hashcash for account verification

[slingamn]

Email verification is a useful brake on DoS attacks, but it's not terribly hard to script a system where an attacker generates arbitrarily many distinct e-mail addresses from the same domain, then automatically submits the verification codes.

It would be interesting to use Hashcash or some more modern proof-of-work algorithm for verification codes. The problem would be of the form, "given your account name and registration time, compute additional bits to concatenate to them such that the memory-hard hash of the total string starts with n zeroes", where n is the configurable cost parameter.

[slingamn]

Users would have to either download oragono and run oragono hashcash to compute the proof of work, or go to oragono.io and run a JS implementation (that does the work on the client side).

[slingamn]

I think this would be a cool feature. E-mail verification is extremely painful to set up.

[slingamn]

A question here is whether to use the standard hashcash algorithm/conventions (allowing clients to use, e.g., the regular Debian/Ubuntu hashcash package), or do our own (so we could use a better hash function than SHA-1).

[slingamn]

Proof-of-work systems have the familiar problem that an attacker can get their hands on much more computational power than a legitimate user. For example, even with scrypt as the hash function, it seems that a GPU can do at least an order of magnitude more hashes per second than a CPU.

The goal here is just to control the number of abusive registrations that are possible before an administrator has time to intervene --- so why not just do that, add a throttle? (Let's also make it so that a client can't issue multiple NS REGISTER commands without disconnecting in between.)

[DanielOaks]

Makes sense, that throttle will be global yeah? Would make sense to be able to enable/disable/configure it in the config, for example if you're launching a brand-new net that's expected to have a lot of incoming users it'd be good to turn down/disable the global throttle.

[slingamn]

Deprioritizing in favor of #913.