- From: Paul Vixie <paul@redbarn.org>
- Date: Fri, 03 Sep 2021 15:41:20 +0000
- To: "Erik Aronesty" <erik@q32.com>, "Nick Harper" <ietf@nharper.org>
- Cc: "Erik Nygren" <erik@nygren.org>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Martin Thomson" <mt@lowentropy.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Fri Sep 3, 2021 at 11:54 AM UTC, Erik Aronesty wrote: > > Proof of work ... i pronounce the acronym PoW differently, "proof of waste". perhaps it's not as wasteful if the computations are in the goldilocks zone, easy for actual clients, difficult for malicious or fake clients. but we'd be arguing matters of degree (how wasteful?) not kind (it's always wasteful.) > assuming the attacker has non-infinite resources, a 10x increase in > computation on the client during an attack results in a 10% increase > in overall computation attackers have elastic resources, they'll steal as much as they need. if we try to stop them with proof of waste, they will use botnets as necessary to waste as much as we demand. computation is not a rare or valuable asset. i do not predict a goldilocks zone in the latency requirements for PoW such that we can distinguish distributed vs. local computation by a client. consider captcha, which tries to rely on human "computation". attackers have at various times screen-scraped the captcha demand and shown it to a user of some "free porn" site they operate, and then copy out the clicks from that proxy-human, and use them to enter the original protected site. security engineering is not the same as theory or whiteboarding. at a minimum, it's necessary to understand the attacker's motives and alternatives before targeting them for a cost you hope is "too high". vixie
Received on Friday, 3 September 2021 15:41:35 UTC