ReCaptcha Alternative with Web Monetization

(Re)Captchas are annoying. It would be very nice if you never had to fill out another one if you were using Web Monetization. (The idea being that paying a little bit of money should be sufficient denial of service prevention that the website or CDN doesn’t actually need to know who you are to be confident that you’re not trying to DoS them.)

I can think of at least two (complementary) ways to build this:

  1. Create a script that automatically wraps the reCaptcha client-side JavaScript code and makes it so that code is never called if Web Monetization is detected and the user is paying (note this requires a client-side verifiable receipt, like what is being discussed in the #receipts channel on the Interledger slack). Website owners could insert this script into their pages alongside their reCaptcha code and avoid annoying users who are willing to pay.
  2. Create an anti-reCaptcha browser extension that automatically pays people (via Mechanical Turk or something like that) to fill out the reCaptcha for you. This has the advantage of not requiring anything from website owners but relies on seriously underpaid human work and might be too easily detected by Google.

Thoughts? Anyone interested in working on this?

1 Like

Does web monetization notify the website owner’s backend that the user is paying them? This would be necessary for solution number 1 to work because the way reCaptcha works, the website owner’s backend also checks that the client sent a valid reCaptcha token (which can only be verified once to prevent replay attacks). Otherwise, you could just write a browser extension that removes the reCaptcha JS code from the DOM. If the web monetization solution also sends verification tokens, those would need to be secured against replay attacks.

1 Like

Does web monetization notify the website owner’s backend that the user is paying them?

Currently you would have to self-host your payment pointer and match incoming requests against it. We are currently working on a spec for receipts that would allow websites to check payment status for sessions that have a third party hosting their payment pointer/wallet (which is pretty much all WM sites today).

@Bradon had some interesting thoughts where you could basically have the receipt act as a mini-account, and any requests to your website could draw against the balance paid. Which means you wouldn’t have to worry about replay attacks etc. Again, most of the stuff will occur server side and not client side.

@emschwartz
I really like the idea. The only trick would be to ensure that the WM amount received is sufficient to ensure the cost is sufficiently large to deter attacks from occurring.

1 Like

Primary option should be the 3rd-party hosted solution since reCaptcha is 3rd party (Google) hosted solution.

I can see a lot of parallels between the two.

reCaptcha:

  • Website Owner (WO) creates an account on Google, configures API key for reCaptcha
  • WO puts JavaScript on site that makes an API call to generate a reCaptcha challenge
  • Visitor “pays” Google by solving the reCaptcha challenge and gets a short-lived reCaptcha token
  • Visitor submits the reCaptcha token to WO as part of the request
  • WO makes API call to Google to verify token has not already been used nor expired

ILPtcha:

  • Website Owner (WO) creates an account with Web Monetization Provider (WMP)
  • WO puts JavaScript on site that makes an API call to generate an ILP invoice
  • Visitor sends ILP payment to WMP and gets back a token (maybe the fulfillment condition)
  • Visitor sends token to WO as part of the request
  • WO calls WMP to verify the token has not already been used nor expired. WMP sends ILP payment (minus fee) to the WO’s ILP address.

This ends up being a way to gate any API with micropayment tokens. Doesn’t matter if the client is a browser or server.

3 Likes

Ahh, it’s been a while. @emschwartz it’s a pretty good idea… here are my thoughts:

  • The implementation must be interactive, maybe! The main reason reCaptcha came into the picture is to remove robot calls, isn’t it? Maybe a pop-up interaction, like confirming a transfer or something, would be good! It might help us in determining human interaction.
  • I like the Idea of ILPtcha.