XEP-0158 has not been updated (in a major way) since late 2008, and ever
since then, all of the challenge types can be easily broken with a
neural network or ASICs/FPGAs/GPUs (for Hashcash). This makes
out-of-band CAPTCHA sites the only feasible method of fending off bots.
But requiring a user to visit a site to send a message or join a MUC
doesn't make it as seamless for them. Therefore the XEP should be
revamped in a way to still provide a seamless experience while also
providing security against modern attackers.

These are my suggestions in regards to this:

1) Deprecate OCR and recognition-based challenges and switch to more
interactive challenges (such as pointing to parts of a picture that
match a specified condition).

2) Add more Proof-of-Work algorithms and possibly deprecate Hashcash.
There should be a requirement for choosing candidate algorithms; we can
use Tor's requirements (from Equi-X's design notes) as an example:

1. The solution proof must be smaller than about 200 bytes.
2. Solution verification must be fast.
3. GPUs and FPGAs should not provide a large advantage for solving the
puzzle.

- https://gitlab.torproject.org/tpo/core/tor/-/blob/main/src/ext/equix/devlog.md

Unfortunately, the second requirement may disqualify Argon2 from being
used, due to its symmetry.
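As an added illustration of requirements 1 and 2 above (this is not code from the post, the XEP or Tor): a Hashcash-style puzzle with a pluggable cost function, where `hashlib.scrypt` stands in for Argon2 as a memory-hard, symmetric function (assumption: hashlib has no Argon2). The verifier always does exactly one evaluation, so verification is only fast when a single evaluation is cheap, which is the symmetry problem the post points at.

```python
import hashlib
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the Hashcash target)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def cost_fn(kind: str, data: bytes) -> bytes:
    if kind == "sha256":  # cheap per evaluation: Hashcash-style
        return hashlib.sha256(data).digest()
    # memory-hard stand-in for Argon2 (assumption): every evaluation is
    # expensive for solver AND verifier alike
    return hashlib.scrypt(data, salt=b"demo-salt", n=2**12, r=8, p=1, dklen=32)


def solve(kind: str, challenge: bytes, difficulty: int, max_attempts: int = 1 << 20):
    """Brute-force a nonce; returns (proof, evaluations) or (None, evaluations)."""
    for nonce in range(max_attempts):
        proof = nonce.to_bytes(8, "big")  # 8-byte proof, far under 200 bytes
        if leading_zero_bits(cost_fn(kind, challenge + proof)) >= difficulty:
            return proof, nonce + 1
    return None, max_attempts


def verify(kind: str, challenge: bytes, difficulty: int, proof: bytes) -> bool:
    """Verifier cost is exactly one cost_fn evaluation, whatever the kind."""
    if len(proof) != 8:
        return False
    return leading_zero_bits(cost_fn(kind, challenge + proof)) >= difficulty


def compare(challenge: bytes, difficulty: int) -> dict:
    """Solver evaluations and wall-clock verify time for both cost functions."""
    out = {}
    for kind in ("sha256", "scrypt"):
        proof, evals = solve(kind, challenge, difficulty)
        t0 = time.perf_counter()
        ok = verify(kind, challenge, difficulty, proof)
        out[kind] = {"ok": ok, "solver_evals": evals,
                     "verify_seconds": time.perf_counter() - t0}
    return out


if __name__ == "__main__":
    for kind, r in compare(b"constructed challenge id 42", 6).items():
        print(f"{kind}: {r['solver_evals']} solver evaluations, "
              f"verify {r['verify_seconds'] * 1e3:.2f} ms, valid={r['ok']}")
```

With the same difficulty the solver does a similar number of evaluations in both cases, but the scrypt verifier pays the full memory-hard cost for its single evaluation, which is what "solution verification must be fast" rules out.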