    Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 14-Apr-2025 22:30:34 JST

    Proposals for using zero knowledge proofs computed by client executed JavaScript that determine if a website visitor is a bot have been made. Seems like known-good data could be replayed with minor perturbations to the proving function?

    Am I just having "salary depends on not understanding" issues?

    • bo0tzz (bo0tzz@fosstodon.org)'s status on Tuesday, 15-Apr-2025 00:10:19 JST

      @ryanc I believe you're talking about tools like Anubis - the challenge depends on a nonce set by the server, right?

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 15-Apr-2025 00:10:19 JST
      in reply to
      • bo0tzz

      @bo0tzz no, not like Anubis - proof of work is different

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 15-Apr-2025 01:26:25 JST
      in reply to
      • Luna R
      • bo0tzz

      @lunarood @bo0tzz yes, that sort of thing

    • Luna R (lunarood@mastodon.gamedev.place)'s status on Tuesday, 15-Apr-2025 01:26:26 JST
      in reply to
      • bo0tzz

      @ryanc @bo0tzz Do you mean stuff like zkSENSE or Cloudflare CAP?

      The former explicitly leaves data authenticity outside the threat model, making it pretty much entirely useless, as you pointed out (it's not even a secret... the paper says as much).

      The latter seems to rely on hardware authentication.

      Though I didn't look into the details much, because tbh I'm not particularly interested in these approaches, as they are either entirely useless or tied to specific trusted OEMs.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.