
Show HN: wehatecaptchas – we’ll keep the bots out without annoying your users - 1mbsite
https://wehatecaptchas.com
======
jszymborski
This was submitted yesterday:
[https://news.ycombinator.com/item?id=20910825](https://news.ycombinator.com/item?id=20910825)

------
esnard
The captcha is considered solved if the browser finds N nonces (with 0 < N ≤
10) where a SHA-256 hash starts with 20 bits set to 0 in less than 5 minutes.

A nonce is valid on average every 2**20 hash computations, which is about
1 million hashes.

A modern GPU can compute several billion SHA-256 hashes per second.

---

Since this protection is uncommon, it will protect against spam, until someone
creates a dedicated bot to bypass this captcha.

Also, I suspect phone users will have a hard time getting through. My phone
took 30s to validate the captcha used in the demo, which has the N variable
set to 2.

~~~
sebst
> My phone took 30s to validate the captcha used in the demo

I tried it on my phone as well and I thought it did not work, because the
progress bar did not move. I didn't even notice there was a progress bar.

The idea is great, but I would not use it for my apps, because I would expect
a heavy loss of conversions.

Isn't there a mathematical puzzle which cannot be optimized by GPU usage so
that desktop and phones are on par? Maybe something like scrypt which takes
less computation and more RAM? I guess RAM is also a very sparse resource for
bots, no?

~~~
derefr
> Isn't there a mathematical puzzle which cannot be optimized by GPU usage so
> that desktop and phones are on par?

If you can answer that question, you can create a blockchain Proof-of-Work
algorithm that won’t use half the world’s electricity.

~~~
johnmaguire2013
Estimates of Bitcoin's energy consumption are around 73 TWh annually.[1]

The global annual consumption for 2017 was 21,372 TWh. [2]

While Bitcoin's energy consumption is notable, it accounts for nowhere close
to half of the world's electricity usage, but rather about 0.3% of it.

1. [https://digiconomist.net/bitcoin-energy-consumption](https://digiconomist.net/bitcoin-energy-consumption)

2. [https://www.iea.org/statistics/electricity/](https://www.iea.org/statistics/electricity/)

~~~
eloff
And how much would it use if we used it to replace fiat currency?

~~~
frei
It's not possible to replace fiat currency with bitcoin because the
transaction rate (# of tx/s) of the bitcoin ledger is far too slow (5 tx/s).

[https://hackernoon.com/the-blockchain-scalability-problem-the-race-for-visa-like-transaction-speed-5cce48f9d44](https://hackernoon.com/the-blockchain-scalability-problem-the-race-for-visa-like-transaction-speed-5cce48f9d44)

~~~
eloff
There are solutions to that, I wouldn't go so far as to say it's not possible.
But I don't advocate for it or think it's in any way going to happen either.

------
daveoflynn
It took about 30s to ‘solve’ the captcha on my iPhone XR, with minimal
feedback as to why it was taking so long.

That was pretty annoying. If I hadn’t been on a site demoing captchas, I would
have assumed the site broken and moved on...

~~~
dylz
After 3 minutes, this just crashed the browser on an old AOSP stock Android
device I have. The last time I implemented something like this as a
proof-of-work (first party) solution, it fell apart instantly when someone
wrote a dedicated bot for it - 5 zeroes were found in sub-0.5s times in
non-browser-JS.

------
jedberg
> It works by requiring your computer to solve complex mathematical equations
> in the background. It's a quick process for legitimate users, but is slow
> and expensive for spammers.

It took my computer 47 seconds and spun my CPU to 100% in the process. This is
in Safari on a 2015 MacBook Pro.

I'm a bit skeptical about the claim.

------
Smithalicious
Sorry to say it but this is a hilariously bad idea. It's a captcha except it
somehow takes _longer_ and won't actually keep bots out once it becomes
widespread, while also doing the same thing as those bitcoin mining scripts
except nobody is actually getting paid.

Still though, props to anyone who tries to come up with a way to kill
captchas.

------
ddtaylor
This is _not_ a CAPTCHA:

> Completely Automated Public Turing test to tell Computers and Humans Apart

The scheme presented here proves that a certain amount of hashing work was
done, but doesn't prove that a human did that work. Oddly enough, no human can
complete this task by hand.

~~~
patrickmcnamara
In fairness, it explicitly says that it isn't. It says that it is an
alternative. Its name is even "wehatecaptchas".

------
lexs
This concept has been proposed by Dwork and Naor in 1992 to fight email spam.
[0]

[0] Dwork, Cynthia, and Moni Naor. "Pricing via processing or combatting junk
mail." Annual International Cryptology Conference. Springer, Berlin,
Heidelberg, 1992.

~~~
aabbcc1241
And it's proven that proof-of-work doesn't work to stop spam.

[https://www.semanticscholar.org/paper/%E2%80%9C-Proof-of-Work-%E2%80%9D-Proves-Not-to-Work-version-0-.-2-Laurie-Clayton/7a58abc92dbe41c9e5b3c7b0a358ab9096880f25](https://www.semanticscholar.org/paper/%E2%80%9C-Proof-of-Work-%E2%80%9D-Proves-Not-to-Work-version-0-.-2-Laurie-Clayton/7a58abc92dbe41c9e5b3c7b0a358ab9096880f25)

------
buildzr
Okay, so you do PoW in browser on CPUs - but that's likely much slower than a
simple C implementation of the same algorithm and miles slower than a GPU, or
worse, if it becomes really popular, dedicated ASIC.

Not to mention with the current parameters it barely works on mobile devices,
so in practice it'd have to be weakened even further.

If your spam target has any decent value, this simply won't work. Spammers
will pay milliseconds while regular users pay minutes.

You could at least try to make some money on this by solving work on a mining
pool, but I just can't see it being a good general strategy.

~~~
icebraining
> miles slower than a GPU

With WebGL, a website can run a program (shader) on the GPU [1]. Whether
that's a good idea is another issue, but it's already available on current
browsers.

ASICs would be harder, but supposedly some PoW algorithms are harder to
optimize that way.

[1] [https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API/By_example/Hello_GLSL](https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API/By_example/Hello_GLSL)

------
DethNinja
Seems like an implementation of a puzzle protocol. I love puzzle protocols and
use them on all my servers with external client connections, but this is hardly
suitable for mobile users as they will have disproportionately lower computing
power than desktop users; this is why I don't use it on my websites.

For those of you who are interested about puzzle protocols, this is a good
paper:
[https://eprint.iacr.org/2010/649.pdf](https://eprint.iacr.org/2010/649.pdf)

------
jimnotgym
Ihatecaptchas too. I hate the way they work better in Chrome rather than
Firefox. I think it is disgusting that Google uses it to promote their browser
like that.

Trouble is, I don't think this is a better solution.

~~~
aabbcc1241
You can set the difficulty to be as low as 2 to 5 seconds on an average phone.
Spammers will find an easier place to go unless your site is really that
attractive.

------
ocdtrekkie
On the "are you mining crypto" question, my thought was: why aren't they?
wehatecaptchas' paid API service could be free if the math problem being solved
was profitable...

~~~
thexa4
Because if the computations you are doing are valuable spammers would use the
results of those computations to offset the cost.

It's basically the same reason why cryptocurrencies cannot do meaningful work
or it would be possible to do 'free' 51% attacks.

~~~
ocdtrekkie
The value from the computations would go to wehatecaptchas, not to the person
completing the captcha.

~~~
aabbcc1241
The person completing the captcha is rewarded with access to the service provided
by the website.

------
rolltiide
> How's this work? (detailed) We send your browser a unique string. It must be
> "solved" within 5 minutes. Your browser is told to hash that unique string
> over and over, each time adding a new number. Your browser starts at 1 and
> counts up. Doing this until the outputted hash starts with 5 zeros (this is
> the solution to the captcha and is needed to submit the form).

and why couldn't a bot do this again?

~~~
Jernik
It can easily do it, the point is that doing this makes it more expensive to
spam your site. Let's say normally, it takes 1 second to post, now it might
take 10 secs. Now you're spending 10x as much to post a comment or form, etc

~~~
yellowapple
Wouldn't it be more effective to throttle on the server side? You could have
the server just artificially take 10 seconds to respond to the request and get
the same effect.

~~~
1mbsite
Not necessarily. Somebody can spam your form from multiple hosts. If you
enforce a proof of work they will all need to work for it.

~~~
yellowapple
But somebody can also do the proof of work from multiple hosts (or
parallelized on the same host, e.g. with GPU computation). How does a proof-
of-work in this case actually do more than just throttling the server's
responses?

~~~
1mbsite
Because there’s more work involved.

~~~
yellowapple
Okay, but that's kinda like saying eating healthy is good because you get to
deprive yourself of donuts: that is, I feel like it's mixing up the cost and
benefit. The point of the work is (from what I'm understanding here) to make
it less feasible for bots to flood a server with requests, but doing the
throttling server-side would have the exact same effect more consistently
(i.e. in a way that's not easily evaded by GPU/FPGA/ASIC acceleration and
doesn't punish normal users).

------
kabacha
A lot of "bot protection" systems have javascript proof of work (like
cloudflare) which is just laughable. It has come to the point where you have
to add a delay on proof of work solution since your bot solves it much faster
than an average user would.

The anti-bot bullshit needs to stop. Put some verification or hard captchas
around sensitive pages like login, but don't fucking blanket everything under
recaptchas and proof-of-work nonsense - your website turns into hot garbage
that no one enjoys using.

Here in SEA captchas and anti-bot protections pretty much ruin the web in PC
bangs. reCaptcha is the fucking worst and renders the web completely unusable.
If I go play some video games I play more of "find that storefront" than the
video game that I came to play. Some places are wising up and installing a bunch
of browser extensions to prevent/solve captchas automatically, but those don't
work for program-embedded captchas.

------
psychometry
I'd strongly recommend switching to a more standard typeface for your
site/page. One with better letter spacing.

------
camgunz
Great idea, down with captchas!

Can you do this asynchronously? It does take a long time, but I only noticed
because I clicked on something and waited for something to happen. If you
start PoW on page load (perhaps save success result in localstorage) then
probably even 30 seconds of processing isn't bad at all.

------
herpderperator
I just tried it. I noticed the CPU on my i9 MBP went from 65C (idle) to 99C
for at least 20 seconds. The fan turned on. It felt like it was mining
bitcoins in my browser. I'm not sure I like this solution due to how long it
takes and how many resources it consumes, wasting battery life.

------
surds
About 12-13 seconds on a top-of-the-line Mac. I'd say that is slow. Besides, I
don't really have much of a problem with Google's CAPTCHA.

~~~
t0astbread
But other people have. Privacy-minded individuals seem to be _mostly_ okay
with v2 but v3 crosses the line in terms of tracking for many.

------
diegoperini
There is nothing wrong with captchas.

There is something wrong with the fact that you can't host one as easily as
consuming a black box API from Google.

------
ape4
Should tell them that their thing is also a CAPTCHA.

~~~
jszymborski
Not really... it's more of a rate-limiting mechanism than a Turing test.

It's only really efficient for computers to solve hash functions, and not
humans.

------
tptacek
POW schemes make sense as an anti-abuse mechanism, triggered on rate limits.
They don't make much sense as captcha replacements.

------
badrabbit
I like recaptcha...if only they made it less annoying. Like a quick
interactive webgl game instead of picking out pics.

------
1mbsite
I’ve tweaked difficulty to be easier. Start the difficulty off at 1 and
increase when necessary. It should be faster now as a result. It also starts
the process on page load now so it’s (hopefully) done by the time somebody is
done filling out the form.

------
joobus
You should target a class, not an id. What if there is more than 1 form on the
page?

------
nailer
It didn't work three times, then I realised the button shaped green thing with
high contrast under 'click here to blah' wasn't the actual button and the low
contrast paragraph was the button.

------
pulkitsh1234
basically hashcash
([https://en.wikipedia.org/wiki/Hashcash#How_it_works](https://en.wikipedia.org/wiki/Hashcash#How_it_works))?

------
pictur
Is it really hard to make a good alternative to recaptcha?

~~~
hn_throwaway_99
Yes.

There have been other analyses of recaptcha before, but it is an _incredibly_
detailed, complex piece of software.

"Old school" captchas (i.e. have a human do something that is difficult for a
computer) are getting more and more useless because there aren't many quick,
easy tasks left that almost all humans can do that few computers can do, and
they are vulnerable to mechanical turk farms.

So Google's approach now is basically they know so much about your average
user (especially your average Chrome user) that it is very difficult for a bot
to affordably "replicate" this user behavior over time. The downside is, of
course, that Google knows so much about you.

Any proof-of-work scenario like this is pretty much doomed to fail, because it
will be slowest on consumer devices (i.e. phones) and fastest on dedicated bot
farms with rows of GPUs/ASICs designed to solve the problems.

~~~
aabbcc1241
If you have an incentive for the hacker to control a farm of bots to send you
some coins, it's not too bad, huh?

------
jonas21
This seems like an excellent way to guarantee that all of your users will be
bots.

------
VMG
tl;dr they use a POW (with low difficulty)

