PoW captchas are usually stupid ideas. You have to set the work factor low enough that low powered devices can do it without significant latency, but high enough that it actually stops attackers. Typically robots, unlike humans, dont care about doing things in real time.
It might stop the really low effort attacks of people who are spamming billions of pages where the cpu time becomes expensive, but i don't think the ecconomics work for most scenarios.
The current price for solving a js captcha is $3/1000 https://2captcha.com/ . The cost of cpu time for your PoW captcha is probably much lower. If people are willing to pay the $0.003 for a human to do it, they are going to be ok with buying the much cheaper compute.
> It might stop the really low effort attacks of people who are spamming billions of pages where the cpu time becomes expensive, but i don't think the ecconomics work for most scenarios.
FWIW this is already where captchas are primarily effective and afaik this is 99% of why people use a captcha at all.
One advantage of PoW captchas is that they don’t require the user to click anything. Assuming all captchas are borderline useless (so blocking stuff doesn’t actually matter) that’s a big improvement!
However, that doesn’t apply here, since, for some reason, mCaptcha’s dialog box contains a check box.
> The current price for solving a js captcha is $3/1000 https://2captcha.com/ . The cost of cpu time for your PoW captcha is probably much lower.
The cheapest AWS instance I can find with a dedicated CPU costs $0.000565 per second. So running four cores for two seconds already makes it more expensive — and much less effort and time for a human to solve than a traditional CAPTCHA.
> It might stop the really low effort attacks of people who are spamming billions of pages where the cpu time becomes expensive, but i don't think the ecconomics work for most scenarios.
How are regular CAPTCHAs any different if they cost $0.003 for an attacker to solve?
Because obviously there's no middle ground between 0 and 20min…
If your user need to wait for 1s, then it will probably not affect traffic top much (especially if you do it concurrently to loading your bloated webpage that already take a few seconds to load), but you've effectively lowered your spammer's throughput to 1qps (if you're using a memory-hard PoW scheme using Argon-2 or equivalent, the attacker cannot really speed things up by using a beeffier machine, by design of the cryptographic protocol)
Not with memory-hard schemes, that's the point of it actually! And that's because you don't have a 1200x increase in memory latency between your grandma's laptop and a server, you barely have an order of magnitude in the most extreme scenario.
The whole point of this system is that the difficulty is set to automatically increase when it detects it's under attack. That's why expected traffic and likely failure traffic are configurable options - when the server is experiencing a higher than normal load the difficulty is ramped up to dissuade those attacks. Yes, when this is happening a real user will also have a slower experience, but they would anyway if the server was being kept busy by the DDoS.
It might stop the really low effort attacks of people who are spamming billions of pages where the cpu time becomes expensive, but i don't think the ecconomics work for most scenarios.
The current price for solving a js captcha is $3/1000 https://2captcha.com/ . The cost of cpu time for your PoW captcha is probably much lower. If people are willing to pay the $0.003 for a human to do it, they are going to be ok with buying the much cheaper compute.