by kimburgess 1014 days ago
For this style of abuse mitigation I’m always surprised that HashCash [1] or similar simple, locally implemented proof of work mechanisms aren’t more common.

This can be implemented in a way that remains transparent (albeit via JS), poses little impact on ‘good’ users, but protects against a lot of traffic patterns that may be undesirable. The cost can be scaled to match infra capability and the challenge can be a combo of the request data and time. Valid windows for that time can then be synced with cache validity which removes the need to keep tabs on any state.

For those deeper in this space. What am I missing here that prevents this from being the norm?

[1]: http://www.hashcash.org/


It turns out some of the abusers are using 'botnets' of thousands of virus-infected home PCs. So they've got thousands of CPU cores available for proof-of-work challenges, legitimate residential IP addresses, and so on.

Meanwhile, plenty of the legitimate users are using 5 year old budget android devices, so you'd better not make that challenge too hard.

Yeah, there's lots of these floating around sometimes called "scraper service" or "residential proxy". Not sure if it's still around, but one of them enlisted machines by paying users to install a browser extension.
There was one famous free VPN service that worked like this. You install the addon, get a free VPN for a certain amount of traffic, and while your browser is open other people will be able to browse from your IP (and access your home network, of course!)

Making the browser deal with PoW challenges is only a small price to pay for what is practically a free VPN. It works great, until your entire home IP starts getting CAPTCHAs all the time, and because users don't know any better, they start blaming that darn Google/Cloudflare/Microsoft for claiming they're a bot.

I'd be a lot less concerned about more unnecessary captchas and more concerned about what kind of traffic VPN randos are piping in and out of my home IP address.

This could maybe work as a legit region blocking workaround service if the VPN only allowed connecting to popular streaming sites somehow. I don't think I'd trust it though.

That's the thing, most users didn't know they joined a botnet, they just thought they cheated the system by finding a free VPN.

I think there's some merit to the idea, especially for free VPNs, but you'd need a whitelist for things like streaming services and something to prevent abuse. Of course these companies were just interested in building out botnets, but it could be done somewhat okay if the right groups of pirates and streaming customers banded together.

The quote in the article says Turnstile does have proof-of-work (and space) challenges. But yes, I've similarly wondered years ago why people weren't more aware of this idea for spam control. Instead, people now invariably associate the term with cryptocurrency.