Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
<p>This script shows that rate limiting can be passed off to the client. </p>
<p>This is extremely advantageous on a network like TOR where normal rate-limiting and utilities like Fail2Ban will not work as every connection is indistinguishable.</p>
<h2>Proof of work demo</h2>
<p>Once the number is factored into it's constituent primes, the submit button is enabled. The recieving script can use the primes much the same as a captcha.. just stop doing useful work unless the user proves something; in this case, that they spent at least a few seconds factoring a prime</p>
<p>Use admin/password for the demo.</p>
// Never tell the user wether the prime or the password failed. This effectively stops bruteforce attempts and hampers automated signups on hidden services
$error_message = "There was an error.";
//If we've saved primes and they sent primes, check them
if(isset($_POST['prime']) && $_SESSION['primes']){
//If they're valid, great! Keep processing the login.
if($_POST['prime'] == $_SESSION['primes'] ){
//Don't ever do this IRL.
$credentials = array('admin'=>md5('password'));
if(md5($_POST['pass']) === $credentials[$_POST['user']]){
echo 'Welcome! You\'d likely get redirected at this point.';
else echo $error_message;
else echo $error_message;
else {
// Use way more primes. Like, WAY more primes. Ideally save a few million in a db and use a SQL query to get them at random. This is portable and works good enough for a demo.
$primes = array(42920617,42920623,42920641,42920651,42920653,42920681,42920687,42920701,42920741,42920743,42920819,42920827,42920863,42920879,42920887,42920897,42920909,42920929,42920939,42920951,42920953,42920959,42920989,42921001,42921023);
$a = $primes[mt_rand(0,count($primes)-1)];
$b = $primes[mt_rand(0,count($primes)-1)];
$primes = array($a, $b);
$_SESSION['primes'] = $primes[0].','.$primes[1];
// Include a login script. I've included one inline.
<form method="post">
<input type="text" name="user" id="user" value ="" placeholder="Username"><br>
<input type="password" name="pass" id="pass" value ="" placeholder="Password" ><br>
<input type="hidden" name="prime" id="prime" value ="<?php echo $a * $b ?>" >
<input type="submit" id="submit" value="Factoring primes..." disabled></input>
function factors(num)
n_factors = [],
//skip 1...
for (i = 2; i <= Math.floor(Math.sqrt(num)); i += 1)
if (num % i === 0)
if (num / i !== i)
n_factors.push(num / i);
n_factors.sort(function(a, b){return a - b;}); // numeric sort
return n_factors;
// Ideally we'd do this AFTER the DOM is fully loaded.
var result = factors(document.getElementById('prime').value);
document.getElementById('prime').value = result;
document.getElementById('submit').value = 'Submit';
document.getElementById("submit").disabled = false;
<?php } ?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.