam protection for something. In
| today's world spam/not protection is becoming more and more
| necessary, and even with JavaScript this is less intrusive than
| a service from Google or Cloudflare or something.
|
| Suboptimal and an inefficient use of resources, yes, but
| possibly the only way to combat bots without privacy intrusive
| services. I'm open to hearing alternative ideas, though!
| zxcvbn4038 wrote:
| I'm not sure what the point really is, they pay pennies to
| people in Bali to sit around and solve these. Anyone who really
| wants to get in is going to get in. At best it keeps honest
| people honest.
|
| Check out this guy on YouTube, he can pretty much open any lock
| in thirty seconds without causing any physical damage, will
| change your whole perspective on security.
|
| https://youtube.com/c/lockpickinglawyer
|
| It's better to plan for people getting in then depend on
| preventing it.
| Seattle3503 wrote:
| PoW should probably be built in to the browser as a standard at
| some point if it is going to be in widespread use. If a website
| is trying to stop bots, the bots are at an advantage if they
| can compute the PoW using optimized C while legitimate
| customers are computing it in Javascript.
| eurasiantiger wrote:
| I can see how this could pay for scalable hosting of several
| popular websites.
| maxk42 wrote:
| I like this - the hash function is memory-based rather than CPU-
| based so it's easier on your CPU while being more costly for
| attackers to spoof en masse.
|
| Good thinking!
| thinkmassive wrote:
| I would prefer to see 2 options in browsers:
|
| 1. LSAT[1] support for micropayments (recently mentioned on
| HN[2])
|
| 2. RandomX[3], mining XMR for the site owner
|
| Both provide something useful, replacing advertising and/or
| subscriptions for the site owner, rather than solely wasting
| energy. Let's eliminate captchas and advertising together.
|
| [1]: https://lsat.tech/ [2]:
| https://news.ycombinator.com/item?id=28459713 [3]:
| https://xmrig.com/docs/miner
| wyager wrote:
| LSAT looks really cool! Hopefully it can significantly displace
| ads as a revenue source. I'm happy to pay 1 cent to read a
| recommended blog post or something, and I'm not the sort of
| person who would pay for an online news outlet subscription.
|
| Any mining-based payment will inherently be worse and less
| efficient than a money-based payment, especially for mobile.
| xur17 wrote:
| I would love to have the option of 1 instead of solving a
| captcha. Charge me 0.1 - 10 cents worth of bitcoin depending on
| the action, and I'd happily pay.
| tyingq wrote:
| The end user experience isn't too terrible, big improvement over
| other captcha's I've had to use. Though I imagine it might get
| frustrating for things like logging in, where you might get your
| password wrong and have to start over. Or maybe it supports
| caching the idea that you've already proved yourself?
| edoceo wrote:
| I usually solve the remember they've solved a captcha outside
| of the captcha solution itself - eg: session state, cookie,
| etc.
| tyingq wrote:
| It mentions on the widget itself that it's accessible. That makes
| sense at a high level, since it doesn't require interaction.
|
| But I'm curious if it might need more work in the 'accessible'
| area. Like, for example, is the progress bar percentage-done
| exposed in an accessible way? I don't see anything obvious here:
| https://git.sequentialread.com/forest/pow-captcha/src/branch... ,
| seems like it just changes width via css styling, but I could be
| missing it. I'm not sure it presents an easily understandable
| reason why the submit button is disabled, that you need to wait,
| etc, either.
| woadwarrior01 wrote:
| Reminds me of Adam Back's hashcash[1], which was originally
| devised for similar purposes and was cited in Satoshi's Bitcoin
| paper[2]. Bitcoin's PoW scheme is a sightly embellished version
| of hashcash. I wish this work cited it too.
|
| [1]: http://www.hashcash.org/papers/hashcash.pdf
|
| [2]: https://bitcoin.org/bitcoin.pdf
| sneak wrote:
| The issue with browser based PoW is that browsers are still
| fairly slow execution environments.
|
| Any waiting period for calculation that won't annoy users is not
| long enough for an attacker to not still be able to spam, given
| that they will be solving them 2-100x faster with an optimized
| native implementation vs in a browser.
|
| It also doesn't work as a turing test, because by their nature
| computers are good at batch solving proofs of work.
|
| I once started an anonymous email service with browser-based PoW
| for antispam. It didn't work.
|
| You'd need users to do like, several hours of in-browser PoW to
| make it viable as an anti-abuse measure. Anything less means a
| bot farm is posting spam dozens of times per hour.
|
| Frictionless micropayments are still a pipe dream today, as any
| useful technology available to do so has basically been outlawed
| in the USA without a multimillion dollar license, and a KYC
| department, et c. It's a real shame because we have all of the
| technology for cash-based anti-abuse bonds and the like. It's
| just illegal to deploy it unless you go full MSB.
| faeyanpiraat wrote:
| Msb?
| d--b wrote:
| I don't get this. People can still create 1000s of fake users on
| my website just by using CPU time?
| jchw wrote:
| It puts a price on doing so, a price which you could increase
| based on demand.
| spijdar wrote:
| It's effectively a rate limiter, where before the Bad
| Person/People could make 10,000 users per unit of time before,
| now they may only make 100 users. It won't fix the problem
| entirely, but it's better than nothing.
| d--b wrote:
| But people can still run several sessions of this.
|
| So if I have 100 cores available, I can run 100 sessions in
| parallel.
| spijdar wrote:
| Right, but they still will be slower than if there was no
| protection at all. 100 slower cores vs 100 cores churning
| out requests ASAP.
|
| For a determined or resourceful attacker, this alone won't
| be good enough defense, but I can see it being a layer of
| defense in depth.
| roywiggins wrote:
| Maybe not technically a CAPTCHA if it can't "Tell Computers and
| Humans Apart".
___________________________________________________________________
(page generated 2021-09-10 23:00 UTC)