by petu 11 days ago
> but unless you do PoW (which is also ecologically a nightmare)

Can you expand? I don't see a problem with some napkin math. A 5W load for 2 seconds is 0.002Wh (we have to let smartphones pass, and not by doing PoW for tens of seconds). 8 billion checks a day for a year = 8GWh.


I stand corrected. It's not a nightmare scenario (as it is for Bitcoin) - but I'm still of the opinion that "useless" computations should be avoided (as we should avoid having 10MB websites).

In any case, according to some napkin math done by Kimi 2.6 (which by itself is probably already consuming more than all of my PoW challenges for the upcoming 5 years) - the situation looks incredibly in favor of PoW: https://www.kimi.com/share/19e7ef40-a432-8912-8000-0000b4a71...

Which makes me wonder why CloudFlare isn't switching to this already

There's a saying that if an idea is stupid, but it works, it's not stupid.

If some computation is "useless" but it serves its purpose, it's not useless.

The reason why bitcoin network expends so much energy is down to tokenomics, not the system of PoW itself. At equilibrium we expect the power usage to be (blocks/hr) x (BTC/block) x ($/BTC) x (kWh/$), so it's a function of the BTC price and emission rate.

PoW in other context has way different driving factors. In this case, the marginal improvement of fetching the site again for AI bots isn't enough to cover the PoW cost. The PoW cost is outweighed by the net bandwidth cost of all the parties.

I mean coal power plants work, so building new ones is not stupid by that standard.

I think we have to expand the definition of stupid to include things that work but have net negative externalities. Not sure where PoW falls in that way of looking at things, but we should at least consider it.

(Thinking about it, Captcha is PoW, just theoretically work by the human)

Necroing this, but perhaps you might be interested in some sort of BOINC-like PoW scheme for websites. This was a distributed computing project originally known as SETI@home. It's not really practical for cryptocurrency PoW applications (despite its use in Gridcoin) due to the centralized nature of the challenge-response, but certainly more useful than captchas or hashes!
Because it doesn’t solve the problem of residential botnets.
The botnet operators will be incentivized to mine bitcoin instead of whatever they are doing.
Neither does fingerprinting.
The goal of Cloudflare’s fingerprinting is to detect whether a user agent appears to be a legitimate human. It’s not to identify human users across websites.
That is not a good excuse for requiring overly complicated and overly specific software.
It actually is. And to think it's not, means you don't understand what the benefit is.

Just because you've never been in a situation to care about the benefit they are offering, does not mean it's not valuable.

And the position "you need a good excuse to have overly specific software" is extremely strange.

Every HN thread is full of people who think webmasters should just pay through the nose to handle bot traffic to preserve the sacred rights of turbonerds to visit their website using Lynx on their toaster.
Why not? A PoW challenge doesn't whitelist botnets. If the dumb scraper makes only GET requests and doesn't solve the challenge, it doesn't matter how it connects, even if it's a perfectly hidden Tor exit node.
Because the work would be done by the compromised residential device. No botnet owner is going to care if their 100,000 rooted routers have to do a little more work. It's still "free" from their perspective.
If botnet owner allows RCE, the botnet will just change the owner.
Because you can't have both a difficulty with a reasonable page load time and a difficulty that stops bad actors. Attackers have stronger machines and are willing to wait as long as they need to.
8 billion checks per day sounds on the low end. I can imagine it being ten or a hundred times more. That still seems pretty fine though. On the other hand, it's hard to see that such a modest energy cost would dissuade any attacks.
> I can imagine it being ten or hundred times more

I don't think I average even 2 captchas a day being terminally online, so 10 across every soul in the world sounds way too much for me. (we're ignoring bots it's meant to deter?)

> it's hard to see that such a modest energy cost would dissuade any attacks.

It's not against targeted attacks, but scrapping.

And not about energy cost, but available compute power -- it requires scrapper to use browser with JS (or time commitment to reimplement PoW outside of JS), limits their request rate by CPU core count.

> I don't think I average even 2 captchas a day being terminally online, so 10 across every soul in the world sounds way too much for me. (we're ignoring bots it's meant to deter?)

You're mixing up checks, fingerprinting, and PoW with a captcha being triggered because those didn't pass. The less abnormal your setup is, the fewer captchas you'll get.

I agree with the rest of what you said.

Also I think you mean "scraper" and not "scrapper".