[hashcash] Re: Hashcash for Blogs

Mitch Denny wrote:

Hi there,

I've been reading the materials relating to Hashcash over the last few days
and seeing how the technique could be applied to protecting blogs from
comment spam.

I've made a post about it over here:
http://notgartner.com/posts/572.aspx

If any of you have advice/comments please feel free to reply here or in the
comments of the post referenced above.

BTW, I've been reading the archives for this list and there is some really
interesting discussion in there!

Interesting application. I had figured out a protocol for using hashcash with SMS, IM, and VoIP but never thought about blog comments.


As you suggested, the protocol would do something like:

Comment response delivers stamp resource and required bit size. Since HTTP transactions are stateless, it would be wise to encode the bit size in the resource using some technique like HMAC. This encoding will protect you against spammers forging their own, smaller bit size. You'll end up with a rather large resource but quite frankly, we really don't care for a variety of reasons. Stamp engine starts calculating stamp and on submit, delivers stamp etc.

Unlike most other hashcash contexts, there are precious few opportunities for background stamp generation. If you use the "brute force/bloody ignorance" approach and generate stamps on "submit", users will get cranky. If you try to generate stamps on pressing the comment button (or more likely on receipt of the comment page), you have the challenge of delaying submission until the stamp calculation is done. Personally, I do not know enough about the Java/browser environment to know whether or not it is possible to run one thread generating a stamp and use the results of that thread on activation of the submit button.

Although, as I think about it, as a proof of concept technique, this submit button hook might not be such a bad place to start. Again, I have only had very little experience with Java stamp generators and would recommend starting with lapo's stamp engine.

From a human factors perspective, I think you'll need to warn the user that they are doing this work as an antispam technique so that someone making a quick comment (i.e. "get your green cards here") will know that they will need to wait for the stamp to complete before submission. It'll take some careful language to reduce the offense potential.

I would also caution you to try and run as fast a stamp generator as possible because the spammers will, and any performance differential between what spammers can run and your customers can run is not in your favor. Which raises the ever popular question: is it possible to use a native hashcash from a browser?

I also suggest timing out resources. Somewhere after something like a five-minute limit, the resource becomes invalid. The reason I'm thinking of this is it will force spammers to serialize any attempts to bypass without having too much of an impact on ordinary users.

---eric
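
The stateless resource described in the reply above, as an added example that is not part of the original message: the server binds the bit size and issue time into the resource with an HMAC, then checks the MAC, the five-minute limit and the work on submit. The function names, the `bits:issued:nonce:mac` layout, HMAC-SHA256 and the simplified SHA-1 stamp (not the real hashcash stamp format) are assumptions made for illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: server-side secret, never sent to clients
MAX_AGE = 300                # seconds; the five-minute limit suggested above

def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_resource(bits, now=None):
    """Resource delivered with the comment form: bit size, issue time, nonce, MAC."""
    now = time.time() if now is None else now
    payload = f"{bits}:{int(now)}:{os.urandom(8).hex()}"
    return f"{payload}:{_mac(payload)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(resource, counter):
    return leading_zero_bits(hashlib.sha1(f"{resource}:{counter}".encode()).digest())

def mint(resource):
    """Client side: search for a counter that meets the bit size in the resource."""
    bits = int(resource.split(":")[0])
    counter = 0
    while _work(resource, counter) < bits:
        counter += 1
    return counter

def verify(resource, counter, now=None):
    """Server side: returns 'ok' or the reason the submission is rejected."""
    now = time.time() if now is None else now
    try:
        bits, issued, nonce, mac = resource.split(":")
        bits_i, issued_i = int(bits), int(issued)
    except ValueError:
        return "malformed"
    payload = f"{bits}:{issued}:{nonce}"
    # Constant-time compare on bytes; fails if bit size or timestamp was altered.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return "bad-mac"
    if now - issued_i > MAX_AGE:
        return "expired"
    return "ok" if _work(resource, counter) >= bits_i else "insufficient-work"
```
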

