Cap: Lightweight, modern open-source CAPTCHA alternative using proof-of-work

Concept & Background

  • Cap uses client-side proof-of-work (PoW) as a “CAPTCHA alternative,” but many commenters stress it’s really a rate limiter, not a human/bot discriminator.
  • The idea predates cryptocurrencies (Hashcash is cited) and inspired Bitcoin; this is seen as a return to that original PoW-for-abuse-control concept.

Threat Model & Effectiveness

  • Intended benefit: add a small per-request cost that is negligible for a human but ruinous at scale for large crawlers, spam, or bot farms.
  • Supporters note that even small extra costs or delays can kill the economics of large scraping operations.
  • Critics argue:
    • It doesn’t stop targeted attacks or low-volume bots; it only hurts generic large-scale abuse.
    • The real cost per challenge is likely tiny (far less than cents), making many abuse categories still profitable.
    • Attackers can use GPUs/ASICs/FPGAs to solve SHA-256 PoW far faster and cheaper than user devices, repeating crypto’s hardware-inequality problems.
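To make the cost asymmetry concrete, here is an added Hashcash-style challenge/solve/verify round trip in Python; it is an illustration written for this summary, not Cap's own protocol or code, and the message layout (`challenge:counter`), the HMAC tag and the replay set are assumptions. It shows why commenters call this a rate limiter: the client spends about 2**bits hashes, the server spends one, and nothing in the check distinguishes a human from a script that simply pays.

```python
import hashlib
import hmac
import os

# Client must find a counter such that SHA-256(challenge ":" counter) has `bits`
# leading zero bits. Server verifies with one hash; client needs ~2**bits on average.

def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n

def make_challenge(secret: bytes, bits: int) -> dict:
    """Server: issue a random, HMAC-tagged challenge so the client cannot forge one or lower `bits`."""
    challenge = os.urandom(16).hex()
    tag = hmac.new(secret, f"{challenge}:{bits}".encode(), hashlib.sha256).hexdigest()
    return {"challenge": challenge, "bits": bits, "tag": tag}

def solve(challenge: str, bits: int) -> int:
    """Client: brute-force the counter. Expected work doubles with every extra bit."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter

def verify(secret: bytes, chal: dict, counter: int, seen: set) -> bool:
    """Server: authenticate the challenge, reject replays, then check a single hash."""
    expected = hmac.new(secret, f"{chal['challenge']}:{chal['bits']}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, chal["tag"]):
        return False          # forged challenge or tampered difficulty
    if chal["challenge"] in seen:
        return False          # a solved challenge must not be reusable
    digest = hashlib.sha256(f"{chal['challenge']}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < chal["bits"]:
        return False          # work not done
    seen.add(chal["challenge"])
    return True

if __name__ == "__main__":
    secret, seen = b"constructed-demo-secret", set()   # constructed key; use random bytes in practice
    chal = make_challenge(secret, 16)
    answer = solve(chal["challenge"], chal["bits"])
    print(verify(secret, chal, answer, seen), verify(secret, chal, answer, seen))  # True False
```

A deployment would also expire challenges after a short window rather than keeping `seen` forever, and would pick `bits` per endpoint, since the same difficulty that costs a phone a fraction of a second costs a GPU farm far less.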

PoW vs Traditional CAPTCHA

  • Several comments stress that PoW doesn’t determine “human vs bot,” so branding it as a CAPTCHA is seen as misleading.
  • For protecting single endpoints (e.g., “curl to CreatePost”), critics say this “lets all traffic through, just slower,” unlike CAPTCHAs that can outright block.
  • Some suggest simple delays or standard rate limiting might address similar abuses without client CPU work.

Energy, UX, and Accessibility

  • Concerns raised about battery drain, CO₂ impact, and “invisible mode” feeling like covert cryptomining.
  • Others argue the per-challenge energy is extremely small, dwarfed by normal browsing.
  • Accessibility critique: requires JavaScript; no provision for JS-disabled users, unlike some alternatives.

Law-Enforcement / Password-Cracking Paper Controversy

  • A linked white paper describes using PoW CAPTCHA-like systems to harness web users’ CPUs for law-enforcement password cracking.
  • Commenters find this “botnet for the feds” angle disturbing; some assume association with Cap, given the link from its site.
  • The project’s author responds that Cap does not send hashes anywhere, isn’t cracking passwords, and the paper was shared only as background; a clarification note was added.
  • Some remain uneasy, citing the bundled WASM binaries and the optics (logo, lack of initial disclosure); others accept the open-source code as sufficient reassurance.

Alternatives & Ecosystem

  • Other PoW CAPTCHA tools (Altcha, Anubis, Checkpoint) are discussed; some prefer them, especially for privacy or no-script support.
  • General frustration with Cloudflare CAPTCHAs motivates interest in PoW approaches.
  • Broader ideas include account systems tied to phone numbers or hardware attestation to solve Sybil problems, but these raise major privacy and usability concerns.