by denysvitali 11 days ago
I stand corrected. It's not a nightmare scenario (as for Bitcoins) - but I'm still of the idea that "useless" computations should be avoided (as we should avoid having 10MB websites).

In any case, according to some napkin math done by Kimi 2.6 (which by itself is probably already consuming more than all of my PoW challenges for the upcoming 5 years) - the situation looks incredibly in favor of PoW: https://www.kimi.com/share/19e7ef40-a432-8912-8000-0000b4a71...

Which makes me wonder why Cloudflare isn't switching to this already.


There's a saying that if an idea is stupid, but it works, it's not stupid.

If some computation is "useless" but it serves its purpose, it's not useless.

The reason why bitcoin network expends so much energy is down to tokenomics, not the system of PoW itself. At equilibrium we expect the power usage to be (blocks/hr) x (BTC/block) x ($/BTC) x (kWh/$), so it's a function of the BTC price and emission rate.

PoW in other contexts has way different driving factors. In this case, the marginal improvement of fetching the site again for AI bots isn't enough to cover the PoW cost. The PoW cost is outweighed by the net bandwidth cost of all the parties.

I mean coal power plants work, so building new ones is not stupid by that standard.

I think we have to expand the definition of stupid to include things that work but have net negative externalities. Not sure where PoW falls in that way of looking at things, but we should at least consider it.

(Thinking about it, Captcha is PoW, just theoretically work by the human)

Necroing this, but perhaps you might be interested in some sort of BOINC-like PoW scheme for websites. This was a distributed computing project originally known as SETI@home. It's not really practical for cryptocurrency PoW applications (despite its use in Gridcoin) due to the centralized nature of the challenge-response, but certainly more useful than captchas or hashes!

Because it doesn’t solve the problem of residential botnets.

The botnet operators will be incentivized to mine bitcoin instead of whatever they are doing.

Neither does fingerprinting.

The goal of Cloudflare’s fingerprinting is to detect whether a user agent appears to be a legitimate human. It’s not to identify human users across websites.

That is not a good excuse for requiring overly complicated and overly specific software.

It actually is. And to think it's not, means you don't understand what the benefit is.

Just because you've never been in a situation to care about the benefit they are offering, does not mean it's not valuable.

And the position "you need a good excuse to have overly specific software" is extremely strange.

Every HN thread is full of people who think webmasters should just pay through the nose to handle bot traffic to preserve the sacred rights of turbonerds to visit their website using Lynx on their toaster.

I should think that there should be a better way (e.g. port knocking, instructions for manually correcting the URL that cannot easily be automated, additionally supporting alternative protocols, etc).

Why not? PoW challenge doesn't whitelist botnets. If the dumb scraper makes only GET requests and doesn't solve the challenge, it doesn't matter how it connects, even if it's a perfectly hidden Tor exit node.

Because the work would be done by the compromised residential device. No botnet owner is going to care if their 100,000 rooted routers have to do a little more work. It’s still “free” from their perspective.

If the botnet owner allows RCE, the botnet will just change the owner.

Because you can't have both a difficulty with a reasonable page load time and a difficulty that stops bad actors. Attackers have stronger machines and are willing to wait as long as they need to.
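
The mechanism the last few comments argue about, as an added example that is not part of the thread or of any project's code: a stateless hashcash-style challenge with server-side verification, plus the expected solve time at a given hash rate. The SHA-256 leading-zero-bits construction, `SERVER_KEY`, the field layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret

def leading_zero_bits(digest: bytes) -> int:
    n = 0
    for b in digest:
        if b:
            return n + 8 - b.bit_length()
        n += 8
    return n

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def _work(challenge: str, nonce: int) -> int:
    return leading_zero_bits(hashlib.sha256(f"{challenge}|{nonce}".encode()).digest())

def issue(client_id: str, bits: int, now: int) -> str:
    # Stateless: difficulty, client and issue time are bound by the HMAC tag.
    payload = f"{client_id}|{bits}|{now}"
    return f"{payload}|{_tag(payload)}"

def solve(challenge: str) -> int:
    # Client side: brute-force the first nonce that meets the difficulty.
    bits = int(challenge.split("|")[1])
    nonce = 0
    while _work(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge: str, nonce: int, client_id: str, now: int, ttl: int = 300) -> bool:
    # Server side: one HMAC and one hash, regardless of difficulty.
    try:
        cid, bits, issued, tag = challenge.split("|")
        bits, issued = int(bits), int(issued)
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), _tag(f"{cid}|{bits}|{issued}").encode()):
        return False  # forged or edited challenge, e.g. lowered difficulty
    if cid != client_id or not 0 <= now - issued <= ttl:
        return False  # replayed from another client, or expired
    return _work(challenge, nonce) >= bits

def expected_seconds(bits: int, hashes_per_sec: float) -> float:
    # Mean attempts to find `bits` leading zero bits is 2**bits.
    return 2 ** bits / hashes_per_sec
```

Each extra bit doubles the expected work for every client alike, so the ratio between a slow visitor's delay and a fast solver's delay is fixed by their hash rates, which is the trade-off the last comment raises.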