[HN Gopher] Cap: Lightweight, modern open-source CAPTCHA alterna...
___________________________________________________________________
Cap: Lightweight, modern open-source CAPTCHA alternative using
proof-of-work
Author : tiagorangel
Score : 106 points
Date : 2025-05-30 16:36 UTC (6 hours ago)
(HTM) web link (capjs.js.org)
(TXT) w3m dump (capjs.js.org)
| timmb wrote:
| How did we end up with bitcoin before this?
| jsheard wrote:
| PoW rate limiting actually pre-dates PoW cryptocurrency, the
| former has just had a resurgence recently in response to AI
| scrapers pissing in everyone's pools.
|
| https://en.wikipedia.org/wiki/Hashcash
|
| The original Bitcoin paper even cited Hashcash as inspiration.
| robbles wrote:
| This is a neat idea.
|
| I don't know enough about the underlying proof-of-work stuff to
| comment on how effective this could be, but I think it's pretty
| funny that the UI examples say "I'm a human".
|
| I guess "there's only a few of me at most" or "I could allocate
| enough computation to this that I'm probably not up to no good"
| don't read as clearly.
| mgrandl wrote:
| What does proof-of-work mean here and what makes it easy for
| humans and hard for bots?
| pixl97 wrote:
| I think it's only more expensive for bots, though just as easy
| for bots.
|
| The problem with bots is they quite often farm this out to
| stolen resources. It makes sending whatever they are sending
| slower, but doesn't stop it.
| prisenco wrote:
| It will make server hijacking more noticeable and harder to
| hide.
| stephantul wrote:
| Think of crawlers: a crawler typically makes hundreds or
| thousands of requests per second. The owners of the crawler
| then sell this data for X$, or gain X$ profit.
|
| Proof of work adds a very small cost to each individual
| request, increasing the cost of crawling to a number higher
| than X. Because actual humans make very few requests, we don't
| notice the increase in cost.
| timtom123 wrote:
| This exactly, having run very large scraping operations, it
| only takes a slight increase in cost to make it unprofitable
| for many use cases.
| SV_BubbleTime wrote:
| Right, scale is solved... but not at all targeted
| "attacks".
|
| If some site uses this and I only want that site as an
| attacker or as a personal scraper or etc, this is keenly
| ineffective at proving human vs bot.
| hombre_fatal wrote:
| When you use a captcha, you presumably want to defeat someone
| curling your CreatePost endpoint, not just make it more
| annoying to do it at only botnet scale.
|
| This captcha still lets all traffic through. Except now you
| waste the battery of honest users.
|
| Even HN proponents of the idea don't use it on their own
| sites.
| krior wrote:
| I'd rather see something like anubis than some unsolvable
| captcha. I never understood the battery-argument, I reckon
| my screen uses more energy during pow-solving than it takes
| my phone to solve these pows.
| hombre_fatal wrote:
| > I'd rather see something like anubis than some
| unsolvable captcha.
|
| So would bad actors. Which is why everyone uses normal
| captchas and not mere PoW.
|
| PoW is the easiest captcha to beat.
| Tijdreiziger wrote:
| [citation needed]
| hombre_fatal wrote:
| For which part?
|
| Every time a new submission is created on HN, you have a
| curl script that posts a comment on it shilling your
| product. (According to the /newest tab there seems to be
| one submission every few minutes.)
|
| What's harder for you to automate: the comment always
| posts successfully after 500ms, or you get a Cloudflare
| Turnstile captcha every time?
| yodon wrote:
| PoW is for a completely different threat model than
| CAPTCHA. If you're trying to decide which is better,
| you're doing it wrong.
| skydhash wrote:
| It's equally easy for both. But people using browsers only do
| it a few times, while bots need to do it many times. A second
| for a human every X pages is not much, but it's a death-knell
| for the general practice of bots (and they can't store the
| cookies because you can rate-limit them that way).
|
| Imagine scraping thousands of pages, but with an X>1 second wait
| for each. There wouldn't be a need to use such a solution if
| crawlers were rate-limiting themselves, but they don't.
| reaperducer wrote:
| So is the solution to stymying bots to just add a page load
| delay of a second or two? Enough that people won't care, but
| it doesn't scale for bots?
| jsheard wrote:
| Just adding a delay wouldn't achieve anything because bots
| can just do something else while they wait, whereas PoW
| requires them to actively spend their finite resources
| before they can continue doing whatever they want to do.
| tiagorangel wrote:
| i wrote a bit about it here:
| https://capjs.js.org/guide/effectiveness.html
| jbellis wrote:
| ahh, that makes sense, thanks
|
| I do think that calling this a CAPTCHA when it's not actually
| intended to distinguish humans from computers is a bit
| misleading, but I can see why you would do that
| detaro wrote:
| So why does this make the user still click something?
| prisenco wrote:
| Probably to demonstrate. Attaching to a form submission or any
| modifying action would work.
| tiagorangel wrote:
| yeah i also recommend trying out the invisible mode
| dogman123 wrote:
| can someone ELI5 how these proof-of-work captchas work under the
| hood to detect whether i'm a bot or not?
| prisenco wrote:
| They don't detect if you're a human exactly. What they do is
| they create a calculation expense that is negligible if there's
| one of you but adds up quickly if you're running a bot farm
| that needs to send out 10,000 requests a second.
|
| So I click the button, my browser does a quick proof-of-work,
| no big deal.
|
| But an automated script will have to complete that proof-of-work
| every time it encounters it, skyrocketing the cpu costs for the
| server.
| arp242 wrote:
| They don't detect if you're a bot or not; it just makes it more
| expensive, the idea being that doing $action 10,000 (or more)
| times becomes much more costly for the attacker, preferably to
| the point where doing $action (posting spam, creating accounts,
| etc.) is no longer profitable. It's probably more useful to see
| it as a ratelimiter than a bot detection mechanism.
| nout wrote:
| They make it expensive to run large scale bots, so that deters
| the bots.
|
| And they (probably?) use the computation power to crack
| passwords from people to let the government agencies access
| their accounts...
| wild_pointer wrote:
| So each spam message will take an extra second and 2 additional
| cents for electricity? I'm not sure what's the use case here.
| timtom123 wrote:
| Better suited for discouraging scraping. 2 cents * 300 scrapes
| = $6 although 2 cents is a huge overestimation and you would
| probably not show this every time. Only when there is unusual
| traffic.
| jsnell wrote:
| If it actually cost 2 cents, it'd be tremendously useful. There
| are huge tranches of abuse that would become unviable with that
| resource cost.
|
| In reality passing the PoW will cost more like 1/10000th of a
| cent, and you can't make it cost significantly more (let alone
| 2 cents) without making access totally impractical for real
| users. Proof of work challenges for abuse are basically
| snakeoil, it's impossible to make the economics work.
| aurumque wrote:
| Why not make this contribute to something greater, like
| scientific grid computing, or a charitable bitcoin donation?
| Instead we're just burning a few watts to slow down crawlers.
| internetter wrote:
| I like the citizen science idea, the bitcoin one is so shitty.
| There was an epidemic of websites covertly mining in browsers a
| while back and this is a dangerous road to go down.
| woah wrote:
| The entire purpose of this library is to covertly mine in
| browsers
| internetter wrote:
| Only for the protection of the service. With a financial
| incentive all of the sudden it's deployed unnecessarily to
| every static site in existence, just like ads all those
| years ago. And the enshittification continues.
| tiagorangel wrote:
| no, it's not mining crypto.
| idiotsecant wrote:
| Do you have an example of scientific grid computing that is
| expensive to compute but cheap to verify? Those are the
| properties this needs.
| jonas21 wrote:
| Because the overhead of orchestrating and distributing the
| problem would be much larger than the amount of work you can do
| in 1 second?
| wewxjfq wrote:
| I don't mind captchas to protect forms and such, but given that
| so many sites want captchas solved for the first GET request, I
| really wonder how much more CO2 this is going to produce. And
| when I see "invisible mode", I'd really like to ask the authors
| if they think their work is a net-positive for the world.
| internetter wrote:
| "invisible mode" in CAPTCHAs are great for login forms. In the
| background the captcha runs. If it passes, the user doesn't
| need to be bothered with it. If it doesn't, the user is
| presented the standard captcha.
|
| I agree I hate the CF captcha popups, but I think this is a
| result of AI scraping. GET requests can be expensive on dynamic
| sites with infinite paths -- like a git host.
| warkdarrior wrote:
| "Invisible mode" is also great for cryptomining in the
| browser.
| tiagorangel wrote:
| > how much more CO2 this is going to produce
|
| extremely minimal emissions, you're only solving a small
| cryptographic challenge after all.
| internetter wrote:
| > @cap.js/solver is a standalone library that can be used to
| solve Cap challenges from the server. Doesn't this defeat the
| purpose of Cap? Not really. Server-side solving is a core use
| case of proof-of-work CAPTCHAs like Cap or altcha. It's about
| proving effort, not necessarily involving a human.
|
| I like this. Allows for reasonable bots like IA without the
| mindless wasteful AI scrapers.
| aiiotnoodle wrote:
| Sorry what is IA?
| underyx wrote:
| Internet Archive
| landl0rd wrote:
| Isn't IA's architecture pretty strained already without this?
| idiotsecant wrote:
| I hate to say it because this kind of sentiment is now wildly
| unfashionable, but this is an actual example of where we should
| be using crypto. We need the ability to time-lock a very small
| amount of money that we get back later in order to access a
| resource.
| jeffhuys wrote:
| What would that solve? A scraper could just have a wallet with
| 10$?
| idiotsecant wrote:
| The same solution a proof of work provides: make it expensive
| to execute millions of commands, and cheap to execute one.
| HideousKojima wrote:
| KiwiFarms has had a similar captcha system since they got dropped
| by Cloudflare
| dmazin wrote:
| How do you know?
| HideousKojima wrote:
| It's the most reliable place to get the latest news on
| certain internet grifters and scammers (SVSeeker, a project
| to build a crowdfunded "scientific research vessel" being one
| of the ones I follow out of morbid curiosity).
| marinmania wrote:
| I was wondering if more sites will start to drift to a system
| where they require you to be logged in to an account attached to
| a SIM card in some ways.
|
| I feel like accounts that require phone verification are already
| similar in that they require some cost to access. It obviously
| wouldn't stop a large corporation from buying up thousands of
| numbers if they needed it for a specific purpose, but it would be
| prohibitively expensive for most to try this.
|
| The benefit of the SIM system is it actually costs zero for
| people since they already have a cell phone.
| theamk wrote:
| Such a site had better provide some unique service no one else
| can.
|
| There is no way I am sharing my phone number with random sites
| unless I absolutely have to, I get enough spam & scam already,
| and tracking potential is enormous.
| nailer wrote:
| > I was wondering if more sites will start to drift to a system
| where they require you to be logged in to an account attached
| to a SIM card in some ways.
|
| I hope we move away from SIM cards - they'll require SIM based
| auth checks and low paid staff at cell phone companies will
| happily give away my SIM card to another phone to get a
| kickback from robbing people.
| downrightmike wrote:
| Yes because having an account gets around adblockers, anti
| tracking, age verification and section 230 removal issues. ToS
| is already weaponized.
| jeroenhd wrote:
| > a SIM card
|
| That's basically what remote attestation is. But it's using
| TPMs (or similar) rather than SIM cards. The TPM has a key
| signed by the manufacturer, and that key can be used to sign
| tokens to prove that you possess a physical TPM and have it in
| a mode that provides access to that key.
|
| The problem with either is that the system doesn't work if you
| can get access to the keys behind the system. That means
| banning everyone who uses a vulnerable model of SIM card/TPM
| implementation. SIMs are cheaper to replace, but you'd have to
| replace millions of them every time someone manages to voltage
| glitch a SIM card.
|
| If you own an iPhone or Macbook, you have access to a browser
| that already does this:
| https://developer.apple.com/news/?id=huqjyh7k
| landl0rd wrote:
| Phone number is also good because you can be reasonably sure as
| to whether it's voip or not. It is literally the one non-awful
| solution to the sybil problem we have discovered (the awful
| ones being things like gov id).
| asnyder wrote:
| What about integrating Altcha (altcha.org) is hard? Seems pretty
| straightforward.
| pkkkzip wrote:
| How does this compare to Anubis, another similar PoW based
| CAPTCHA?
|
| Paired with this, and if there is a way to block out DDOS https
| traffic then we might be able to stop dependence on Cloudflare
| altogether.
| throitallaway wrote:
| I'd be so happy if the Internet moved away from Cloudflare for
| Captcha. I got on their "bad list" at one point (for who knows
| why), and no matter how many times I checked the "I am a human"
| box their Captcha wouldn't let me through for a few days. I was
| unable to login to the portal of a product that we pay for. It
| was such a frustrating experience.
| tiagorangel wrote:
| anubis is more like Cap's checkpoint, but still the
| implementation is very different.
| Alifatisk wrote:
| Reminds me a lot of wehatecaptchas.com, very similar concept
| Y_Y wrote:
| Cap is a very bad product name, no cap.
| Tijdreiziger wrote:
| I think it's great. It tries to catch bots, which are capping
| that they're human. :)
| qqqult wrote:
| frfr?
| tiagorangel wrote:
| too late to change now :)
|
| also i like how it's a reference to both CAPtcha and "no cap"
| darknoon wrote:
| If you were doing a lot of scraping, you could just solve this on
| a GPU in 1/10 or less of the time it takes a human's phone to do
| it. Generally you need a decent computer to render a webpage
| while scraping it these days, so I don't see what this is
| solving.
| tiagorangel wrote:
| scrapers usually _don't_ render a webpage, else their scraping
| wouldn't be efficient at all.
| hathawsh wrote:
| Is that still true? There are so many SPAs out there now that
| if I were to create a web spider today, I would plan to just
| render a lot of the pages in a browser rather than fight the
| status quo. Efficiency wouldn't be my top concern.
| nicwolff wrote:
| Did no-one click through to the technical white paper?
|
| https://www.researchgate.net/publication/374638786_Proof-of-...
|
| "Proof-of-Work CAPTCHA with password cracking functionality"
|
| The "work" is "to use the distributed power of webusers'
| computers" to "obtain suspects' passwords in order to access
| encrypted evidence" and "support law enforcement activities".
|
| Funny how that isn't mentioned anywhere in the linked site.
| mcpar-land wrote:
| > Normally, it is undesirable for users' passwords to be
| cracked. However, in the case of law enforcement, we often need
| to obtain suspects' passwords in order to access encrypted
| evidence. The obvious solution is to build powerful (and
| expensive) dictionary cryptanalysis computers. A less obvious
| approach is to use the distributed power of web users'
| computers, as has been done in the Seti@Home
| (https://setiathome.berkeley.edu/ -- suspended project) or
| Folding@Home projects (https://foldingathome.org/). The
| proposed approach can therefore support law enforcement
| activities while providing the desired functionality to the web
| community
|
| "You're not allowed to visit this website unless you submit
| your computer to being part of the fed's password cracking
| botnet" that's a whole fresh hell. A better use case is right
| there in their own description! I'd love my captchas to be
| little Folding@Home problems.
| ronsor wrote:
| Can't we just submit bogus hashes?
| downrightmike wrote:
| That is shady as hell. Welp this is dead on the vine
| hathawsh wrote:
| Interesting discovery. This research sounds creepy and ill-
| advised, but my intuition suggests to me this is an innocent
| attempt to do something useful rather than waste energy on a
| PoW algorithm. My intuition also tells me that if this project
| became popular enough, attackers would break the algorithm
| fairly easily and the project would just revert to a more
| conventional PoW algorithm that doesn't try to be smart.
| SparkyMcUnicorn wrote:
| Definitely concerning, although I'm having trouble finding
| anything in the codebase to support this.
|
| This paper even seems to contradict aspects of the project's no
| tracking stance. If someone told me this paper was for a
| different (but similar) project, I'd believe it after looking
| at the two side by side.
|
| Would definitely want this to be addressed before I'd consider
| using it.
| prophesi wrote:
| There are two binaries committed to the repo
| (cap_wasm_bg.wasm) but from what I can tell, it doesn't seem
| to be making any network calls or what have you. They still
| should get rid of them and add a Rust build step for their
| browser/node packages.
| __natty__ wrote:
| I like the simplicity of this project. I created my own open-
| source, no tracking captcha using both proof-of-work and image
| puzzle challenges 4 years ago as a side project for my studies
| and my former employer's internal hackathon [0].
|
| At the time, it was an idea based on spam prevention active
| systems. However, for the browser, there are many issues with
| such solutions--if you can solve it, then bots can too. It slows
| them down a little, but that's about it.
|
| [0] https://github.com/pilotpirxie/devcaptcha
| kethinov wrote:
| Other critiques aside, I wish there was more effort put into
| developing accessible CAPTCHAs that do not require JavaScript.
| Whatever its merits or flaws are, this CAPTCHA is yet another
| CAPTCHA that requires JS.
| satellite2 wrote:
| It's just going to make low battery devices with consumer grade
| compute drain faster while bot farms with access to ASICs will
| have a negligible increase in cost. This approach is going to
| have all the same problems distributing work democratically that
| cryptocurrencies had. And as far as I know crypto didn't solve
| this.
___________________________________________________________________
(page generated 2025-05-30 23:00 UTC)