mCaptcha: Open-source proof-of-work captcha for websites

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • 2captcha-php

    PHP package for easy integration with the API of 2captcha captcha solving service to bypass recaptcha, hcaptcha, funcaptcha, geetest and solve any other captchas.

  • PoW captchas are usually stupid ideas. You have to set the work factor low enough that low-powered devices can do it without significant latency, but high enough that it actually stops attackers. Typically robots, unlike humans, don't care about doing things in real time.

    It might stop the really low-effort attacks of people who are spamming billions of pages where the CPU time becomes expensive, but I don't think the economics work for most scenarios.

    The current price for solving a JS captcha is $3/1000 (https://2captcha.com/). The cost of CPU time for your PoW captcha is probably much lower. If people are willing to pay the $0.003 for a human to do it, they are going to be OK with buying the much cheaper compute.

  • crypto-puzzle

    A time-lock puzzle generator.

  • Funnily enough, I've recently implemented [0] a little proof-of-work generator (or more specifically a time-lock puzzle [1] generator), which is the base building block on top of which something like this can be built.

    It's a very cool idea imo: you generate a cryptographic puzzle that's cheap for you to make, cheap for you to verify if it's solved, and potentially cheap enough for legitimate users to solve, but expensive enough that users making too many requests would find solving them prohibitively expensive.

    I wish something like this was bolted onto email protocols; it would just cost more to be a spammer than it'd be worth.

    Interesting how mCaptcha seems based on SHA-256. I don't know enough, but it would be worth checking how much the algorithm can be sped up with (already existing) dedicated ASICs. If the attacker can solve the puzzle like 10000x faster than normal users, you just can't crank the difficulty of the puzzle high enough, and for motivated attackers this becomes basically useless. Basing this on repeated squarings, like the RSW paper on time-lock puzzles did, seems potentially better.

    [0]: https://github.com/fabiospampinato/crypto-puzzle

  • cuckoo

    a memory-bound graph-theoretic proof-of-work system (by tromp)

  • Asymmetric PoW algorithms, such as Cuckoo Cycle [1] or the poorly named Equihash [2] (which is not a hash function) do not lend themselves to password hashing, since a given instance can have 0 or 1 or many solutions.

    [1] https://github.com/tromp/cuckoo

    [2] https://en.wikipedia.org/wiki/Equihash

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
