Anubis Works

User experience and comparison to Cloudflare

  • People report proof-of-work times from ~0.5s to ~8s on modern phones, some much slower; most prefer this to interactive CAPTCHAs.
  • Several contrast it favorably with Cloudflare’s infinite CAPTCHA loops, though others note that Cloudflare problems often come from strict tracking protection or third‑party cookie blocking.
  • Some users are blocked entirely if they disable JS, which for static sites feels like needless “enshittification.”

Purpose: AI/bot scraping and abuse

  • Anubis is framed as defense against abusive, high‑volume scraping (especially LLM crawlers and poorly written bots), not against all bots or AI training per se.
  • Core argument: serving a page is cheap for the scraper and relatively expensive for the origin; PoW shifts some cost back to clients and deters “free‑riding at scale.”

Mechanics and claimed effectiveness

  • Browser solves a SHA‑256 PoW in JS, gets a JWT cookie bound to IP and time, valid about a week; sites can additionally rate‑limit per token.
  • Residential botnets and IP carousels defeat simple IP rate limiting; PoW + per‑token limits force either slower crawling or much higher compute spend.
  • Deployed examples (GNOME GitLab, SourceHut, private forge instances) report 90–97% bot traffic reduction.
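
The mechanics above as an added Go sketch, not code from Anubis or from the discussion: a SHA-256 proof of work that costs the server one hash to check, and a token tied to the client IP and an expiry time. The leading-zero-hex difficulty rule, the challenge string, the demo key and the HMAC-signed string standing in for the JWT are assumptions; per-token rate limiting is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var key = []byte("constructed-demo-key") // assumption: stands in for a random signing secret

// Valid is the server's check: one SHA-256, however long the client searched.
func Valid(challenge string, nonce, difficulty int) bool {
	sum := sha256.Sum256([]byte(challenge + strconv.Itoa(nonce)))
	return strings.HasPrefix(hex.EncodeToString(sum[:]), strings.Repeat("0", difficulty))
}

// Solve is the client's work: try nonces until the digest has `difficulty` leading zero hex digits.
func Solve(challenge string, difficulty int) (nonce int) {
	for !Valid(challenge, nonce, difficulty) {
		nonce++
	}
	return nonce
}

func mac(payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}
// Issue returns "<expiry>.<sig>"; sig covers the client IP and the expiry.
func Issue(ip string, exp time.Time) string {
	e := strconv.FormatInt(exp.Unix(), 10)
	return e + "." + mac(ip+"|"+e)
}
// Check recomputes sig from the IP seen on this request, so a token that is
// replayed from another address, altered, or past its expiry is rejected.
func Check(token, ip string, now time.Time) bool {
	e, sig, ok := strings.Cut(token, ".")
	exp, err := strconv.ParseInt(e, 10, 64)
	return ok && err == nil && now.Unix() < exp && hmac.Equal([]byte(sig), []byte(mac(ip+"|"+e)))
}

func main() {
	tok := Issue("203.0.113.7", time.Now().Add(7*24*time.Hour))
	fmt.Println(Solve("constructed-challenge", 3), Check(tok, "203.0.113.7", time.Now()))
}
```

Each extra hex digit of difficulty multiplies the client's expected work by 16, while the server's check stays at one hash.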

Limitations, bypasses, and arms race

  • Commenters note that big scrapers can already solve PoW at scale, or soon will (full browsers, GPU implementations, cookie farms), so it is viewed as a cost‑raising deterrent, not a hard block.
  • Some see it as “DRM for HTTP”: determined, well‑funded actors get through while ordinary users pay the UX and energy cost.
  • Current design hinders search engine indexing; maintainers treat that as an acceptable trade‑off.

JS, accessibility, and protocol-level ideas

  • JS requirement excludes no‑JS users, older browsers, niche setups, and some accessibility scenarios; a no‑JS mode is promised but not ready.
  • Several argue PoW should eventually move into the protocol stack (HTTP/TLS‑level challenges, GPU‑friendly formats) rather than per‑site JS hacks.

Alternative and complementary defenses

  • Other strategies discussed: classic rate limiting, ASN/IP‑range blocking, abuse reporting, requiring logins, or even telling bots to use BitTorrent.
  • Some propose human‑only schemes (custom questions, obfuscated fonts) but others point out accessibility, cryptanalysis, and OCR would still be issues.