Steve Atkins via mailop <mailop@mailop.org> writes:
>> On May 10, 2019, at 10:50 AM, Leo Gaspard via mailop <mailop@mailop.org> 
>> wrote:
>> Laura Atkins via mailop <mailop@mailop.org> writes:
>>> For victims of listbombing, COI isn’t an answer. In fact, much of the 
>>> problem with listbombing is COI mail.
>>> 
>>> How do you propose to address that issue?
>> 
>> Captchas are a way to force the malicious subscriber to spend human or
>> computer time breaking it (if captchas can be broken).
>> 
>> As a consequence, it might make sense to just accept it is the case and
>> require a javascript-generated proof of work before accepting the
>> subscription.
>> 
>> This way the amount of computer time required can be more easily
>> modulated, and the human is not faced with a hard-to-answer captcha -- I
>> don't know how you feel, but as a user I'd much rather have my computer
>> spin for a few tens of seconds before sending the form (especially as it
>> can happen at the same time as I fill it) than have to fill in a
>> captcha.
>
> Bad people have access to much more, and much cheaper, compute resource
> than good people.
>
> There are other things wrong with your suggestion but that's
> a simple thing to think about first. It also generalizes to many other
> poorly thought through "just use proof of work to solve email problems!"
> ramblings.

I hope you didn't assume I was saying it's a good idea. I was *only*
saying it was a better idea than captchas, as an answer to Laura's
question.

And I stand by this statement: the effect on bad people is approximately
the same as the one captchas have (well… maybe a bit less efficient when
the captcha is strong enough to require a captcha relaying attack?
but I'm used to failing to answer those captchas as a human too anyway,
so might as well have a 10min proof of work…), and the effects on good
people are much, much less painful than the ones captchas have.

Basically, captchas are a POW for malicious actors, and a dice the user
rolls for the normal user. When computers were unable to do basic OCR,
they were a good idea. Nowadays, the user gets more pain than the
malicious actors, for whom even a 1/10 success rate is enough to get lots of
forms through without questions.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
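
The proof-of-work gate for a subscription form discussed in this thread, as an added example that is not part of the thread or any poster's code. It assumes a hashcash-style SHA-256 puzzle and an HMAC-signed stateless challenge; the function names, the challenge format, the 10-minute lifetime and the difficulty policy are all hypothetical.

```javascript
// Added example (Node.js): stateless hashcash-style proof of work for a signup form.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SERVER_KEY = randomBytes(32);   // assumption: secret known only to the server
const TTL_MS = 10 * 60 * 1000;        // assumption: a challenge is valid for 10 minutes

// Hypothetical policy: raise the cost as one source keeps requesting subscriptions.
const difficultyFor = (recentRequests) => Math.min(16 + 2 * recentRequests, 28);

const sha256 = (s) => createHash('sha256').update(s).digest();
const sign = (bits, expiry, salt, email) =>
  createHmac('sha256', SERVER_KEY).update(`${bits}.${expiry}.${salt}.${email.toLowerCase()}`).digest();

function leadingZeroBits(buf) {
  let n = 0;
  for (const byte of buf) {
    if (byte !== 0) return n + Math.clz32(byte) - 24;  // clz32 counts in a 32-bit word
    n += 8;
  }
  return n;
}

// Server: the challenge carries its own difficulty and expiry, authenticated by an HMAC
// that also covers the address, so it cannot be reused for a different subscriber.
function issueChallenge(email, bits, now = Date.now()) {
  const expiry = now + TTL_MS, salt = randomBytes(8).toString('hex');
  return `${bits}.${expiry}.${salt}.${sign(bits, expiry, salt, email).toString('hex')}`;
}

// Client: search for a counter whose hash has `bits` leading zero bits (about 2^bits tries).
// A browser would run this loop in a worker while the form is being filled in.
function solve(challenge) {
  const bits = Number(challenge.split('.')[0]);
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(sha256(`${challenge}:${counter}`)) >= bits) return counter;
  }
}

// Server: one HMAC and one hash to check; `seen` is a Set of already-spent salts.
function verify(email, challenge, counter, seen, now = Date.now()) {
  const parts = challenge.split('.');
  if (parts.length !== 4) return 'malformed';
  const [bits, expiry, salt, mac] = parts;
  const given = Buffer.from(mac, 'hex'), expected = sign(bits, expiry, salt, email);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 'bad-mac';
  if (now > Number(expiry)) return 'expired';
  if (seen.has(salt)) return 'replayed';
  if (leadingZeroBits(sha256(`${challenge}:${counter}`)) < Number(bits)) return 'insufficient-work';
  seen.add(salt);
  return 'ok';
}
```

Each extra bit of difficulty doubles the expected client work while the server's check stays at one HMAC and one hash.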
