
kimburgess | 2 years ago

For this style of abuse mitigation I’m always surprised that HashCash [1] or similar simple, locally implemented proof of work mechanisms aren’t more common.

This can be implemented in a way that remains transparent (albeit via JS), poses little impact on ‘good’ users, but protects against a lot of traffic patterns that may be undesirable. The cost can be scaled to match infra capability and the challenge can be a combo of the request data and time. Valid windows for that time can then be synced with cache validity which removes the need to keep tabs on any state.

For those deeper in this space: what am I missing here that prevents this from being the norm?

[1]: http://www.hashcash.org/


michaelt | 2 years ago

It turns out some of the abusers are using 'botnets' of thousands of virus-infected home PCs. So they've got thousands of CPU cores available for proof-of-work challenges, legitimate residential IP addresses, and so on.

Meanwhile, plenty of the legitimate users are using 5 year old budget android devices, so you'd better not make that challenge too hard.

nijave | 2 years ago

Yeah, there's lots of these floating around sometimes called "scraper service" or "residential proxy". Not sure if it's still around, but one of them enlisted machines by paying users to install a browser extension.

didntcheck | 2 years ago

The quote in the article says Turnstile does have proof-of-work (and space) challenges. But yes, I've similarly wondered years ago why people weren't more aware of this idea for spam control. Instead, people now invariably associate the term with cryptocurrency.