Cap: Lightweight, modern open-source CAPTCHA alternative using proof-of-work

143 tiagorangel 110 5/30/2025, 4:36:10 PM capjs.js.org

Comments (110)

nicwolff · 19h ago
Did no-one click through to the technical white paper?

https://www.researchgate.net/publication/374638786_Proof-of-...

"Proof-of-Work CAPTCHA with password cracking functionality"

The "work" is "to use the distributed power of webusers’ computers" to "obtain suspects’ passwords in order to access encrypted evidence" and "support law enforcement activities".

Funny how that isn't mentioned anywhere in the linked site.

mcpar-land · 18h ago
> Normally, it is undesirable for users’ passwords to be cracked. However, in the case of law enforcement, we often need to obtain suspects’ passwords in order to access encrypted evidence. The obvious solution is to build powerful (and expensive) dictionary cryptanalysis computers. A less obvious approach is to use the distributed power of web users’ computers, as has been done in the Seti@Home (https://setiathome.berkeley.edu/ — suspended project) or Folding@Home projects (https://foldingathome.org/). The proposed approach can therefore support law enforcement activities while providing the desired functionality to the web community

"You're not allowed to visit this website unless you submit your computer to being part of the fed's password cracking botnet" that's a whole fresh hell. A better use case is right there in their own description! I'd love my captchas to be little Folding@Home problems.

p0w3n3d · 8m ago
2030: to enter the site you must allow us to mine few ethereal on your pc...
tiagorangel · 1h ago
btw no, cap does not contribute to any "fed botnet". you can build the WASM binaries yourself and compare the hashes. added a clarification about that to the docs.
GoblinSlayer · 4h ago
Bitcoin network used to bruteforce 85 bits per year, which is slightly bigger than the capacity of [a-z0-9]{16}
downrightmike · 18h ago
That is shady as hell. Welp this is dead on the vine
ronsor · 18h ago
Can't we just submit bogus hashes?
ethersteeds · 5h ago
Generally that is countered by asking for a mix of known and unknown solutions; your accuracy on the unknown is assessed through your accuracy on the known.
VladVladikoff · 2h ago
Is it possible to do some other sort of cryptographic trick than simply seeding the mix with knowns and unknowns? Some sort of sum of many answers combined? Maybe it isn’t possible in this use case though (brute forcing passwords). For example, is crypto PoW really just doing a mix of knowns and unknowns, or is there more cryptographic magic to it than that?
GoblinSlayer · 5h ago
But there are only a few suspect passwords, you can just know all of them, and thus reliably differentiate.
tiagorangel · 1h ago
Cap does not send any of the calculated hashes ANYWHERE, the white paper just details a bit how proof-of-work works and I thought that it would be interesting to share.
tiagorangel · 1h ago
added a note saying that to the docs, should hopefully clarify stuff a bit!
bogwog · 5m ago
In case you weren't aware, a blue hat is typically associated with law enforcement in the US. On its own it'd be no problem, but the logo, the paper, and the comment above correctly pointing out concerns/lack of acknowledgement on your site (until now) really comes off as suspicious.

FWIW, I do believe you just made a few unintentional awkward choices instead of being malicious... But a product associated with something like this is a hard sell.

SparkyMcUnicorn · 18h ago
Definitely concerning, although I'm having trouble finding anything in the codebase to support this.

This paper even seems to contradict aspects of the project's no tracking stance. If someone told me this paper was for a different (but similar) project, I'd believe it after looking at the two side by side.

Would definitely want this to be addressed before I'd consider using it.

prophesi · 17h ago
There are two binaries committed to the repo (cap_wasm_bg.wasm) but from what I can tell, it doesn't seem to be making any network calls or what have you. They still should get rid of them and add a Rust build step for their browser/node packages.
HumanOstrich · 11h ago
Can you elaborate on why you would want this? You can run their build script[1] if you're trying to compare outputs and behavior.

[1]: https://github.com/tiagorangel1/cap/blob/main/wasm/build.js

tiagorangel · 1h ago
you can compare the hashes of the wasm lmao the build script is very much public
hathawsh · 18h ago
Interesting discovery. This research sounds creepy and ill-advised, but my intuition suggests to me this is an innocent attempt to do something useful rather than waste energy on a PoW algorithm. My intuition also tells me that if this project became popular enough, attackers would break the algorithm fairly easily and the project would just revert to a more conventional PoW algorithm that doesn't try to be smart.
powgpu · 7h ago
Wasn't there a crypto that uses GPUs to solve LLM computation as PoW? Wouldn't that be a better approach?
Cyphase · 13h ago
I think there's a good chance they just linked to the paper for technical background, unrelated to the paper's mention of law enforcement usage. The website mentions self-hosted, no third-party requests, etc. Unless they're flat-out lying.
tiagorangel · 1h ago
Yes, the code is open-source for you to check
internetter · 20h ago
> @cap.js/solver is a standalone library that can be used to solve Cap challenges from the server. Doesn't this defeat the purpose of Cap? Not really. Server-side solving is a core use case of proof-of-work CAPTCHAs like Cap or altcha. It's about proving effort, not necessarily involving a human.

I like this. Allows for reasonable bots like IA without the mindless wasteful AI scrapers.

landl0rd · 17h ago
Isn't IA's architecture pretty strained already without this?
areyourllySorry · 7h ago
for manual saves, it might be able to offload the challenge to the saver's computer (but that means adding explicit support for this particular library, which might or might not happen...)
aiiotnoodle · 19h ago
Sorry what is IA?
underyx · 19h ago
Internet Archive
satellite2 · 15h ago
It's just going to make low-battery devices with consumer-grade compute drain faster, while bot farms with access to ASICs will have a negligible increase in cost. This approach is going to have all the same problems distributing work democratically as cryptocurrencies had. And as far as I know crypto didn't solve this.
coppsilgold · 14h ago
SHA-256 PoW will probably work until it doesn't (if bots choose to invest in ASICs, or services that offer this pop up). Also users may be at a disadvantage as JS crypto would not be optimized for PoW (for example, lack of parallel crypto capabilities or context switching between calls).

One advantage a PoW "CAPTCHA" system holds is that the service operator can change the algorithm whenever they want. This may make an ASIC approach too risky to bother with. The JS<>ASM crypto bridge would nevertheless require some optimization from the browser developers.

Some cryptocurrencies which aim for ASIC resistance create PoW algorithms that would require re-implementation of a significant fraction of the CPU die to be a viable ASIC attack vector. An example of that would be randomx[1]. Using it for in-browser PoW would require native support as it will not be competitive against the bots with just a JS or WASM implementation. A modification would need to be made to not be abused for crypto mining. This will also link the cost of the PoW solution to the opportunity cost of mining the respective cryptocurrency, which is well understood.

[1] <https://github.com/tevador/RandomX>

tiagorangel · 1h ago
> Also users may be at a disadvantage as JS crypto would not be optimized for PoW (for example lack parallel crypto capabilities or context switching between calls).

JS crypto is only used as a fallback, Rust WASM is used for solving.

marinmania · 20h ago
I was wondering if more sites will start to drift to a system where they require you to be logged in to an account attached to a SIM card in some ways.

I feel like accounts that require phone verification are already similar in that they require a some cost to access. It obviously wouldn't stop a large corporation from buying up thousands of numbers if they needed it for a specific purpose, but it would be prohibitively expensive for most to try this.

The benefit of the SIM system is it actually costs zero for people since they already have a cell phone.

theamk · 19h ago
Such a site had better provide some unique service no one else can.

There is no way I am sharing my phone number with random sites unless I absolutely have to, I get enough spam & scam already, and tracking potential is enormous.

jeroenhd · 18h ago
> a SIM card

That's basically what remote attestation is. But it's using TPMs (or similar) rather than SIM cards. The TPM has a key signed by the manufacturer, and that key can be used to sign tokens to prove that you possess a physical TPM and have it in a mode that provides access to that key.

The problem with either is that the system doesn't work if you can get access to the keys behind the system. That means banning everyone who uses a vulnerable model of SIM card/TPM implementation. SIMs are cheaper to replace, but you'd have to replace millions of them every time someone manages to voltage glitch a SIM card.

If you own an iPhone or Macbook, you have access to a browser that already does this: https://developer.apple.com/news/?id=huqjyh7k

hardwaresofton · 13h ago
No need for the SIM, just being logged in to something will probably be enough to stop most crawlers.

Then, if someone is logged in, you can throw TOS their way, and make it a legal problem.

landl0rd · 17h ago
Phone number is also good because you can be reasonably sure as to whether it's voip or not. It is literally the one non-awful solution to the sybil problem we have discovered (the awful ones being things like gov id).
subscribed · 4h ago
Thank you, I hate it.

There's no way in hell I'm going to create an account on every site I want to read, and I'm absolutely not submitting my number for the eternal, unrelenting spam.

I have enough crap from the legitimate companies selling/leaking my number, to now deal with _that_.

nailer · 19h ago
> I was wondering if more sites will start to drift to a system where they require you to be logged in to an account attached to a SIM card in some ways.

I hope we move away from SIM cards - they'll require SIM based auth checks and low paid staff at cell phone companies will happily give away my SIM card to another phone to get a kickback from robbing people.

downrightmike · 18h ago
Yes because having an account gets around adblockers, anti tracking, age verification and section 230 removal issues. ToS is already weaponized.
mgrandl · 21h ago
What does proof-of-work mean here and what makes it easy for humans and hard for bots?
stephantul · 20h ago
Think of crawlers: a crawler typically makes hundreds or thousands of requests per second. The owners of the crawler then sell this data for X$, or gain X$ profit.

Proof of work adds a very small cost to each individual request, increasing the cost of crawling to a number higher than X. Because actual humans make very few requests, we don’t notice the increase in cost.

timtom123 · 20h ago
This exactly, having ran very large scraping operations, it only takes a slight increase in cost to make it unprofitable for many use cases.
SV_BubbleTime · 18h ago
Right, scale is solved… but not at all targeted “attacks”.

If some site uses this and I only want that site as an attacker or as a personal scraper or etc, this is keenly ineffective at proving human vs bot.

hombre_fatal · 20h ago
When you use a captcha, you presumably want to defeat someone curling your CreatePost endpoint, not just make it more annoying to do it at only botnet scale.

This captcha still lets all traffic through. Except now you waste the battery of honest users.

Even HN proponents of the idea don't use it on their own sites.

krior · 20h ago
I'd rather see something like anubis than some unsolvable captcha. I never understood the battery argument; I reckon my screen uses more energy during PoW solving than it takes my phone to solve these PoWs.
hombre_fatal · 19h ago
> I'd rather see something like anubis than some unsolvable captcha.

So would bad actors. Which is why everyone uses normal captchas and not mere PoW.

PoW is the easiest captcha to beat.

Tijdreiziger · 19h ago
[citation needed]
hombre_fatal · 19h ago
For which part?

Every time a new submission is created on HN, you have a curl script that posts a comment on it shilling your product. (According to the /newest tab there seems to be one submission every few minutes.)

What's harder for you to automate: the comment always posts successfully after 500ms, or you get a Cloudflare Turnstile captcha every time?

yodon · 18h ago
PoW is for a completely different threat model than CAPTCHA. If you're trying to decide which is better, you're doing it wrong.
Tadpole9181 · 1h ago
The title of the submission, the project README, and the project homepage repeats:

> CAPTCHA alternative

skydhash · 20h ago
It's equally easy for both. But people using browsers only do it a few times, while bots need to do it many times. A second for a human every X pages is not much, but it's a death-knell for the general practice of bots (and they can't store the cookies because you can rate-limit them that way).

Imagine scraping thousands of pages, but with an X>1 second wait for each. There wouldn't be a need to use such a solution if crawlers were rate-limiting themselves, but they don't.

GoblinSlayer · 3h ago
So if you rate limited to one request per second, then use 100 cookies to make 100 requests per second, 1 request per second per cookie.
reaperducer · 20h ago
So is the solution to stymying bots to just add a page load delay of a second or two? Enough that people won't care, but it doesn't scale for bots?
jsheard · 20h ago
Just adding a delay wouldn't achieve anything because bots can just do something else while they wait, whereas PoW requires them to actively spend their finite resources before they can continue doing whatever they want to do.
pixl97 · 20h ago
I think it's only more expensive for bots, though just as easy for bots.

The problem with bots is they quite often farm this out to stolen resources. It makes sending whatever they are sending slower, but doesn't stop it.

prisenco · 20h ago
It will make server hijacking more noticeable and harder to hide.
jbellis · 18h ago
ahh, that makes sense, thanks

I do think that calling this a CAPTCHA when it's not actually intended to distinguish humans from computers is a bit misleading, but I can see why you would do that

__natty__ · 19h ago
I like the simplicity of this project. I created my own open-source, no tracking captcha using both proof-of-work and image puzzle challenges 4 years ago as a side project for my studies and my former employer's internal hackathon [0].

At the time, it was an idea based on spam prevention active systems. However, for the browser, there are many issues with such solutions—if you can solve it, then bots can too. It slows them down a little, but that's about it.

[0] https://github.com/pilotpirxie/devcaptcha

robbles · 21h ago
This is a neat idea.

I don't know enough about the underlying proof-of-work stuff to comment on how effective this could be, but I think it's pretty funny that the UI examples say "I'm a human".

I guess "there's only a few of me at most" or "I could allocate enough computation to this that I'm probably not up to no good" don't read as clearly.

Y_Y · 19h ago
Cap is a very bad product name, no cap.
Tijdreiziger · 19h ago
I think it’s great. It tries to catch bots, which are capping that they’re human. :)
tiagorangel · 19h ago
too late to change now :)

also i like how it's a reference to both CAPtcha and "no cap"

qqqult · 19h ago
frfr?
aurumque · 20h ago
Why not make this contribute to something greater, like scientific grid computing, or a charitable bitcoin donation? Instead we're just burning a few watts to slow down crawlers.
jonas21 · 20h ago
Because the overhead of orchestrating and distributing the problem would be much larger than the amount of work you can do in 1 second?
idiotsecant · 20h ago
Do you have an example of scientific grid computing that is expensive to compute but cheap to verify? Those are the properties this needs.
internetter · 20h ago
I like the citizen science idea, the bitcoin one is so shitty. There was an epidemic of websites covertly mining in browsers a while back and this is a dangerous road to go down.
woah · 19h ago
The entire purpose of this library is to covertly mine in browsers
internetter · 19h ago
Only for the protection of the service. With a financial incentive all of the sudden it’s deployed unnecessarily to every static site in existence, just like ads all those years ago. And the enshittification continues.
tiagorangel · 19h ago
no, it's not mining crypto.
darknoon · 19h ago
If you were doing a lot of scraping, you could just solve this on a GPU in 1/10 or less of the time it takes a human's phone to do it. Generally you need a decent computer to render a webpage while scraping it these days, so I don't see what this is solving.
tiagorangel · 19h ago
scrapers usually don't render a webpage, else their scraping wouldn't be efficient at all.
hathawsh · 18h ago
Is that still true? There are so many SPAs out there now that if I were to create a web spider today, I would plan to just render a lot of the pages in a browser rather than fight the status quo. Efficiency wouldn't be my top concern.
boredhacker3 · 2h ago
That’s bullshit
dogman123 · 20h ago
can someone ELI5 how these proof-of-work captchas work under the hood to detect whether i'm a bot or not?
arp242 · 20h ago
They don't detect if you're a bot or not; it just makes it more expensive, the idea being that doing $action 10,000 (or more) times becomes much more costly for the attacker, preferably to the point where doing $action (posting spam, creating accounts, etc.) is no longer profitable. It's probably more useful to see it as a ratelimiter than a bot detection mechanism.
Tadpole9181 · 1h ago
Until, of course, the attackers reprogram their FPGAs and can solve challenges 10,000 times faster than a legitimate user. And since you can't request a user to have their phone toast itself at 100% load for 10 seconds, the attackers can solve it in micro/milliseconds for a sip of power.

Actually, this just uses SHA-256 hashing, which already has specialized CPU instructions (that browser WASM can't use) and ASICs.

I can't see how this isn't DOA?

prisenco · 20h ago
They don't detect if you're a human exactly. What they do is they create a calculation expense that is negligible if there's one of you but adds up quickly if you're running a bot farm that needs to send out 10,000 requests a second.

So I click the button, my browser does a quick proof-of-work, no big deal.

But an automated script will have to complete that proof-of-work every time it encounters it, skyrocketing the cpu costs for the server.

nout · 18h ago
They make it expensive to run large scale bots, so that deters the bots.

And they (probably?) use the computation power to crack passwords from people to let the government agencies access their accounts...

wild_pointer · 20h ago
So each spam message will take an extra second and 2 additional cents for electricity? I'm not sure what's the use case here.
timtom123 · 20h ago
Better suited for discouraging scraping. 2 cents * 300 scrapes = $6, although 2 cents is a huge overestimation and you would probably not show this every time. Only when there is unusual traffic.
jsnell · 19h ago
If it actually cost 2 cents, it'd be tremendously useful. There are huge tranches of abuse that would become unviable with that resource cost.

In reality passing the PoW will cost more like 1/10000th of a cent, and you can't make it cost significantly more (let alone 2 cents) without making access totally impractical for real users. Proof of work challenges for abuse are basically snakeoil, it's impossible to make the economics work.

kethinov · 16h ago
Other critiques aside, I wish there was more effort put into developing accessible CAPTCHAs that do not require JavaScript. Whatever its merits or flaws are, this CAPTCHA is yet another CAPTCHA that requires JS.
asnyder · 19h ago
What about integrating Altcha (altcha.org) is hard? Seems pretty straightforward.
marvinblum · 3h ago
Yup, I've been running Altcha on pirsch.io for a while now, and it was super easy to set up, is free, and open-source.

One of the main reasons we've switched from hCaptcha is privacy. The server-side stuff can be self-hosted and there is a Golang integration. Really nice.

Here is the link for anyone who would like to take a look: https://altcha.org/

pkkkzip · 19h ago
How does this compare to Anubis, another similar PoW based CAPTCHA?

Paired with this, and if there is a way to block out DDOS https traffic then we might be able to stop dependence on Cloudflare altogether.

throitallaway · 19h ago
I'd be so happy if the Internet moved away from Cloudflare for Captcha. I got on their "bad list" at one point (for who knows why), and no matter how many times I checked the "I am a human" box their Captcha wouldn't let me through for a few days. I was unable to login to the portal of a product that we pay for. It was such a frustrating experience.
p0w3n3d · 4m ago
In my case the harsh firewall settings made by my company on our laptops were showing a red flag on captchas, WAFs, etc.
tiagorangel · 19h ago
anubis is more like Cap's checkpoint, but still the implementation is very different.
Alifatisk · 19h ago
Reminds me a lot of wehatecaptchas.com, very similar concept
mkfs · 6h ago
Kiwiflare uses something like this.
detaro · 20h ago
So why does this make the user still click something?
prisenco · 20h ago
Probably to demonstrate. Attaching to a form submission or any modifying action would work.
tiagorangel · 19h ago
yeah i also recommend trying out the invisible mode
HideousKojima · 20h ago
KiwiFarms has had a similar captcha system since they got dropped by Cloudflare
dmazin · 20h ago
How do you know?
HideousKojima · 19h ago
It's the most reliable place to get the latest news on certain internet grifters and scammers (SVSeeker, a project to build a crowdfunded "scientific research vessel", being one of the ones I follow out of morbid curiosity).
idiotsecant · 20h ago
I hate to say it because this kind of sentiment is now wildly unfashionable, but this is an actual example of where we should be using crypto. We need the ability to time-lock a very small amount of money that we get back later in order to access a resource.
jeffhuys · 16h ago
What would that solve? A scraper could just have a wallet with $10?
idiotsecant · 15h ago
The same solution a proof of work provides: make it expensive to execute millions of commands, and cheap to execute one.
timmb · 21h ago
How did we end up with bitcoin before this?
jsheard · 20h ago
PoW rate limiting actually pre-dates PoW cryptocurrency, the former has just had a resurgence recently in response to AI scrapers pissing in everyone's pools.

https://en.wikipedia.org/wiki/Hashcash

The original Bitcoin paper even cited Hashcash as inspiration.

wewxjfq · 20h ago
I don't mind captchas to protect forms and such, but given that so many sites want captchas solved for the first GET request, I really wonder how much more CO2 this is going to produce. And when I see "invisible mode", I'd really like to ask the authors if they think their work is a net-positive for the world.
internetter · 20h ago
"Invisible mode" in CAPTCHAs is great for login forms. The captcha runs in the background. If it passes, the user doesn't need to be bothered with it. If it doesn't, the user is presented the standard captcha.

I agree I hate the CF captcha popups, but I think this is a result of AI scraping. GET requests can be expensive on dynamic sites with infinite paths — like a git host.

warkdarrior · 18h ago
"Invisible mode" is also great for cryptomining in the browser.
tiagorangel · 19h ago
> how much more CO2 this is going to produce

extremely minimal emissions, you're only solving a small cryptographic challenge after all.
userbinator · 4h ago
Not at scale, however. Like another comment said, this is going to turn out like cryptocurrencies.

(I really couldn't care less about the climate debate, but waste is waste.)

tiagorangel · 1h ago
even at a huge scale the emissions are still extremely small.
GoblinSlayer · 3h ago
Just wait until you see how much energy your browser consumes in idle mode.