Bitcoin Forum
Poll
Question: Would you like to wait for proof-of-work CPU mining instead of completing CAPTCHA?
Yes, < 5 sec on average PC - 2 (20%)
Yes, 20 sec on average PC - 2 (20%)
Yes, 1 minute on average PC - 0 (0%)
No, CAPTCHA is better - 6 (60%)
Total Voters: 10

Author Topic: Implement proof-of-work CPU altcoin mining instead of CAPTCHA  (Read 255 times)
CPUCoinFan (OP)
Newbie
April 02, 2018, 03:48:34 PM
Last edit: April 02, 2018, 09:03:03 PM by CPUCoinFan
Merited by OgNasty (1)
 #1

There is captcha on login. It is here to protect the site from bots and bruteforcing. But it is annoying.

1. There is an option to replace it with proof-of-work mining of CPU-only altcoins. It will not be a trouble to normal users for one-time confirmation but will make DDOS/bruteforcing hard and expensive for attackers making many queries.

2. There should be an option to complete traditional captcha instead of mining if, for example, users have very weak hardware. But most users with good CPUs would better mine a bit than deal with annoying captcha.

3. Users should be able to set POW difficulty for their login. If a user uses a weak mobile device, has a strong password and does not fear bruteforce, he needs to set low difficulty. If a user wants to disable POW altogether and log in with captcha only, he could set a difficulty impossible for all of the modern supercomputers, and always use captcha.

4. Mining difficulty for a specific user (not the whole forum) should increase on every failed attempt by a failed-login multiplier (FLM). Users should also be able to set the FLM themselves. Say, initial difficulty is 1 second on an average PC and FLM is 2. 2nd attempt will take 2 seconds, 8th will take a minute and 100 attempts will take 2^100 seconds - ages.

5. If a user's account appears "locked" by increased POW difficulty after bruteforce, he should be able to use the captcha alternative, see the failed attempt list and (if he wants) reset the difficulty.

6. Note that all login attempts will give coins to the forum. Pity bruteforce attempts will give even more coins (remember FLM).

Main thread for the idea:
https://bitcointalk.org/index.php?topic=3240247.0

I hope admins will take it seriously.
jackg
Copper Member
Legendary
April 02, 2018, 04:16:05 PM
 #2

1. https://bitcointalk.org/index.php?topic=3240247.0 - Don't make multiple threads with the same issue.

2. That idea's bad. What if I want to log in on my phone? 1 minute of CPU mining on a good computer is about 10-60 on a good phone.

Also, you'd just get people putting more cpu power behind these attacks. AND, you get that ddos isn't done by people logging in right? It's just a large amount of network traffic, they're not all trying to login.

If you're going to try to get everyone's login data, that is mainly something that is done offline (obviously not going into specifics).
CPUCoinFan (OP)
Newbie
April 02, 2018, 04:30:32 PM
 #3

Quote
1. https://bitcointalk.org/index.php?topic=3240247.0 - Don't make multiple threads with the same issue.

2. That idea's bad. What if I want to log in on my phone? 1 minute of CPU mining on a good computer is about 10-60 on a good phone.

1. This thread is not about the proof-of-work confirmation mining idea itself (as the linked thread is) but about implementing it on the bitcointalk forum.

2. Yes, there should be an option to complete CAPTCHA instead of mining for weak hardware. Yes, 1 minute confirmation mining is too long, this difficulty should be set only if there is a DDOS/bruteforcer activity spike. Usually confirmation mining should take no more than a few seconds.

Quote
Also, you'd just get people putting more cpu power behind these attacks. AND, you get that ddos isn't done by people logging in right? It's just a large amount of network traffic, they're not all trying to login.

If you're going to try to get everyone's login data, that is mainly something that is done offline (obviously not going into specifics).

Yes, but there is CAPTCHA on login/sign up. The question is about giving an option of proof-of-work mining confirmation instead of completing it.

It will not only get more CPU power for attacks. It will make attackers mine coins for the forum!!!
Slava79
Member
April 02, 2018, 05:16:14 PM
 #4

Quote
There is CAPTCHA on login. It is here to protect the site from bots and bruteforcing. But it is annoying.

There is an option to replace it with proof-of-work mining of CPU-only altcoins

Why would anyone open its login for bots just because captcha is annoying for people? Do you imagine how high the hash-rate for the CPU-only coins, because the bot farms? And not everyone is using a really strong password, because humans etc.

I think switching to PoW instead of captcha would introduce huge vulnerability.

Building a JavaScript Smart Contracts Engine
Github | Site | Chat
CPUCoinFan (OP)
Newbie
April 02, 2018, 07:36:21 PM
 #5

Quote
There is CAPTCHA on login. It is here to protect the site from bots and bruteforcing. But it is annoying.

There is an option to replace it with proof-of-work mining of CPU-only altcoins

Why would anyone open its login for bots just because captcha is annoying for people? Do you imagine how high the hash-rate for the CPU-only coins, because the bot farms? And not everyone is using a really strong password, because humans etc.

I think switching to PoW instead of captcha would introduce huge vulnerability.

Every failed login attempt should increase difficulty. Say, the difficulty-increase multiplier is 2 (per one nickname). If the first attempt takes 1 CPU-second (default difficulty), 8th will take a minute and 100 attempts will take ages (imagine 2^100 seconds). Meanwhile the attacker's hashrate will work to fund Bitcointalk forum Grin

Cryptocurrencies themselves are based on a similar principle. They can theoretically be bruteforced (wallet's master key, cancel confirmed payment etc) but modern hardware can't do this in reasonable time.

I mentioned above that captcha should be preserved as a second option so that it could be used by a legitimate user if the difficulty increased after bruteforce attempts. Then the user should see how many failed attempts he had, what the password guesses were and be able to reset the difficulty.

Users should be able to set POW difficulty and difficulty increase multiplier (for failed attempts) by themselves. If a user does not like POW confirmation and wants to be logged in by captcha only, he should set difficulty impossible for all supercomputers of the world.
Joel_Jantsen
Legendary
April 02, 2018, 07:40:11 PM
 #6

I agree with you, captcha is quite annoying and there has to be a better solution. However, don't think CPU mining is the one.

There are a large number of people who access forum through their mobile devices. Does your mining idea work well with them? Being someone who is very very considerate about their privacy, why would I want any script on the website to utilise my CPU power? That opens to a lot of vulnerabilities.
Slava79
Member
April 02, 2018, 07:58:35 PM
 #7

Quote
There is CAPTCHA on login. It is here to protect the site from bots and bruteforcing. But it is annoying.

There is an option to replace it with proof-of-work mining of CPU-only altcoins

Why would anyone open its login for bots just because captcha is annoying for people? Do you imagine how high the hash-rate for the CPU-only coins, because the bot farms? And not everyone is using a really strong password, because humans etc.

I think switching to PoW instead of captcha would introduce huge vulnerability.

Every failed login attempt should increase difficulty. Say, the difficulty-increase multiplier is 2 (per one nickname). If the first attempt takes 1 CPU-second (default difficulty), 8th will take a minute and 100 attempts will take ages (imagine 2^100 seconds). Meanwhile the attacker's hashrate will work to fund Bitcointalk forum Grin


What if someone else with malicious intent increases difficulty for your nickname, intentionally making wrong attempts? Ooops, and in order to login you need to do a couple of giga-hashes. Or, if you wish, we can do it for you, for a small amount of ether... See how it works?

Building a JavaScript Smart Contracts Engine
Github | Site | Chat
CPUCoinFan (OP)
Newbie
April 02, 2018, 08:06:39 PM
 #8

Quote
I agree with you, captcha is quite annoying and there has to be a better solution. However, don't think CPU mining is the one.

There are a large number of people who access forum through their mobile devices. Does your mining idea work well with them? Being someone who is very very considerate about their privacy, why would I want any script on the website to utilise my CPU power? That opens to a lot of vulnerabilities.

1. Yes, users should be able to choose Captcha as alternative to POW mining for some cases like too slow devices. And they should be able to adjust
2. If you respect your privacy you should be concerned about Google's Cloudflare (collecting your IP at least), not about mining script "collecting" nothing but roughly estimated CPU power. BTW, captcha also works on scripts.
Quote
What if someone else with malicious intent increases difficulty for your nickname, intentionally making wrong attempts? Ooops, and in order to login you need to do a couple of giga-hashes. Or, if you wish, we can do it for you, for a small amount of ether... See how it works?

Again: users should be able to choose captcha as alternative to POW. They could do this in such cases.
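
The scheme argued over in posts #1 to #8, modelled as an added example (not code from any poster or from the forum software): per-account difficulty that doubles on each failed login (FLM = 2), with the captcha path as fallback and reset. SHA-256, the two bit limits and the `password_ok` flag are assumptions standing in for a CPU-only algorithm and the real password check.

```python
import hashlib
import os

BASE_BITS = 8    # assumed starting difficulty, in leading zero bits
MAX_BITS = 16    # assumed cap; past it only the captcha path is offered

def pow_ok(challenge, counter, bits):
    """True if SHA-256(challenge:counter) starts with `bits` zero bits."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve(challenge, bits):
    """Client side: try counters until one passes (about 2**bits hashes)."""
    counter = 0
    while not pow_ok(challenge, counter, bits):
        counter += 1
    return counter

class LoginThrottle:
    """Per-account PoW gate; FLM = 2 means one extra bit per failed login."""

    def __init__(self):
        self.failures = {}  # username -> failed logins since last reset
        self.pending = {}   # challenge -> (username, bits), single use

    def issue(self, user):
        """Return (challenge, bits), or None once the account is captcha-only."""
        bits = BASE_BITS + self.failures.get(user, 0)
        if bits > MAX_BITS:
            return None
        challenge = os.urandom(16).hex()
        self.pending[challenge] = (user, bits)
        return challenge, bits

    def login(self, user, challenge, counter, password_ok):
        """Verify the proof before the password; count failures per account."""
        issued = self.pending.pop(challenge, None)  # pop: a proof cannot be replayed
        if issued is None or issued[0] != user:
            return False
        if not pow_ok(challenge, counter, issued[1]):
            return False
        if not password_ok:  # stand-in for the real password check
            self.failures[user] = self.failures.get(user, 0) + 1
        return password_ok

    def captcha_reset(self, user, captcha_ok, password_ok):
        """Fallback path: solved captcha plus correct password resets difficulty."""
        if captcha_ok and password_ok:
            self.failures.pop(user, None)
        return captcha_ok and password_ok

def hashes_to_lock_out(throttle, user):
    """Wrong guesses by anyone raise the owner's difficulty; return the cost."""
    spent = 0
    while (issued := throttle.issue(user)) is not None:
        counter = solve(*issued)
        spent += counter + 1
        throttle.login(user, issued[0], counter, password_ok=False)
    return spent
```

`hashes_to_lock_out` puts a number on the objection in post #7: with doubling, the total work to push someone else's account to captcha-only is on the order of 2**(MAX_BITS + 1) hashes, after which the owner has to go through `captcha_reset`.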
jackg
Copper Member
Legendary
April 02, 2018, 08:12:09 PM
 #9

Quote
What if someone else with malicious intent increases difficulty for your nickname, intentionally making wrong attempts? Ooops, and in order to login you need to do a couple of giga-hashes. Or, if you wish, we can do it for you, for a small amount of ether... See how it works?

Again: users should be able to choose captcha as alternative to POW. They could do this in such cases.

That doesn't fix the issue though. They're then still going to have to use the captcha?
What if, at some point, the user who was using 50000 IP addresses returns to try to bruteforce the forum again and attack everyone's user accounts and makes it extremely difficult for everyone to log in without the captcha? Also, it'd use a lot of unnecessary CPU power to try to mine it - especially if they don't know how long they'd have to wait first.
Welsh
Staff
Legendary
April 02, 2018, 08:16:55 PM
 #10

We wouldn't want a rush of environmentalists that start to complain about how this forum is contributing to the decline of the environment now would we?

Quote
Again: users should be able to choose captcha as alternative to POW. They could do this in such cases.

Defeats the point then. They'll just continue using the very system they are using now and allowing people to login with their CPU would be nothing less than a gimmick.
CPUCoinFan (OP)
Newbie
April 02, 2018, 08:57:41 PM
 #11

Quote
What if someone else with malicious intent increases difficulty for your nickname, intentionally making wrong attempts? Ooops, and in order to login you need to do a couple of giga-hashes. Or, if you wish, we can do it for you, for a small amount of ether... See how it works?
Again: users should be able to choose captcha as alternative to POW. They could do this in such cases.
That doesn't fix the issue though. They're then still going to have to use the captcha?
What if, at some point, the user who was using 50000 IP addresses returns to try to bruteforce the forum again and attack everyone's user accounts and makes it extremely difficult for everyone to log in without the captcha? Also, it'd use a lot of unnecessary CPU power to try to mine it - especially if they don't know how long they'd have to wait first.

Attacking thousands of users and making it impossible for all of them to log in without captcha? This will give many coins to the forum!

Users will just log in with captcha and reset difficulty. They should be able to see what the failed password attempts were and laugh at how far they were from their real passwords (increasing difficulty will not allow many attempts, remember FLM).

Quote
We wouldn't want a rush of environmentalists that start to complain about how this forum is contributing to the decline of the environment now would we?

Aren't those environmentalists already okay with ASICs and GPU farms consuming electricity more than a middle-sized state? CPU-mined altcoins will save us from this.

Quote
Again: users should be able to choose captcha as alternative to POW. They could do this in such cases.
Defeats the point then. They'll just continue using the very system they are using now and allowing people to login with their CPU would be nothing less than a gimmick.

Spending CPU-time mining coins for the forum... is it not a charity? And what is the purpose? Just to make users use captcha again?
theymos
Administrator
Legendary
April 02, 2018, 09:06:47 PM
Merited by Jessy Mediola (3)
 #12

Using a PoW is something that I've thought about as an optional alternative to the captcha, though there's no need for it to actually do any altcoin mining.

Captcha-solving services charge about $0.003 per reCaptcha solve currently, so the computation cost to an attacker (not an average user) would have to be comparable to that. Certainly this makes SHA-x PoW impractical, as it would be far cheaper for an attacker using GPUs/ASICs and special code vs an ordinary user solving it via JavaScript on a CPU. Maybe cuckoo would work.

Another thing I've thought about is selling transferable blinded bearer certificates which could each be burned to solve 1 captcha.

But both of those would require significant development. If someone codes up the necessary libraries and end-user utilities, I would be very keen to use it on the forum, but I'm not going to create them (at least not anytime soon).

More realistically, I might sell one-time-use captcha-bypass codes at $3 per 1000 or something like that. This wouldn't be as flexible as blinded bearer certificates, but it might be sufficient.

Someone could right now write a userscript which integrates the forum captcha with a captcha-solving site. Some of them allow you to purchase captcha solves, solve captchas in exchange for credits (eg. solve on your computer and then use the credits on a mobile device), or transfer credits between accounts (eg. buy credits from other users). This is still not ideal from a privacy standpoint, of course.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
CPUCoinFan (OP)
Newbie
April 02, 2018, 09:36:55 PM
Last edit: April 02, 2018, 10:05:20 PM by CPUCoinFan
 #13

Quote
Captcha-solving services charge about $0.003 per reCaptcha solve currently, so the computation cost to an attacker (not an average user) would have to be comparable to that. Certainly this makes SHA-x PoW impractical, as it would be far cheaper for an attacker using GPUs/ASICs and special code vs an ordinary user solving it via JavaScript on a CPU

Oh, really? If a thousand users log in, you pay $3 to Google. There are many users, you pay too much!

This thread is about POW-mining of new ASIC/GPU-resistant coins, not Bitcoin! Algos like yescrypt, yescryptr16, yescryptr32 are mineable by CPU only. No way for attackers to use ASICs.

Furthermore, POW with mining coins like Koto, Yenten, WAVI will give the forum some coins! With my idea implemented you will yield coins instead of spending them.

Quote
Someone could right now write a userscript which integrates the forum captcha with a captcha-solving site. Some of them allow you to purchase captcha solves, solve captchas in exchange for credits (eg. solve on your computer and then use the credits on a mobile device), or transfer credits between accounts (eg. buy credits from other users). This is still not ideal from a privacy standpoint, of course.

So we need:
1. Javascript client-side miner for CPU-only algos. This depends mostly on coins' developers and communities.
2. Server-side scripts. This depends on server-side software.

I am not a professional Javascript or PHP coder but I hope this idea will attract the proper specialists.
gawer33
Jr. Member
April 03, 2018, 02:02:37 AM
 #14

I disagree, it's easier to mine with bots than to solve with captcha, this will make Bitcointalk more susceptible to bots. They will just buy more powerful hardware and they "can more easily" do whatever they want. Captcha is more complicated and can easily upgrade in case bots can do it.

STOP eating Oreo save the orangutans
https://www.orangutan.org.au/about-orangutans/orangutan-threats/