  @utxo the webmaster 🧑‍💻, a proposal for the WoT-Relays, to allow for newbies: CAPTCHA.

The idea would be: we add a page with a captcha and a place for the user to paste their npub. If they answer the captcha correctly, the user gets added to a whitelist for a limited time (say 24h).

If a user tries to access the relay and is neither in the whitelist nor in the WoT, the relay responds with both an "auth" request and a private message pointing to the URL of the captcha page.

When validating events, check for both WoT and whitelist.

If a user tries to abuse the captcha page (3 bad captchas in a minute, or 10 bad captchas in an hour), blacklist them and their IP address.
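As an added example (not from this thread or any relay implementation), a Python sketch of the gating logic proposed above: a 24h whitelist, a WoT check used when validating events, the "auth" plus DM response for unknown clients, and the 3-per-minute / 10-per-hour bad-captcha thresholds that blacklist both npub and IP. The captcha URL, WoT contents, npubs and IPs are constructed placeholders.

```python
import time
from collections import deque

WHITELIST_TTL = 24 * 3600                      # 24h, as proposed
CAPTCHA_URL = "https://relay.example/captcha"  # placeholder URL, constructed
FAIL_LIMITS = ((60, 3), (3600, 10))            # (window seconds, max bad captchas)


class Gatekeeper:
    """Admission control for a WoT relay with a captcha-backed whitelist."""

    def __init__(self, wot, now=time.time):
        self.wot = set(wot)       # npubs already in the web of trust
        self.now = now            # injectable clock, eases testing
        self.whitelist = {}       # npub -> expiry timestamp
        self.failures = {}        # npub or ip -> deque of failure timestamps
        self.blacklist = set()    # npubs and IPs that abused the captcha page

    def is_allowed(self, npub):
        """Event validation: accept if in the WoT or in the unexpired whitelist."""
        if npub in self.blacklist:
            return False
        exp = self.whitelist.get(npub)
        if exp is not None and exp <= self.now():
            del self.whitelist[npub]      # drop expired entry lazily
            exp = None
        return npub in self.wot or exp is not None

    def on_connect(self, npub):
        """Relay response for a client that is neither whitelisted nor in the WoT."""
        if self.is_allowed(npub):
            return None
        return {"auth": True, "dm": f"Solve the captcha at {CAPTCHA_URL}"}

    def _record_failure(self, key):
        t = self.now()
        q = self.failures.setdefault(key, deque())
        q.append(t)
        longest = max(window for window, _ in FAIL_LIMITS)
        while q and t - q[0] > longest:   # keep only the longest window
            q.popleft()
        for window, limit in FAIL_LIMITS:
            if sum(1 for x in q if t - x <= window) >= limit:
                self.blacklist.add(key)

    def submit_captcha(self, npub, ip, solved):
        """Captcha page handler: whitelist on success, count failures otherwise."""
        if npub in self.blacklist or ip in self.blacklist:
            return False
        if solved:
            self.whitelist[npub] = self.now() + WHITELIST_TTL
            return True
        self._record_failure(npub)
        self._record_failure(ip)
        return False
```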
Might be on to something here
why not "whitelist" the user by following them with a separate npub that is already in the wot, like a wot proxy npub?
elegant
I've actually considered doing that with my current relay, but ultimately haven't because I don't want to have to maintain a second contact list and not doing it is easier.
What does nostr think of this idea?

nostr:nevent1qqs8yu4puxn06vs8dmrv5mdp0wrfgkq00acj28chl3ta3hru3fljewgpzdmhxue69uhhwmm59e6hg7r09ehkuef0qgsrl7kr5my9n6423nwaktrsq2nwzzenal4e95p9k9826mu294jkv4crqsqqqqqpcj7lrd 
I think I like it
Replace the captcha with a difficult PoW, make it programmer friendly still. The PoW will be the means to disincentivize use.
it's easier for a spammer/scammer to hire PoW (an asic or a bunch of GPUs) to post his scams than for a regular user on a mobile phone. With the same PoW a user can generate on his phone in a feasible time, the spammer can post thousands or even millions of messages using a GPU or ASIC
Yeah, no.  You waaay underestimate how powerful modern devices are.  And, they have GPUs, too, you know. The difficulty will adjust.  The goal isn’t to wholly block the attempts - that’s impossible on an open server. It’s to impose costs and make the ROI not worth it.

The PoW need not just be a hash - there are a ton of techniques: URL relay races, guided tours, factoring… each imposes its own limitations. Just good old internet latency can reduce time-to-post with the guided tours.

And then, PoW necessarily requires that it be dynamic. The whole point is to monitor both connections to the relay AND server resources. If an attack may be occurring, the difficulty (or difficulties if doing a combo of techniques) goes up. 

If what you say is true, then PoW is effectively obsolete in all use-cases outside of consensus. Clearly, that’s not true - as evident by numerous papers and their math showing otherwise. 

And besides, the real goal isn’t to block it, but to no longer be the low-hanging fruit.

If everyone had to pay some sats to post, the spammer's number of posts WILL be reduced. If the spammer can be temporarily identified, the difficulty just for them can require a higher cost to post. If they can’t be identified, everyone’s costs go up. Rinse, repeat until the spammer finds a better target/platform/protocol.

I will submit that PoW is not a panacea and shouldn’t be used on its own, but it’s too powerful of a tool to dismiss with such obtuse statements.  “Millions” of times before a single phone can run a PoW? Really??? Have you even tried it? I have. Implemented in a large media application with 100s of millions of users that you might even use yourself. 
i was thinking about CAPTCHA. Would that work?

nostr:note1wfe2rcdxl5eqwmkxefk6z7uxj3vq7lm3y5030lzhmrw8eznl9jus7rxnc6