Re: PoW (Re: Attack research on HTTP/2 implementations)

On Fri Sep 3, 2021 at 11:54 AM UTC, Erik Aronesty wrote:
> > Proof of work ...

i pronounce the acronym PoW differently, "proof of waste". perhaps it's
not as wasteful if the computations are in the goldilocks zone, easy for
actual clients, difficult for malicious or fake clients. but we'd be
arguing matters of degree (how wasteful?) not kind (it's always wasteful.)

> assuming the attacker has non-infinite resources, a 10x increase in
> computation on the client during an attack results in a 10% increase
> in overall computation

attackers have elastic resources, they'll steal as much as they need. if
we try to stop them with proof of waste, they will use botnets as necessary
to waste as much as we demand. computation is not a rare or valuable asset.
i do not predict a goldilocks zone in the latency requirements for PoW
such that we can distinguish distributed vs. local computation by a client.

consider captcha, which tries to rely on human "computation". attackers
have at various times screen-scraped the captcha demand and shown it to a
user of some "free porn" site they operate, and then copied out the clicks
from that proxy-human, and used them to enter the original protected site.

security engineering is not the same as theory or whiteboarding. at a
minimum, it's necessary to understand the attacker's motives and
alternatives before targeting them for a cost you hope is "too high".

vixie

Received on Friday, 3 September 2021 15:41:35 UTC
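An added example, not code from the thread, putting numbers on the "no goldilocks zone" point above: a hashcash-style challenge/verify pair, the difficulty a server would need to cap a botnet of an assumed size, and what that same difficulty costs one honest client. The botnet size, hash rates and target request rate are assumptions chosen for illustration.

```python
import hashlib
import math


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one SHA-256 regardless of difficulty."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: brute-force a nonce so that SHA-256(challenge || nonce)
    starts with `difficulty` zero bits. Expected cost is 2**difficulty hashes."""
    nonce = 0
    while not verify(challenge, nonce, difficulty):
        nonce += 1
    return nonce


def difficulty_to_cap_botnet(bots: int, bot_hashes_per_s: float, target_rps: float) -> int:
    """Smallest difficulty that holds a botnet (bots * bot_hashes_per_s total
    hash rate) to at most target_rps solved challenges per second."""
    ratio = bots * bot_hashes_per_s / target_rps
    return math.ceil(math.log2(ratio)) if ratio > 1 else 0


def legit_seconds_per_request(difficulty: int, client_hashes_per_s: float) -> float:
    """Expected time one honest client spends per request at this difficulty."""
    return 2 ** difficulty / client_hashes_per_s


if __name__ == "__main__":
    ch = b"constructed-challenge"          # constructed sample challenge
    n = solve(ch, 12)
    print("nonce", n, "verifies:", verify(ch, n, 12))
    d = difficulty_to_cap_botnet(10_000, 1e6, 100)   # assumed figures
    print("difficulty", d, "honest client seconds/request:",
          legit_seconds_per_request(d, 1e6))
```

With the assumed 10,000 bots at 1 MH/s each, capping them to 100 requests/s needs difficulty 27, which costs an honest client at the same hash rate over two minutes per request.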