
Managed Challenge

Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from one of the following rotating actions:

  * Show a non-interactive challenge page (similar to the current JS Challenge).
  * Present an invisible proof of work challenge to the browser.
  * Show a custom interactive challenge (such as click a button).
  * Show a CAPTCHA challenge.

This doesn't seem like the end of the road. Is this still gonna suck behind my corporate firewall?


I want to know more about

> Present an invisible proof of work challenge to the browser.

Obviously they're not going to be mining bitcoin, but what could they possibly be doing for "proof of work" that proves you're human?


I imagine this would be used in the case where the content doesn't care about human eyeballs, and just needs a semi-hard rate-limit.


Why is proof-of-work the best model for a rate limit? What's wrong with timers?


Not sure what the reasoning is, but off the top of my head: storing a timer per request is a non-trivial (and flat!) burden on the CF server, while proof-of-work puts a burden on the client proportional to how hard they're hitting it.


Do you not have to store the value to check the proof of work against?


Isn't usually verifying that a PoW solution is correct much less resource intensive than calculating the solution? And if the request format includes the challenge along w/ the solution, the server doesn't need to do any calculations until the user finishes the challenge. (A lot of this is implementation-dependent of course, but this is my high level understanding.)


The client could receive a signed problem to solve and then send it back with the answer. Any server could verify it.
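
The stateless scheme described in the last few comments (a signed challenge sent back together with its answer), sketched as an added example that is not part of the thread and not Cloudflare's implementation. The HMAC key, the SHA-256 hashcash-style puzzle, and the difficulty and expiry values are all assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: secret shared by every verifying server
DIFFICULTY_BITS = 12         # assumption: leading zero bits the hash must have
MAX_AGE = 120                # assumption: seconds a challenge stays valid

def _mac(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()

def _zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge: str, counter) -> int:
    return _zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest())

def issue_challenge(now=None) -> str:
    """Server: return 'nonce.timestamp.bits.mac'. Nothing is stored."""
    ts = int(time.time() if now is None else now)
    payload = f"{os.urandom(8).hex()}.{ts}.{DIFFICULTY_BITS}"
    return f"{payload}.{_mac(payload).decode()}"

def solve(challenge: str) -> int:
    """Client: brute-force a counter, about 2**bits hashes on average."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while _work(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge: str, counter, now=None) -> bool:
    """Any server holding SERVER_KEY: one HMAC and one hash, no lookup."""
    try:
        nonce, ts, bits, mac = challenge.split(".")
        payload = f"{nonce}.{ts}.{bits}"
        ts, bits = int(ts), int(bits)
    except ValueError:
        return False  # malformed challenge string
    if not hmac.compare_digest(mac.encode(), _mac(payload)):
        return False  # forged or tampered, e.g. client lowered the difficulty
    now = time.time() if now is None else now
    if not 0 <= now - ts <= MAX_AGE:
        return False  # expired: bounds how long a solved challenge can be reused
    return _work(challenge, counter) >= bits
```

Because nothing is stored, a solved challenge can be replayed until it expires; rejecting reuse inside that window requires the server to remember seen nonces, which is the state the earlier question about storing the value asks about.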



