
Proof of work system.

Require your clients to perform some amount of computation to do a request.

Something like this: https://www.npmjs.com/package/work-token



I know blockchain and PoW is the thing to talk about right now, but if you think about it, client-side PoW is kind of a bad system. The whole point of such a system (PoW or captcha) is to increase the cost for the attacker to do the attack, so rather than $0.00000001/request (if you're renting a Russian botnet or something), it costs a bit more, hopefully more enough that it's not worth it for the attacker to continue. A quick search on Google says that recaptcha2 solvers can be obtained for $0.003/solve, which makes the cost per attack $0.003. On the other hand, the PoW is much lower. Let's assume most of your visitors have a dual core system, and you require 30 seconds of PoW to log in. A dual core ec2 instance (c5.large) can be rented for $0.096/hour. At 30 seconds per solve, it can generate 120 solutions, for a final cost of $0.0008 per attempt. So in this case, going with the captcha solution is clearly the better solution as it costs almost 4x as much per attempt. There's a bunch of other factors not accounted for that make PoW worse:

* Native code can almost certainly run faster than JavaScript code, even if you're using WebAssembly. In my experience JS cryptominers operate at around half the speed compared to their native counterpart on the same machine

* The attacker can leverage GPUs to compute solutions hundreds of times faster than what your users can

* Users have to wait 30 seconds before they can log in. You can generate the key while the user's filling in the form to shave off a few perceived seconds, but that will result in a sluggish login form

* Users with slow CPUs (i.e. anything slower than what's in a c5.large) will take even longer to generate a solution. This is especially problematic for people on smartphones

* Users might think that your site's high CPU usage is because you're running a cryptominer on your site!


> which makes the cost per attack $0.003. on the other hand, the PoW is much lower.

If your attacker isn't even paying for the resources they use, such as from botnets or borrowed, then your attack value has gone out of the window. If the individual attack is free to the attacker, then you're left with time. PoW guarantees a time value. If a single PoW is too cheap, then ask for more values.


>native code can almost certainly run faster than javascript code

What if you write it in Electron though?


> Someone who wishes to abuse your API by sending large numbers of requests would then need to spend large amounts of time computing the work tokens.

Someone who wishes just to abuse your API with no intention to actually log in will just flood you with reams of requests to obtain new work tokens without executing any of them.

So you're back to regular rate limiting, etc.
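An added example (not from the thread or from the work-token package) of the hashcash-style scheme the top comment proposes, written so that the objection above about flooding the token endpoint is addressed: the server binds each challenge to a client identifier and expiry with an HMAC instead of storing it, so issuing a challenge costs one HMAC and nothing in memory, and verifying a solution costs one HMAC plus one SHA-256 no matter how much work the client did. The server key, client identifier, difficulty and TTL values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-example-key-replace-me"  # placeholder; load from secret storage
DIFFICULTY_BITS = 20   # leading zero bits required; ~2^20 SHA-256 calls expected per solve
TTL_SECONDS = 60       # how long a challenge stays valid


def issue_challenge(client_id, now=None, key=SERVER_KEY):
    """Stateless challenge 'nonce.expiry.tag'. The server keeps no record of it,
    so a flood of challenge requests costs the server one HMAC each and no storage."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    expiry = str(int(now) + TTL_SECONDS)
    tag = hmac.new(key, f"{client_id}.{nonce}.{expiry}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{nonce}.{expiry}.{tag}"


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest (the hashcash difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client side: brute-force a counter until SHA-256(challenge:counter) has `bits` leading zeros.
    Raising `bits` is the 'ask for more values' knob; each extra bit doubles the expected work."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter


def verify(client_id, challenge, counter, now=None, bits=DIFFICULTY_BITS, key=SERVER_KEY, spent=None):
    """Server side: constant cost. Checks the HMAC binding, the expiry, the proof, and
    (if a `spent` set is supplied) that this challenge has not already been redeemed."""
    now = time.time() if now is None else now
    try:
        nonce, expiry, tag = challenge.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{client_id}.{nonce}.{expiry}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected) or now > int(expiry):
        return False
    if leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        return False
    if spent is not None:           # replay protection: entries can be dropped once expired
        if challenge in spent:
            return False
        spent.add(challenge)
    return True
```

Note that a solution is only as expensive as the slowest legitimate client can afford; the thread's cost comparison applies unchanged, and the `spent` set still has to be bounded by the TTL.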


I use single salt SHA256 hashing for all HTTP login.

https://github.com/tinspin/rupy/blob/master/src/se/rupy/http...

It's secure and solves this problem too.


How does it solve this problem? A single SHA-256 isn’t a significant amount of work.


You can just loop it to require more CPU. Dynamically even!

So it solves this problem AND it's secure! No brainer.

But you can keep using HTTPS if you want.


Does this actually run fast enough in browsers to be useful?



