<metaname="description"content="Introducing mCaptcha, a kickass CAPTCHA systems that gives (DDoS) attackers a run for their money. Oh and UX is great too!">
<metaname="twitter:title"content="Say hello to mCaptcha">
<metaname="twitter:description"content="Introducing mCaptcha, a kickass CAPTCHA systems that gives (DDoS) attackers a run for their money. Oh and UX is great too!">
<metaname="twitter:site"content="@">
<metaname="twitter:creator"content="@">
<metaproperty="og:title"content="Say hello to mCaptcha">
<metaproperty="og:description"content="Introducing mCaptcha, a kickass CAPTCHA systems that gives (DDoS) attackers a run for their money. Oh and UX is great too!">
<p><small>Posted May 26, 2021 by <aclass="stretched-link position-relative"href="/contributors/aravinth-manivannan/">Aravinth Manivannan</a> ‐ <strong>2 min read</strong></small><p>
<pclass="lead">We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?</p>
<p>At mCaptcha, we believe in digital freedom and privacy and so we built a
<ahref="https://en.wikipedia.org/wiki/Proof_of_work">proof-of-work</a> based
CAPTCHA system that doesn’t track. Seriously, no tracking. But that
isn’t the killer feature, our system doesn’t require the user to
pick cars or ID sidewalks — our system does it’s thing(usually
at the click of a button) and gets out of the way.</p>
<h2id="how-does-it-work">How does it work?</h2>
<p>mCaptcha uses SHA256 based proof-of-work(PoW) to rate limit users.</p>
<p>When a user wants to do something on an mCaptcha-protected website,</p>
<ol>
<li>
<p>they will have to generate proof-of-work(a bunch of math that will
takes time to compute) and submit it to mCaptcha.</p>
</li>
<li>
<p>We’ll validate the proof:</p>
</li>
</ol>
<ul>
<li>if validation is unsuccessful, they will be prevented from accessing
the destination website</li>
<li>if validation is successful, read on,</li>
</ul>
<olstart="3">
<li>
<p>They will be issued a token that should be submit along with the
request/form to the destination website.</p>
</li>
<li>
<p>The destination website validates the submitted token with
mCaptcha before processing the request.</p>
</li>
</ol>
<p>The whole process is automated from the user’s point of view. All they
have to do is click on a button to initiate the process.</p>
<h2id="okay-but-what-about-bad-actors">Okay, but what about bad actors?</h2>
<p>mCaptcha makes interacting with websites (computationally)expensive for
the user. A well-behaving user will experience a slight delay(no delay
when under moderate load to 2-3 seconds when under attack; PoW difficulty is
variable) but if someone wants to hammer your site, they will have to do
more work to send requests than your server you will have to do to respond
<li><strong>Resistant to replay attacks:</strong> proof-of-work configurations have short lifetimes(30s) and can be used only once. If a user submits a PoW to an already used configuration or an expired one, their proof will be rejected.</li>
</ul>
<h2id="how-to-migrate">How to migrate?</h2>
<p>Our client libraries are mostly compatible with reCAPTCHA and hCaptcha.
A detailed guide will be published soon.</p>
<h2id="our-philosophy">Our Philosophy</h2>
<p>Man has has come so far only because our ancestors chose to
share their knowledge with others. If everything was labeled
intellectual property, we might still be stuck in Stone Age. The idea of
intellectual property is alien to us. For this reason, all of our source
code is freely available(both as in freedom and beers) at <ahref="https://github.com/mCaptcha/">our