[HN Gopher] POW Captcha: a lightweight, self-hosted proof-of-work captcha

POW Captcha: a lightweight, self-hosted proof-of-work captcha
Author : wchar_t
Score  : 44 points
Date   : 2021-09-10 21:09 UTC
Link   : git.sequentialread.com

wackget wrote:
  So now instead of annoying users with image or audio challenges, websites can annoy users by running up their electricity bills (CPU work ain't cheap) and/or denying them access if they [selectively] disable JavaScript and/or block web workers in their browser.

  AlexAndScripts wrote:
    I actually much prefer this. It's only a small amount of CPU, negligible to your electricity bill, but it doesn't involve clicking every traffic light.

    EGreg wrote:
      This is practically useless, since desktop computers doing some work can be easily eclipsed by specialized hardware doing it for spammers and sybil attackers.

  itake wrote:
    I'd be curious how well this performs on an older mobile device vs a new CPU.

    Seems like this might exclude users with lower-end electronics that might be low-income.

  sneak wrote:
    It fails to be an automated test to tell computers and humans apart, as computers are more than capable of solving proofs of work without human intervention.

    jacoblambda wrote:
      This is true but so are the existing captchas. Existing captchas are just harvesting training data for Google's self driving vehicles at this point.

      With a PoW captcha, it doesn't matter how smart you make your algorithm, it's still going to be slow. With existing systems I'd argue it's probably a lot slower for people than for machines, especially since it's people guessing what a machine thinks people would classify an image as.

      This is an easy solution for rate limiting low trust/high risk connections and better software isn't going to magically make it any faster. This has always been what captchas aim to accomplish.

haliskerbas wrote:
  For someone that's tried to identify trains on Craigslist for 11 failed times in a row, this might be useful to me.

  Turns out when you zoom a picture in far enough, large bus windows, train windows, and building windows all look very similar.

xur17 wrote:
  I wish I could be given the option to just pay instead of solving a captcha. At the end of the day that's what bots end up doing (pay a human to solve the captcha for them), so why not just cut out the middleman, and let me pay the website.

  danillonunes wrote:
    Payment forms need captchas too, otherwise they'll get millions of transactions from card testers making the costs unsustainable.

    xur17 wrote:
      Cryptocurrencies would be a good solve for this. Specifically, a layer 2 network on top of a cryptocurrency like Bitcoin's lightning network or payment channels on Ethereum, both of which allow for subcent transactions with subcent fees.

      There are obviously UX challenges to making it easy to acquire the crypto, but I could imagine this starting as an optional alternative to captchas.

      mrkramer wrote:
        > which allow for subcent transactions with subcent fees.

        Yea micropayments were Satoshi's vision. For example you could pay like 1/100 of a cent to unlock and bypass a captcha puzzle.

geon wrote:
  And draining your phone battery.

spijdar wrote:
  I think it's the lesser evil in terms of privacy and self-hosting if you need anti-spam protection for something. In today's world spam/bot protection is becoming more and more necessary, and even with JavaScript this is less intrusive than a service from Google or Cloudflare or something.

  Suboptimal and an inefficient use of resources, yes, but possibly the only way to combat bots without privacy-intrusive services. I'm open to hearing alternative ideas, though!

zxcvbn4038 wrote:
  I'm not sure what the point really is, they pay pennies to people in Bali to sit around and solve these. Anyone who really wants to get in is going to get in. At best it keeps honest people honest.

  Check out this guy on YouTube, he can pretty much open any lock in thirty seconds without causing any physical damage, will change your whole perspective on security.

  https://youtube.com/c/lockpickinglawyer

  It's better to plan for people getting in than depend on preventing it.

Seattle3503 wrote:
  PoW should probably be built into the browser as a standard at some point if it is going to be in widespread use. If a website is trying to stop bots, the bots are at an advantage if they can compute the PoW using optimized C while legitimate customers are computing it in JavaScript.

eurasiantiger wrote:
  I can see how this could pay for scalable hosting of several popular websites.

maxk42 wrote:
  I like this - the hash function is memory-based rather than CPU-based so it's easier on your CPU while being more costly for attackers to spoof en masse.

  Good thinking!

thinkmassive wrote:
  I would prefer to see 2 options in browsers:

  1. LSAT[1] support for micropayments (recently mentioned on HN[2])

  2. RandomX[3], mining XMR for the site owner

  Both provide something useful, replacing advertising and/or subscriptions for the site owner, rather than solely wasting energy. Let's eliminate captchas and advertising together.

  [1]: https://lsat.tech/
  [2]: https://news.ycombinator.com/item?id=28459713
  [3]: https://xmrig.com/docs/miner

  wyager wrote:
    LSAT looks really cool! Hopefully it can significantly displace ads as a revenue source. I'm happy to pay 1 cent to read a recommended blog post or something, and I'm not the sort of person who would pay for an online news outlet subscription.

    Any mining-based payment will inherently be worse and less efficient than a money-based payment, especially for mobile.

  xur17 wrote:
    I would love to have the option of 1 instead of solving a captcha. Charge me 0.1 - 10 cents worth of bitcoin depending on the action, and I'd happily pay.

tyingq wrote:
  The end user experience isn't too terrible, a big improvement over other captchas I've had to use. Though I imagine it might get frustrating for things like logging in, where you might get your password wrong and have to start over. Or maybe it supports caching the idea that you've already proved yourself?

  edoceo wrote:
    I usually handle remembering that they've solved a captcha outside of the captcha solution itself - eg: session state, cookie, etc.

tyingq wrote:
  It mentions on the widget itself that it's accessible. That makes sense at a high level, since it doesn't require interaction.

  But I'm curious if it might need more work in the 'accessible' area. Like, for example, is the progress bar percentage-done exposed in an accessible way? I don't see anything obvious here: https://git.sequentialread.com/forest/pow-captcha/src/branch... , seems like it just changes width via css styling, but I could be missing it. I'm not sure it presents an easily understandable reason why the submit button is disabled, that you need to wait, etc, either.

woadwarrior01 wrote:
  Reminds me of Adam Back's hashcash[1], which was originally devised for similar purposes and was cited in Satoshi's Bitcoin paper[2]. Bitcoin's PoW scheme is a slightly embellished version of hashcash. I wish this work cited it too.

  [1]: http://www.hashcash.org/papers/hashcash.pdf

  [2]: https://bitcoin.org/bitcoin.pdf

sneak wrote:
  The issue with browser based PoW is that browsers are still fairly slow execution environments.

  Any waiting period for calculation that won't annoy users is not long enough for an attacker to not still be able to spam, given that they will be solving them 2-100x faster with an optimized native implementation vs in a browser.

  It also doesn't work as a Turing test, because by their nature computers are good at batch solving proofs of work.

  I once started an anonymous email service with browser-based PoW for antispam. It didn't work.

  You'd need users to do like, several hours of in-browser PoW to make it viable as an anti-abuse measure. Anything less means a bot farm is posting spam dozens of times per hour.

  Frictionless micropayments are still a pipe dream today, as any useful technology available to do so has basically been outlawed in the USA without a multimillion dollar license, and a KYC department, etc. It's a real shame because we have all of the technology for cash-based anti-abuse bonds and the like. It's just illegal to deploy it unless you go full MSB.

  faeyanpiraat wrote:
    Msb?

d--b wrote:
  I don't get this. People can still create 1000s of fake users on my website just by using CPU time?

  jchw wrote:
    It puts a price on doing so, a price which you could increase based on demand.

  spijdar wrote:
    It's effectively a rate limiter, where before the Bad Person/People could make 10,000 users per unit of time, now they may only make 100 users. It won't fix the problem entirely, but it's better than nothing.

    d--b wrote:
      But people can still run several sessions of this.

      So if I have 100 cores available, I can run 100 sessions in parallel.

      spijdar wrote:
        Right, but they still will be slower than if there was no protection at all. 100 slower cores vs 100 cores churning out requests ASAP.

        For a determined or resourceful attacker, this alone won't be good enough defense, but I can see it being a layer of defense in depth.
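The rate-limiting argument in the d--b/spijdar exchange (and jchw's "a price you could increase based on demand") is easiest to see in a minimal hashcash-style scheme. The following is an added illustration, not code from pow-captcha (which, per maxk42's comment, uses a memory-hard hash rather than the plain SHA-256 assumed here): the server issues a single-use nonce with a difficulty in bits, the client brute-forces a counter, and the server verifies in one hash. Each extra bit doubles the expected client work, while verification cost stays constant; the `PowVerifier` class and its expiry/replay handling are my own assumptions about what a server should do.

```python
import hashlib
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the hashcash difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_hash(nonce: str, counter: int) -> bytes:
    """Hash the server nonce together with the client's counter."""
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


def solve(nonce: str, bits: int, max_iters: int = 1 << 24) -> int:
    """Client side: find a counter whose hash has at least `bits` leading zeros.

    Expected work is about 2**bits hashes, so raising `bits` by one doubles
    the cost of every submission; that is the whole rate-limiting effect.
    """
    for counter in range(max_iters):
        if leading_zero_bits(pow_hash(nonce, counter)) >= bits:
            return counter
    raise RuntimeError("no solution within max_iters")


class PowVerifier:
    """Server side: issue single-use challenges and verify solutions (assumed design)."""

    def __init__(self, bits: int, ttl_seconds: int = 300):
        self.bits = bits            # can be raised under load (jchw's point)
        self.ttl = ttl_seconds      # challenge lifetime
        self.outstanding = {}       # nonce -> issue time

    def issue(self) -> dict:
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = time.time()
        return {"nonce": nonce, "bits": self.bits}

    def verify(self, nonce: str, counter: int) -> bool:
        # Pop on first use so a solved challenge cannot be replayed.
        issued = self.outstanding.pop(nonce, None)
        if issued is None or time.time() - issued > self.ttl:
            return False
        return leading_zero_bits(pow_hash(nonce, counter)) >= self.bits


if __name__ == "__main__":
    v = PowVerifier(bits=16)
    ch = v.issue()
    start = time.time()
    c = solve(ch["nonce"], ch["bits"])
    print(f"solved after {c + 1} hashes in {time.time() - start:.2f}s; "
          f"accepted={v.verify(ch['nonce'], c)}; replay={v.verify(ch['nonce'], c)}")
```

Running the `__main__` block at 16 bits takes well under a second in CPython; a native solver would be faster still, which is exactly sneak's objection, so the scheme bounds attacker throughput rather than blocking it.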
roywiggins wrote:
  Maybe not technically a CAPTCHA if it can't "Tell Computers and Humans Apart".