by potamic 1744 days ago
I think in the future servers will ask clients to solve a small computation. It could theoretically be incorporated into the handshake, and if it takes something like 100ms, human users would not notice but bot farms will feel the pinch. An additional benefit is that servers can monetise the computation, offsetting some of their costs.
5 comments
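A worked version of the handshake puzzle the post describes, added here as an example and not code from the post or from any project mentioned in the thread. The server issues a challenge (nonce, timestamp, difficulty) signed with an HMAC under a server-only key, the client brute-forces a counter whose SHA-256 hash has `difficulty` leading zero bits, and the server verifies with one HMAC and one hash without storing anything. The key `SERVER_KEY`, the `nonce:counter` hash input, the `max_age` window and the optional `seen` replay cache are all assumptions of this example.

```python
"""Stateless client-puzzle handshake (added example, not from the thread).
Server issues an HMAC-signed challenge, client burns CPU to find a counter
whose hash has N leading zero bits, server verifies with constant work."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-server secret kept only on the server (rotate it out of band).
SERVER_KEY = secrets.token_bytes(32)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def puzzle_hash(nonce: str, counter: int) -> bytes:
    """The hash the client must drive below the difficulty target (assumed format)."""
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


def _challenge_mac(key: bytes, nonce: str, ts: int, difficulty: int) -> str:
    # The MAC binds nonce, timestamp and difficulty, so the server keeps no state
    # and the client cannot lower the difficulty or hand back an old nonce.
    msg = f"{nonce}|{ts}|{difficulty}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(difficulty: int, now: Optional[int] = None,
                    key: bytes = SERVER_KEY) -> dict:
    """Server side: build a challenge the server does not need to remember."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    return {"nonce": nonce, "ts": ts, "difficulty": difficulty,
            "mac": _challenge_mac(key, nonce, ts, difficulty)}


def solve_challenge(challenge: dict, max_attempts: int = 1 << 26) -> int:
    """Client side: brute-force a counter; expected cost is about 2**difficulty hashes."""
    nonce, difficulty = challenge["nonce"], challenge["difficulty"]
    for counter in range(max_attempts):
        if leading_zero_bits(puzzle_hash(nonce, counter)) >= difficulty:
            return counter
    raise RuntimeError("no solution within max_attempts")


def verify_solution(challenge: dict, counter: int, now: Optional[int] = None,
                    max_age: int = 60, seen: Optional[set] = None,
                    key: bytes = SERVER_KEY) -> bool:
    """Server side: one HMAC, one hash, no lookup of stored challenges."""
    now = int(time.time()) if now is None else now
    expected = _challenge_mac(key, challenge["nonce"], challenge["ts"],
                              challenge["difficulty"])
    if not hmac.compare_digest(expected, challenge["mac"]):
        return False                      # forged or tampered challenge
    if challenge["ts"] > now or now - challenge["ts"] > max_age:
        return False                      # expired; bounds the replay window
    if leading_zero_bits(puzzle_hash(challenge["nonce"], counter)) < challenge["difficulty"]:
        return False                      # client did not do the work
    if seen is not None:                  # optional replay cache for the live window
        if challenge["nonce"] in seen:
            return False
        seen.add(challenge["nonce"])
    return True


def calibrate(difficulty: int) -> float:
    """Seconds one solve takes on this machine; use it to pick a ~100 ms difficulty."""
    start = time.perf_counter()
    solve_challenge(issue_challenge(difficulty))
    return time.perf_counter() - start


if __name__ == "__main__":
    for d in (12, 16, 18):
        print(f"difficulty {d:2d}: ~{2 ** d:>7d} hashes expected, "
              f"{calibrate(d) * 1000:7.1f} ms on this machine")
```

Each extra bit of difficulty doubles the client's expected work while the server's verification cost stays at one HMAC plus one hash, which is what makes the asymmetry useful. Two caveats the code makes visible: the challenge is only issued on a connection the server has already accepted, so it does nothing against floods that exhaust the TCP or TLS layer first; and because verification is stateless, a solved challenge is accepted again until `max_age` passes unless the `seen` cache (or binding the nonce to the connection) is used.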

Wouldn't bot farms just incorporate that as a "cost of doing business" and expand to absorb the computational load? After all, it's not like the bot farmers are paying to add more hardware.
Bot farms exist because they are cheap. You don't need to be perfect; ultimately one needs to adjust the cost of the handshake to ensure that it's higher than the average earnings of the farmer.

E.g.: the handshake can be made more expensive by choosing a "harder" function for the handshake and giving clients that behave "well" the possibility to reuse connections. Bots are penalised because they constantly have to make new handshakes.

But the economic incentives of a botnet are very different from those of a bot farm.

This was a mainstream idea when I was in CS school 12 years ago. There are creative alternatives too, eg. by requiring the client to complete a network scavenger hunt: https://people.cs.pitt.edu/~adamlee/pubs/2012/abliz2012ijas....
How much server resources are used before asking the client to do work? If they've got 100k clients, and each opens 100 TCP connections to your server, is your TCP stack or your load balancer going to fall over before you even start to do a TLS handshake?

Can you manage as many TLS handshakes as they can throw at you?

This does not help one bit with botnets. The problem of defending against botnets is not blocking many requests coming from each IP address, it's blocking requests coming from all those compromised devices. Those devices are perfectly capable of doing that computation.
We need something like anonymized identity. Something that can prove you are a human being, but without requiring your personal data.
Thumbprint reader that pricks you to make sure you bleed.