
This isn't an attestation of personhood. This is attestation of access to a hardware module with certain properties. These are very different things. Obnoxiously different. Do any of the listed manufacturers implement any sort of rate limiting? If not, then it would be quite easy to set up a farm of yubikeys, and solve captchas for an arbitrarily low rate.

Also, what is the cost of a single one of these keys? If it's relatively high (say, $50 each), then this would keep out a large portion of the 4 billion people that cloudflare claims to be seeking to help. If relatively low, then it would enable a farm to be run quite cheaply, even with aggressive rate limiting on each key.

So this does not at all prove personhood, it proves access to money. In that sense, it is nearly identical to a proof of work system. The parallels are actually quite amusing. Recall the slogan "one computer, one vote", which was originally applied to bitcoin, until someone noticed that custom hardware could compute hashes orders of magnitude faster than a PC could. I can't see how this system will proceed any differently.

>With our current set of trusted manufacturers, this would be slower than the solving rate of professional CAPTCHA-solving services, while allowing legitimate users to pass through with certainty.

They are only considering speed, not price. Here is a captcha system for you: the site sends you a token. You wait K seconds. The token becomes valid. K is an adjustable parameter, so it can be made longer than whatever time it takes for captcha solving services to work.

>The very idea that we’re all wasting 500 years per day on the Internet — that nobody had revisited the fundamental assumptions of CAPTCHAs since the turn of the century — seemed absurd to us.

We aren't, and someone has. The majority of people don't fill out any captchas, ever. Google, in its great benevolence and wisdom, monitors their browsing habits. If it determines them to be reflective of a human, then when they click the recaptcha button, it will let them through without a hitch. A very small minority of users behave in ways that are suspect, such as by rejecting cookies, resetting their browsing history, or using tor. These are the users that face frequent captchas. Since they are a heavy minority of users, even if they solve ten captchas a day, it doesn't add up to anything near 500 years per day of captchas.




I use a VPN, so I solve like 5 captchas a day, at the cost of ~300 seconds. "500 years a day" means 500 x 365 x 24 x 3600 : 300 = 52mln VPN users. Totally feasible.


> until someone noticed that custom hardware could compute hashes order of magnitude faster than a pc could. I can't see how this system will proceed any differently.

Bitcoin is an open protocol that anyone can implement, so anyone can build and use faster mining hardware.

This is an open protocol, but with the added restriction that the hardware manufacturer needs to be approved by a trusted authority, and there is a cryptographic chain of trust from the device to the manufacturer to the trusted authority.

Someone could design a "bulk attestation device" which has 10,000 distinct device keys in a single device. But the trusted authority probably won't approve it. And if the hardware manufacturer tries to sneak it past them, they can always revoke the certificate. That's why the "specialised mining hardware" strategy that was so successful with Bitcoin may not work here.
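The two points raised in this thread, that the relying party verifies a chain from device key to manufacturer to trusted authority (and can revoke a manufacturer), and that without per-key rate limiting a farm of keys solves at will, can be shown together in one toy verifier. This is an added example, not Cloudflare's implementation or any vendor's attestation format: the certificates are stand-ins (a public key plus the issuer's Ed25519 signature over it), the challenge is a constructed nonce, and `MinGap` is an assumed per-key limit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Cert is a toy certificate: a public key plus the issuer's signature over it.
type Cert struct {
	Pub ed25519.PublicKey
	Sig []byte
}
// Verifier holds one trusted authority, revoked manufacturer keys, and a per-key rate limit.
type Verifier struct {
	Authority ed25519.PublicKey
	Revoked   map[string]bool      // manufacturer public keys whose certificate was revoked
	LastSeen  map[string]time.Time // last accepted attestation per device public key
	MinGap    time.Duration
}
// Attest checks authority -> manufacturer -> device -> challenge, rejects revoked
// manufacturers, and enforces MinGap between accepted uses of the same device key.
func (v *Verifier) Attest(mfr, dev Cert, challenge, sig []byte, now time.Time) bool {
	if v.Revoked[string(mfr.Pub)] || !ed25519.Verify(v.Authority, mfr.Pub, mfr.Sig) {
		return false
	}
	if !ed25519.Verify(mfr.Pub, dev.Pub, dev.Sig) || !ed25519.Verify(dev.Pub, challenge, sig) {
		return false
	}
	if last, seen := v.LastSeen[string(dev.Pub)]; seen && now.Sub(last) < v.MinGap {
		return false // key reused too soon: this bounds how fast any one key can solve
	}
	v.LastSeen[string(dev.Pub)] = now
	return true
}
// Scenario (constructed): first use, reuse 1s later, and use after the manufacturer is revoked.
func Scenario() (first, repeat, afterRevoke bool) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	mfrCert := Cert{mfrPub, ed25519.Sign(authPriv, mfrPub)} // authority certifies manufacturer
	devCert := Cert{devPub, ed25519.Sign(mfrPriv, devPub)}   // manufacturer certifies device
	v := &Verifier{authPub, map[string]bool{}, map[string]time.Time{}, 10 * time.Second}
	t0, challenge := time.Now(), []byte("constructed challenge nonce")
	sig := ed25519.Sign(devPriv, challenge)
	first = v.Attest(mfrCert, devCert, challenge, sig, t0)
	repeat = v.Attest(mfrCert, devCert, challenge, sig, t0.Add(time.Second))
	v.Revoked[string(mfrCert.Pub)] = true
	afterRevoke = v.Attest(mfrCert, devCert, challenge, sig, t0.Add(time.Minute))
	return first, repeat, afterRevoke
}
```

The revocation set is what makes a "bulk attestation device" fail once the authority pulls the manufacturer's certificate, and the per-key gap is what turns a farm of N keys into at most N solves per `MinGap`, rather than an unbounded rate.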


The price of certified keys is relatively high, which acts as a de facto internet license.

Keep in mind the median yearly household income in the world is $9,733 - meaning your average person will have to dedicate two days' pay to just bypass Cloudflare.


> Keep in mind the median yearly household income in the world is $9,733 - meaning your average person will have to dedicate two days' pay to just bypass Cloudflare.

You just confused households with people (as well as using a figure that is a decade out of date [2013 Gallup based on national data mixed from 2006-2012.])


You are right. I just quickly googled a number. But it is still a substantial price for some people in the US.




