Closed php4fan closed 4 weeks ago
Hi, thanks for reaching out!
You can find a technical explanation of how the puzzles work here: https://github.com/FriendlyCaptcha/friendly-pow
You are right that these puzzles alone don't stop bots but are a way to slow them down. To make it harder for bots we scale the puzzle difficulty based on a number of risk signals that take many factors into account. This way users will usually be able to pass the puzzle in a few seconds while bots will need a lot more time and resources.
So basically all the puzzle does is make sure a certain amount of time has to pass. It has no role whatsoever in distinguishing humans from bots (because both will run javascript and eventually solve the puzzle). Other factors distinguish humans from bots and give easier (i.e. faster) puzzles to supposed humans, and harder (i.e. slower) puzzles to supposed bots. Am I correct?
So what one really wants to know to decide whether the library is worth using, is how you distinguish bots from humans in the first place.
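As an added illustration of the exchange above, not code from Friendly Captcha or friendly-pow (which has its own puzzle format and hash function): a minimal hash-based proof-of-work showing the two properties discussed, that verification costs the server one hash while solving costs the client about 2**bits hashes, and that a risk score only changes how many bits are required. The sha256 choice, the risk-to-bits mapping, the 8-byte nonce and the constructed challenge are assumptions for this example.

```python
import hashlib
import secrets
import time
from typing import Optional

HASH_BITS = 256  # sha256 output width; the real library uses a different hash (assumption: sha256 here)


def difficulty_bits(risk: float, base_bits: int = 10, extra_bits: int = 8) -> int:
    """Map a risk score in [0, 1] to required leading zero bits.
    Each additional bit doubles the expected number of hashes the solver must try."""
    risk = min(max(risk, 0.0), 1.0)
    return base_bits + round(risk * extra_bits)


def make_puzzle(risk: float, challenge: Optional[bytes] = None) -> dict:
    """Server side: a random challenge plus a difficulty derived from risk signals."""
    return {
        "challenge": challenge if challenge is not None else secrets.token_bytes(16),
        "bits": difficulty_bits(risk),
    }


def _digest_int(challenge: bytes, nonce: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest(), "big")


def verify(puzzle: dict, nonce: int) -> bool:
    """Server side: a single hash, whatever the difficulty."""
    if not isinstance(nonce, int) or nonce < 0 or nonce >= 2**64:
        return False
    return _digest_int(puzzle["challenge"], nonce) >> (HASH_BITS - puzzle["bits"]) == 0


def solve(puzzle: dict) -> int:
    """Client side: brute force. Any JS engine, human-driven or not, can run this;
    the only thing it buys is the time spent on roughly 2**bits hashes."""
    nonce = 0
    while not verify(puzzle, nonce):
        nonce += 1
    return nonce


def expected_hashes(puzzle: dict) -> int:
    return 2 ** puzzle["bits"]


if __name__ == "__main__":
    for risk in (0.0, 0.5, 1.0):  # low, medium and high risk signal
        p = make_puzzle(risk)
        t0 = time.perf_counter()
        n = solve(p)
        print(f"risk={risk:.1f} bits={p['bits']} ~{expected_hashes(p)} hashes "
              f"nonce={n} solved in {time.perf_counter() - t0:.3f}s verify={verify(p, n)}")
```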
I'm looking at the documentation at https://docs.friendlycaptcha.com/ and, before I try it out, I wanted to understand how it works.
The only explanation I found is - wait, now I can't even find it anymore - oh, here it is:
That explains nothing, that's just using the "crypto" buzzword to make it sound like magic.
How does solving a crypto puzzle help verifying that the user is human? Why can't a bot solve the crypto puzzle the same way as the user's browser does? What stops the piece of code that runs on the client side that solves the crypto puzzle from running on a bot's javascript engine?