Prevent form spam using in-browser proof-of-work

30-8-2014

Automated bots abuse comment forms to put advertisements on websites. Traditional CAPTCHAs prevent spam by exploiting the fact that computers cannot solve a particular problem easily, and that humans who can solve them are scarce, expensive or slow (but available in the regular use case). Proof of work, by contrast, exploits the fact that computational resources are scarce. While non-spamming users will typically have the resources to perform the computation once in reasonable time, spammers will have difficulty finding the resources to compute the many proofs of work required to submit their spam to many different places. By requiring a ‘proof of work’ from the client before accepting any data, spammers are thus effectively blocked.

The WebPoW page is a proof of concept of using Web Workers to calculate a so-called ‘proof of work’. A proof of work is a solution to a mathematical problem that can only be solved by trial and error; showing that you have found the solution is proof that you have performed a certain amount of computation (in reality, sometimes you ‘get lucky’ and find a solution fast, and sometimes it takes much longer; the average amount of work required, however, can be decided upon in advance). In this case, the mathematical problem is to find a value that, when hashed with a cryptographically strong hash, ends in a predefined number of zeroes. Because of the properties of cryptographic hashes, it is only possible to find such a value by brute force, which requires calculating a hash for each value that is tried.

After a client has generated a proof of work, it is submitted to the server along with the request (e.g. the comment to be posted). The server then verifies whether the proof of work is valid by calculating a single hash of the proof of work and checking whether the hash ends in the required number of zeroes. If the proof is valid, the server allows the request to move forward.

Proofs of work can be used to combat form spam and, more generally, in any scenario that requires limiting or equally distributing a scarce resource among a large group of (possibly malign) users. For instance, they can be used to prevent crawling of a website (by requiring an increasingly difficult proof of work for each page requested).

Technical details

The WebPoW proof of concept is written in JavaScript and runs in all modern browsers. By using Web Workers, the proof of work computation is performed in the background in standard browsers, while efficiently utilizing the available computing power. This demo will attempt to spawn four worker threads (most browsers seem to be able to saturate four cores with this).

Get the code: WebPoW on GitHub