Silent SHA256 based proof-of-work(PoW) captcha solution

• survey

  2 0 3.4 Rust

  survey to collect mCaptcha's performance on various devices (by mCaptcha)

  

Thank you for your detailed response, you raise some very interesting and valid points!

> JS engines (or even WASM) aren't going to be as fast at this kind of work as native machine code would be

You are right. mCaptcha has a WASM and a JS polyfill implementations. Native code will definitely be faster than WASM but in an experiment I ran for fun[0], I discovered that the WASM was roughly 2s slower than native implementation.

> It's also based on the assumption that proof-of-work is going to increase the cost of doing business

mCaptcha is basically a rate-limiter. If an expensive endpoint(say registration: hashing + other validation is expensive) can handle 4k requests/seconds and has mCaptcha installed, then the webmaster can force the attacker to slow down to 1 request/second, significantly reducing the load on their server. That isn't to say that the webmaster will be able to protect themselves against sufficiently motivated attacker who has botnets. :)

> There's also the risk that any challenge that's sufficiently difficult may also make the user's browser angry that a script is either going unresponsive or eating tons of CPU, which isn't much different from cryptocurrency miner behavior.

Also correct. The trick is in finding optimum difficulty which will work for the majority of the devices. A survey to benchmark PoW performance of devices in the wild is WIP[1], which will help webmasters configure their CAPTCHA better.

[0]: https://mcaptcha.org/blog/pow-performance Benchmarking platforms weren't optimised for running benchmarks, kindly take it with a grain of salt. It was a bored Sunday afternoon experiment.

[1]: https://github.com/mcaptcha/survey

Full disclosure: I'm the author of mCaptcha

• RandomxAudits

  17 12 0.0

  Audit Proposals and Reports for RandomX

The term for describing is memory hard functions. RandomX[0] is one such example where GPU parallelism does not net them a large advantage over CPUs.

[0]: https://github.com/tevador/RandomX

• InfluxDB

  www.influxdata.com featured

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• mCaptcha

  11 1,569 8.6 Rust

  A no-nonsense CAPTCHA system with seamless UX | Backend component

  

• crypto-puzzle

  2 19 4.9 TypeScript

  A time-lock puzzle generator.

Nice! I had written a little algorithm that one could use to implement something like this (maybe interesting if you want to understand how it could work): https://github.com/fabiospampinato/crypto-puzzle

I think there's something to this, it costs you next to nothing to generate these puzzles and get a guaranteed, tunable, slowdown factor on attackers (or cost increase for them I guess).

Suggest a related project