I don't understand the premise. The point of a CAPTCHA is to tell Computers and Humans Apart, that's what the CHA stands for. You cannot hope to do this test using a proof-of-work system where the work is computer work.
Call this a client rate-limiter, or whatever else, but it is obviously not a CAPTCHA and cannot function in this way.
Another obvious problem is that server hardware is vastly more powerful than the average user's device. If you set your challenge to an amount of work that doesn't meaningfully drive users away and/or drain their batteries, you are allowing a malicious server to pass your challenge tens of thousands of times an hour.
Telling computers and humans apart is a wrong goal. Every request comes from a computer that is commanded by some human. And why shouldn't users be allowed to use automated user agents when they don't do it for spamming or anything malicious?
CAPTCHA is essentially a proof-of-work variant where challenges are designed to be solved by humans rather than computers, and same as any PoW it works by means of consuming some limited resource (human time, processor time, energy).
A lot of times the purpose is more on rate limiting than disallowing bot access. The goal to tell apart is on the premise that humans are a lot slower than bots.
For anonymous/free users we have very strict usage limits and the functionality is more limited to only operations that cost us less money. So a very targeted attack would do damage, but that is true of basically any system, and we could flip on bot blocking in Cloudflare if needed and if that would help.
Again, we have rate limits and usage limits in place. You know that you can pay to have Captchas automatically solved, right? It's not the solution to all problems. Obviously if a targeted DDOS happens then some changes would be required.
Also, it is no longer the case that Cloudflare uses Captchas for bot blocking. That's the legacy mode.
The fact that you can pay for both doesn't make them equivalent. To have a similar cost for spammers, you would need to request a challenge that takes many minutes to solve, which you just can't do. There is a strict limit on how long a user will wait for your security check and you can't pretend otherwise.
Let's stop pretending that all things are in the same bucket because "you can pay to have it solved". That's such a weird claim. For the right price you can have someone rob a bank for you, that doesn't mean it's as safe as your $2 padlock.
I always figured that CAPTCHAs worked because they limited on a resource that was harder to steal - human attention.
Rate limit by IP, and you get attacked by a botnet that "steals" IP addresses with malware.
Rate limit by PoW and you get people stealing AWS accounts, or using aforementioned botnet. See bitcoin mining.
Rate limit by CAPTCHA and you have to get a lot more clever (see things like setting up porn sites and proxying CAPTCHAs there)
So while you can pay to have CAPTCHAs solved, you actually DO have to pay and can't just steal your way in, so it means your target has to be more valuable.
> So while you can pay to have CAPTCHAs solved, you actually DO have to pay and can't just steal your way in, so it means your target has to be more valuable.
None of these things you listed above are available for free. They all require either effort to obtain or paying someone to do the work.
I see you don’t understand why people make websites or systems. Or why people make bread.
I don’t make applications so that users benefit or to make them happy. I make applications so that I can earn money.
Earning money requires having a human on the other side. Just like you are not making bread to make bread and throw it into a shredder.
If someone has a scheme where automation is beneficial they will create an API for their system. You should use the API if I provide one. But when I create a UI then I create it for people to use.
You always have to do software in a way that people will benefit because otherwise they will not pay.
Read again my downvoted post and think about the sentence in the context of the post where "Fice" wrote: "Telling computers and humans apart is a wrong goal.".
Then add to that the topic of CAPTCHA, and that CAPTCHA is annoying for users, so adding CAPTCHA is not beneficial for users; so it's a specific case, discussed in context.
Is server hardware vastly more powerful? If you use a hashing algorithm that isn't easily parallel, then you're dedicating a single CPU core for that exercise. Now a server may have more cores, but they are often slower per-core than a client machine. And dedicating server resources has a cost. You'd slow a brute force attack to a relative crawl, especially if the target has a large volume of pre-defined work and answers.
PBKDF2, as an example on 100k iterations can easily pin a CPU core for a few seconds. This is part of why I always have my authentication services separate from my applications, it reduces the DDoS vector. Now, you can shift work to the client as kind of an inverse-ddos rate limiter.
Combine that with a websocket connection, where the browser is sending user events like mouse movement, touch, scroll, focus/blur and input/paste... the two, combined with event timing analysis can give you a pretty good guess if something is a real user. And if it isn't, definitely slowing down bots.
Even if your server is not vastly more powerful, your 1 second of proof-of-work means a single server can pass your challenge 3600 times an hour.
The point is: a CAPTCHA has to be something that is easy for humans and hard for bots. This is at best the same level of effort from human('s devices) and bots. And realistically, more, because bots aren't battery-powered. It can't work.
I've had this problem a lot when I use a VPN. You're served a captcha that is impossible (I choose all of the correct squares and it still fails), and then I'm given a captcha with the ultra-slow click and reload images. At this point, I think it's more of an IP rate limiter than a human-bot detector.
but then some other services don't degrade like that and still offer you some easy 2-step puzzle "rotate a pic until panda is not upside down" or "find a panda"
Yes, due to the emergence of better bots, traditional CAPTCHAs aren't very good at being CAPTCHAs anymore either. It's a hard problem to solve, and it's a moving target.
> Even if your server is not vastly more powerful, your 1 second of proof-of-work means a single server can pass your challenge 3600 times an hour.
A decentralized CAPTCHA that reduces an attacker to one request per second is a lot better than nothing! Why are you dismissing this as useless?
At the end of the day, all CAPTCHAs can be circumvented by paying humans to solve them. So all CAPTCHAs have a price, and in this case it’s the price of the power used by the CPU as well as renting the CPU (or the depreciation on a CPU you own).
But it does not. It reduces it to 1 request per second, at least, per core, per machine that the attacker controls. A single attacker can still send millions of requests per hour at very low cost, limited only by compute resources, which is what CAPTCHA is supposed to work around (by challenging the human, not the machine).
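The "1 second of work per core" argument above, and the earlier post about shifting PBKDF2-style work onto the client, both come down to how a hash-based proof-of-work challenge is issued, solved and verified. The following is an added example, not code from the thread or from the mRateLimiter project: a self-contained SHA-256 leading-zero-bits puzzle with HMAC-signed challenges (so a client cannot lower the difficulty it was handed), an expiry, a replay check, and a small throughput estimator. Function names, the challenge format and the hash-rate figures are assumptions made for the example.

```python
"""Minimal SHA-256 proof-of-work rate limiter: challenge issue, solve, verify."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Server-side signing key, generated per process (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)
# Challenges already redeemed, so a solution cannot be replayed. A shared store
# with expiry would be needed across processes; a set is enough for the demo.
_redeemed = set()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(difficulty_bits: int, ttl_seconds: int = 60,
                    now: Optional[float] = None) -> str:
    """Return 'nonce:difficulty:expiry:tag'. The HMAC tag binds difficulty and
    expiry, so the server never trusts a client-declared difficulty."""
    now = time.time() if now is None else now
    body = f"{secrets.token_hex(16)}:{difficulty_bits}:{int(now) + ttl_seconds}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def _parse(challenge: str):
    nonce, difficulty, expiry, tag = challenge.split(":")
    return nonce, int(difficulty), int(expiry), tag


def solve_challenge(challenge: str) -> Tuple[int, int]:
    """Client side: brute-force a counter until SHA-256(challenge:counter) has
    the required leading zero bits. Returns (counter, hashes_tried)."""
    _, difficulty, _, _ = _parse(challenge)
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter, counter + 1
        counter += 1


def verify_solution(challenge: str, counter: int,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: one HMAC check plus one hash. Rejects forged, expired and
    replayed challenges before doing any work on the solution."""
    now = time.time() if now is None else now
    try:
        nonce, difficulty, expiry, tag = _parse(challenge)
    except ValueError:
        return False, "malformed"
    body = f"{nonce}:{difficulty}:{expiry}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if now > expiry:
        return False, "expired"
    if challenge in _redeemed:
        return False, "replayed"
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < difficulty:
        return False, "insufficient work"
    _redeemed.add(challenge)
    return True, "ok"


def solves_per_hour(hashes_per_second: float, difficulty_bits: int) -> float:
    """Expected solutions per hour for one client at the given hash rate: each
    challenge costs on average 2**difficulty hashes, so throughput scales
    linearly with compute rather than with human attention."""
    return hashes_per_second * 3600 / 2 ** difficulty_bits


if __name__ == "__main__":
    ch = issue_challenge(difficulty_bits=16)
    counter, tried = solve_challenge(ch)
    print("solved after", tried, "hashes ->", verify_solution(ch, counter))
    print("second redemption ->", verify_solution(ch, counter))
    # Assumed rates: a phone at ~2^20 H/s takes ~1 s per 20-bit challenge;
    # a 32-core box at ~2^21 H/s per core clears the same puzzle 64x as often.
    print("phone solves/hour:", solves_per_hour(2 ** 20, 20))
    print("32-core server solves/hour:", solves_per_hour(32 * 2 ** 21, 20))
```

The verifier's cost is one HMAC and one hash regardless of difficulty, which is the asymmetry the design relies on; the signature, expiry and redeemed-set checks are what keep a client from solving one easy challenge and presenting it repeatedly.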
Similarly to how many security features work, it doesn't have to be 100% (or it may even be impossible to make it 100%), it just has to be good enough/make the attack expensive enough to deter it. There aren't really any easy tasks left for humans that a suitably trained ML algorithm couldn't do, and anything more complex would just annoy people. Even if there is such a task, the line moves quickly -- back then reading some colored digits from an image was unfeasibly hard/expensive for bots. Nowadays your phone extracts text from your images in the background.
In this vein, anything requiring ML/expensive computation is still a worthwhile addition, as today the primary purpose of a CAPTCHA is to slow down/rate limit bot activity. Your single server use case is not really realistic -- it can be easily reverted (it won't come from 3600 IP addresses, otherwise the rate would be much lower), and 3600 times an hour is... not a lot for a computer. So it seems to do its job well.
The average user is on a 3-year-old Android phone with 40% battery. The average server has 32 processors and industrial-grade cooling.
Sure, it is possible that your gaming PC beats the average server in terms of CPU frequency. But that's not what the average website visitor is using, and you can't scale the proof-of-work out of their reach.
That would work for some desktops and very few laptops only... and only if the task cannot be ported to a GPU. Other than that, the JavaScript code would be ported to C.
This very case is far worse as it uses SHA-256, which Bitcoin ASICs love.
It's a semantic expansion. It happens all the time in language. That's not a meme! That's just an image with a caption on it!
CAPTCHA is widely known as a thing that is implemented to prevent spam [0]. This is a thing that is used to prevent spam. It's CAPTCHA now. Here, the concept of preventing spam is communicated through the word CAPTCHA.
"mRateLimiter: Open-source proof-of-work rate limiter for websites"
Huh? What is this thing, what does it do?
[0]: Speaking of the word spam... You're not spamming! Spamming is when you send junk email! You're just pressing a button on your controller over and over again!
It's typical HN: word definitions don't matter and can be tortured to death to mean anything unless one wants to nit-pick then people better use the most academic, agreed-upon and official meaning of a word.
Now back to updating the sophos captcha appliance at work.
> Speaking of the word spam... You're not spamming! Spamming is when you send junk email! You're just pressing a button on your controller over and over again!
The gaming use seems to precede the email use by quite a bit, and be part of the route between the Monty Python sketch and the email use, FWIW.
I'd say you're too pedantic. Given both computer work (calculating hashes) and human labor (filling out reCAPTCHA) have a price point, it is only a matter of making automated actions more expensive to scale. It's only natural then that the word definition has shifted.
Let's just declare that captcha now stands for Completely Automated Public Thingy to Make Spammers And Fraudsters Life A Bit Harder.
The point of a captcha is to make sure that there is a human, e.g., writing this comment or creating an account.
If I used this (admittedly cool and useful) rate limiter instead of a real captcha I would have 1000s of AI-generated posts and 100s of new accounts. Yes, it would be rate limited and spread over a day or week, and servers would easily handle it, but that's not the point. I don't want this fake activity at all - that's the point!
This seems like a good alternative/addition to cloudflare and their anti ddos features though (?)
But a traditional captcha doesn't solve that either. Even if the captcha really is too hard for a bot, you can pay other humans to solve captchas for you at a click farm. Or even just generate content and automate everything except the captcha, and solve those yourself.
A dead comment thinks you're making a no true Scotsman argument, but you're right. The key is that the workarounds you're listing are very cheap and easy, not just possible.
There are no easy/non-annoying tasks left that could easily differentiate between a human and a bot, and any that may exist will only work for a short time. The only thing left, as mentioned, is to move the price point for an automated attack: I'm sure creating a fake account on your site is not worth, say, $1000 for those 1000 accounts. Remember, a troll can also register by hand 10-20 accounts, with any kind of captcha, so it's not zero sum either.
The problem is that traditional audio/video captchas are not proof of humanity either. Captchas are a method for increasing the amount of work that an automated client needs to do to access your site. They do not block bots, they just impose a cost.
They're designed to block bots, sure, I agree. But we are burying our heads in the sand if we think that captchas imply humanity. They don't. The tests that they impose are not rigorous or strong enough to do that. What audio/video captchas do in practice is impose a cost in front of automated access.
We'd like them to do more than that, but the tech hasn't really ultimately worked out in that direction so even though we'd like a captcha to prove that a user is a human, what the captcha enforces is just a cost-per-request. Sometimes that involves paying a human pennies to solve the captcha, sometimes it just means turning on accessibility features and piping the captcha into a text-to-speech service. Either way, the final request can still be trivially coming from a bot (and regularly is).