Files
cap/docs/guide/effectiveness.md
T

25 lines
2.2 KiB
Markdown
Raw Normal View History

2025-01-11 17:35:53 +00:00
# Effectiveness
2025-05-02 11:35:22 +01:00
Cap significantly reduces spam and abuse on websites and web apps. It won't stop _everything_ (no CAPTCHA is foolproof), however, it minimizes the potential for abuse by making it expensive. The main principle behind implementing a proof-of-work CAPTCHA like Cap includes **proving effort** instead of basic fingerprinting or solving puzzles to verify whether someone is human.
2025-01-11 17:35:53 +00:00
2025-04-27 11:39:35 +01:00
## Privacy & security
2025-01-11 17:35:53 +00:00
2025-05-02 11:07:29 +01:00
Cap doesn't use cookies or telemetry by default. No data is collected or stored in our servers.
2025-01-11 17:35:53 +00:00
2025-05-02 11:07:29 +01:00
By default, Cap's server library uses the following defaults:
- **Challenge storage:** Challenges are only stored in memory on the server to prevent tampering and expire after 10 mins
- **Token storage:** Only hashed tokens are stored persistently (in `.data/tokensList.json` by default) to validate user sessions, and they also expire (20 minutes by default).
2025-01-11 17:35:53 +00:00
2025-04-27 11:39:35 +01:00
## Why Proof-of-work?
2025-04-12 14:53:27 +01:00
2025-05-30 17:52:07 +01:00
Every CAPTCHA can eventually be solved, whether by AIs, algorithms or humans paid via CAPTCHA farms — this results in an endless cat-and-mouse game between attackers and defenders. The crucial difference lies in the _cost_ imposed on attackers.
2025-04-12 14:53:27 +01:00
2025-05-02 11:07:29 +01:00
Cap's goal is to make automated abuse expensive while keeping the experience fast and virtually invisible for real users. PoW is a perfect balance for this issue, stopping abuse by requiring computational effort rather than relying solely on human verification methods that bots continuously learn to mimic.
2025-04-12 14:53:27 +01:00
2025-05-02 11:07:29 +01:00
Imagine sending 10,000 spam messages costs $1, potentially earning $10 a profitable venture. If Cap increases the computational cost so that sending those messages now costs $100, the spammer loses $90. This eliminates the financial incentive.
2025-04-27 11:39:35 +01:00
For a deeper dive into the technical aspects, you might find [this research paper](https://www.researchgate.net/publication/374638786_Proof-of-Work_CAPTCHA_with_password_cracking_functionality) useful (note that cap doesn't send **any** hashes to any external servers and cap is not used by law enforcement, the whitepaper is more about the technical background).
2025-05-31 14:13:02 +01:00
You can also look into [Hashcash](https://www.researchgate.net/publication/2482110_Hashcash_-_A_Denial_of_Service_Counter-Measure), the original proof-of-work system that inspired Cap and that powers Bitcoin.