Introducing mCaptcha net

Posted October 19, 2023 by Aravinth Manivannan ‐ 2 min read

Last Edited October 21, 2023

mCaptcha uses a Proof-of-Work (PoW) based algorithm to offer Denial-of-Service protection, because of its excellent accessibility characteristics. PoW within mCaptcha is configurable: webmasters can configure difficulty factors for their installations, which determine the waiting time for visitors. But PoW can become inaccessible if webmasters choose a very high difficulty factor. So they have to maintain a balance that imposes sufficient load on DDoS attackers while remaining accessible to common folk.

To help webmasters correctly configure difficulty factors, we are building a feedback loop which would gather performance statistics from voluntary mCaptcha installations and make them available to other mCaptcha installations. The performance statistics can be used by all mCaptcha instances to automatically optimize an installation. We are calling this the mCaptcha net.

Participation is optional

Participation in the mCaptcha net is disabled by default and is optional as it has privacy implications: it will reveal the existence of an mCaptcha instance.

The admins of mCaptcha instances can choose to upload truly anonymous PoW performance statistics to a number of mCaptcha/survey instances. The data uploaded is public and so is accessible to all mCaptcha instances.

We also offer opt-in controls at installation level:

Add sitekey form on the mCaptcha dashboard with a checkbox for anonymously publishing performance statistics. It is not checked by default.

Ensuring anonymity

mCaptcha doesn’t fingerprint its users. Performance parameters include:

  1. Time taken to generate PoW
  2. The difficulty factor for which the PoW was computed
  3. Type of client library used.

    "time":14,
    "difficulty_factor":50000,
    "worker_type":"wasm"

This doesn’t include the usual fingerprinting parameters like User-Agent, cookies, and IP address. Additionally, we use pseudo IDs at both mCaptcha/mCaptcha and mCaptcha/survey to avoid exposing installations.
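
A sketch of how a receiving service could enforce the three-field record described above, as an added example that is not mCaptcha's or mCaptcha/survey's own code: it rejects any upload carrying extra keys such as a User-Agent, then computes the median time per difficulty factor and worker type. The function names, the `worker_type` pattern and the sample uploads are assumptions made for this example.

```python
import json
import re
from statistics import median

# Field names and types are taken from the sample record on this page.
ALLOWED_FIELDS = {"time": int, "difficulty_factor": int, "worker_type": str}
# Assumption: worker_type is a short lowercase token, never free-form text.
WORKER_TYPE_RE = re.compile(r"[a-z0-9_-]{1,16}")


def parse_record(raw):
    """Parse one record; raise ValueError unless it has exactly the three fields."""
    record = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(record, dict) or set(record) != set(ALLOWED_FIELDS):
        raise ValueError("record must be an object with exactly the allowed fields")
    for name, kind in ALLOWED_FIELDS.items():
        value = record[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, kind):
            raise ValueError(f"{name} must be {kind.__name__}")
    if record["time"] < 0 or record["difficulty_factor"] < 1:
        raise ValueError("numeric field out of range")
    if not WORKER_TYPE_RE.fullmatch(record["worker_type"]):
        raise ValueError("worker_type is not a short token")
    return record


def summarize(raw_records):
    """Return ({(difficulty_factor, worker_type): median time}, rejected count)."""
    buckets, rejected = {}, 0
    for raw in raw_records:
        try:
            rec = parse_record(raw)
        except ValueError:
            rejected += 1
            continue
        key = (rec["difficulty_factor"], rec["worker_type"])
        buckets.setdefault(key, []).append(rec["time"])
    return {key: median(times) for key, times in buckets.items()}, rejected

# Constructed sample uploads: three valid records and three that must be dropped.
SAMPLE = [
    '{"time":14,"difficulty_factor":50000,"worker_type":"wasm"}',
    '{"time":18,"difficulty_factor":50000,"worker_type":"wasm"}',
    '{"time":25,"difficulty_factor":50000,"worker_type":"wasm"}',
    '{"time":14,"difficulty_factor":50000,"worker_type":"wasm","user_agent":"ExampleBrowser/1.0"}',
    '{"time":"14","difficulty_factor":50000,"worker_type":"wasm"}',
    'not json',
]
```

Rejecting a record with unexpected keys, rather than silently dropping the extra keys, makes a misconfigured or modified uploader visible in the rejected count.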

A screenshot of a tmux window with logs of mCaptcha/mCaptcha and mCaptcha/survey showing both of them talking to each other
mCaptcha/mCaptcha uploading performance statistics to a mCaptcha/survey instance

Status

We now have performance statistics uploads to mCaptcha/survey instances working. Pull request mCaptcha/mCaptcha#92 added the ability for mCaptcha to upload statistics to mCaptcha/survey instances, and mCaptcha/survey#40 enabled survey to process the uploaded data. We will soon build a self-tuning algorithm within mCaptcha to use this data and optimize installations automatically.
