
proof of work really doesn't work well in practice. spammers have huge farms of compute, often on residential ips, and legit users are accessing the service from a device that is often power-constrained (like a phone). you end up either hugely penalizing legitimate users, or having to employ many of the standard antispam techniques (IP/ISP reputation, captcha, rate limiting etc) on top, so the proof of work adds a lot less incremental value.


It's not perfect, and you are right about the downsides. These resources that spammers have can be applied as easily to re/hcaptcha (either through ML or clickfarms). No CAPTCHA will actually lock out targeted attacks.

The difficulty increase per IP can be seen as a form of soft rate limiting, it's shared between all websites (which is where it's different from ordinary rate limiting). In the future we may use IP reputation lists to guide the initial difficulty too - but we haven't implemented that yet.

I think that no perfect captcha can exist, which is inherent to the problem. Proof of work makes different tradeoffs, and perhaps it is cheaper to attack still - I think it's a much more friendly solution for users though (accessibility, privacy, simplicity, fairness, UX).

Maybe in the future the solution would be something like this: a long PoW-based captcha that runs in the background as well as a vision task for the user, whichever gets solved first.
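
The per-IP difficulty increase described in the comment above, sketched as an added example (not part of the original thread and not the project's own code). It assumes a SHA-256 leading-zero-bits puzzle; the constants, the one-extra-bit-per-two-puzzles schedule and all names are hypothetical.

```python
import hashlib

BASE_BITS = 12   # assumed starting difficulty (leading zero bits required)
MAX_BITS = 24    # assumed cap so slow devices are not locked out entirely
WINDOW = 600.0   # assumed: a puzzle request stops counting after 10 minutes


class DifficultyTracker:
    """Per-IP difficulty, shared by every site that uses the service."""

    def __init__(self):
        self.recent = {}  # ip -> timestamps of recent puzzle requests

    def bits_for(self, ip, now):
        # Forget requests older than the window, then record this one.
        hits = [t for t in self.recent.get(ip, []) if now - t < WINDOW]
        hits.append(now)
        self.recent[ip] = hits
        # Each extra bit doubles the expected work: soft rate limiting.
        return min(BASE_BITS + (len(hits) - 1) // 2, MAX_BITS)


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def verify(challenge, nonce, bits):
    """Server side: one hash, no matter how hard the puzzle was to solve."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits


def solve(challenge, bits):
    """Client side: brute-force a nonce, about 2**bits hashes on average."""
    nonce = 0
    while not verify(challenge, nonce, bits):
        nonce += 1
    return nonce


if __name__ == "__main__":
    tracker = DifficultyTracker()
    for second in range(6):  # constructed traffic from a documentation IP
        bits = tracker.bits_for("203.0.113.7", float(second))
        nonce = solve(b"constructed-challenge-%d" % second, bits)
        print(second, bits, nonce)
```
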


I get re-captcha'ed all the time from the same IP. And if I don't use Chrome, the captcha count is like 4x-5x higher just for using Firefox.


That's why I have even stopped using Google services. If I literally have to get another browser to use your snowflake site, then why would I use your service anyway?


This reminds me of a similar solution I saw on PH last year, I think it's a great alternative for smaller websites that are less likely to be targets for spams/bots

But say, there's a website and it's a likely target, you implement IP protection, fine, the user uses residential proxies. Now your best bet is to go off fingerprinting, but there are marketplaces which sell those too in bulk.

Maybe I'm wrong, but wouldn't the best approach be to stick to human interaction puzzles, which are hard and don't have a set way to solve by a machine (for now)?


Bangladeshi click farms[0] are cheaper to use to bypass captcha than renting residential proxies to solve PoW. Also image captcha cannot scale automatically in difficulty (as an incident response) but PoW can (see how bitcoin adjusts with the miners)

[0] https://2captcha.com/


Just did the math from the numbers on their site and on average a "worker" doing captchas for them gets paid 0.2$/hour.

Adjusting based on average monthly salary in Bangladesh (157$) [1] and the US (4056$) [2] that would be similar to an American making 5.2$/hour which is surprisingly close to the current minimum wage in the US (7.25$/hour) [3]

So I guess this must be a fairly decent way to earn money if you're young/poor in Bangladesh...

[1] https://tradingeconomics.com/bangladesh/wages#:~:text=Wages%....

[2] https://www.thestreet.com/personal-finance/average-income-in...

[3] https://en.wikipedia.org/wiki/Minimum_wage_in_the_United_Sta...


5.2 is not close to 7.25. That's like 30% less than the minimum wage. Minimum wage itself is a massive struggle but 30% less is just plain offensive and dehumanising.

> So I guess this must be a fairly decent way to earn money if you're young/poor in Bangladesh...

Solving dumb captchas is never a fair or decent way to earn money, not when you are poor and definitely not when you are young. Creating living conditions for other human beings where they can be easily exploited and used for mindless degrading work such as solving dumb captchas is one of the most grotesque things of the 21st century.


It's a bit like locking your bike. That doesn't work against targeted attacks, but the presumptive thief is more likely to choose another bike that has a smaller or no lock.

The arms race is bad for everyone, in both examples, but the underlying problem is a fundamental one of misaligned incentives.



