undefined | Better HN

0 pointsxg154y ago0 comments

No, the purpose of captchas has always been to distinguish bot users, no matter what kind of bot. If you don't mind bots but just want to protect against overuse, you can simply set up rate-limiting and be done.

0 comments

2 comments · 1 top-level

ncomplex4y ago· 1 in thread

I could be wrong, but wouldn't this system "front-load" rather than "back-load" the rate limiting? That is to say: if you rate limit requests globally, it affects all users if one user attempts to spam. On the other hand, this system slows each individual user down without affecting others directly.

xg15OP4y ago

Good point. I'm no expert, but I believe rate limiting systems typically use buckets that are partitioned by IP address or network segment or something similar. If there were just a single global bucket, an attacker could exploit the rate-limiter itself to cause a DoS, which is clearly not what the site wants.

But yeah, this seems like a way to archive something similar with potentially less complexity. (If you're willing to tolerate the wastefulness, which is still not cool in the age of climate change).

A challenge could be correctly invalidating a nonce. You don't want an attacker to reuse a previously solved puzzle for multiple requests - on the other hand, it's difficult to set up a good "time to live" for a nonce as you can't know in advance how much time a user would need to solve this nonce.

So I guess some global state to track recently "spent" nonces would be necessary.

j / k navigate · click thread line to collapse