JavaScript Documentation

Hashcash

The point of a Hashcash implementation is to prevent form spam. I'm not sure what the benefit to spammers would be of using self-destructing notes, but nonetheless, I'm not really interested in entertaining it. Implementing Hashcash as a proof-of-work system is simple enough to deter most spammers.

The format of the token is as follows:

1:16:$date:$fingerprint::$nonce:$counter
  • 1: The version of the Hashcash token format.
  • 16: The number of bits that should be validated.
  • $date: The date the page was loaded.
  • $fingerprint: A hash representing the uniqueness of your browser.
  • $nonce: A randomly generated number.
  • $counter: A base36 number incremented until the token is valid.

Once the token is generated, the following steps take place:

  • The token is embedded invisibly into the form.
  • The client submits the form with the minted token.
  • Server verifies if the token is valid.
    • If valid, the form submits.
    • If not valid, the user is notified submission failed.
    • Tokens are stored server-side to prevent double-spending.

A minted Hashcash token generated by the client would then need to look something like this:

1:16:20140104:501550863::lefpClHgfZmo+RP+:1h7v

This is valid, because the SHA1 hash of the above token is:

000041cf0569217ec3e5f70cbefb7994837a8afb

which starts with 16 bits of leading zeros. The work is forced on the client, which inserts the token into the form. Even on modern hardware, minting should be computationally expensive for the client CPU, and could take up to a second or two to produce a valid token string. Verification of the token, however, is computationally cheap for the server.

The minting of the token should be done in the background while the user is typing the note in the form. Thus, when the submit button is pressed, no additional waiting is needed.
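
The mint-and-verify cycle described above, as an added example that is not the project's own code. It runs under Node.js with the built-in crypto module; the function names, the `spent` set and the same-day date check are assumptions made for illustration.

```javascript
// Added example, not the project's code. Token format from the page:
// 1:16:$date:$fingerprint::$nonce:$counter
const nodeCrypto = require("crypto");

const BITS = 16; // difficulty the server requires

function sha1(text) {
  return nodeCrypto.createHash("sha1").update(text).digest();
}

// Number of leading zero bits in a digest (Buffer of bytes).
function leadingZeroBits(digest) {
  let bits = 0;
  for (const byte of digest) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Client: bump a base36 counter until the SHA-1 has BITS leading zero bits.
function mint(date, fingerprint) {
  const nonce = nodeCrypto.randomBytes(12).toString("base64"); // no ":" in base64
  const prefix = `1:${BITS}:${date}:${fingerprint}::${nonce}:`;
  for (let counter = 0; ; counter++) {
    const token = prefix + counter.toString(36);
    if (leadingZeroBits(sha1(token)) >= BITS) return token;
  }
}

// Server: one hash per check. `spent` (a Set) and `today` are assumptions
// standing in for server-side storage and the date policy.
function verify(token, today, spent) {
  const parts = token.split(":");
  if (parts.length !== 7) return "malformed";
  const [version, bits, date, , ext] = parts;
  // Compare against the server's own difficulty; never trust the claimed bits.
  if (version !== "1" || bits !== String(BITS) || ext !== "") return "bad header";
  if (date !== today) return "stale date";
  if (leadingZeroBits(sha1(token)) < BITS) return "insufficient work";
  if (spent.has(token)) return "double spend";
  spent.add(token);
  return "ok";
}
```

Rejecting tokens whose date is not current also bounds how long spent tokens have to be kept server-side.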

More info can be found at http://hashcash.org.

The sha1.js code is copyright Jeff Mott, and the code can be found upstream at his Google Code page.

Browser Fingerprints

Browser fingerprinting is unique enough to anonymously identify a browser with 94% accuracy. This is a JavaScript implementation of the research done by the Electronic Frontier Foundation. The browser is queried for many things:

  • User agent string
  • Screen color depth
  • Language
  • Installed plugins with supported MIME types
  • Timezone offset
  • Local storage
  • Session storage
  • ... and more

Each of these values is passed through a non-cryptographic hashing function to produce a fingerprint that represents your browser. The hash is MurmurHash3 with a 32-bit output.

The fingerprint.js code is copyright Valentin Vasilyev, and can be found upstream at his GitHub page.