Proof of Work Is Everywhere
Most people associate "proof of work" with cryptocurrency: Bitcoin miners burning electricity to solve meaningless hash puzzles. But the concept is older and more widespread than that, and it keeps showing up in places you would not expect.
The latest example is Anubis, a reverse proxy that weighs the soul of incoming HTTP requests using SHA-256 proof-of-work challenges. When a browser hits a site protected by Anubis, it has to solve a computational puzzle before the request is forwarded to the origin server. Legitimate browsers solve it instantly. Bots scraping at scale cannot, because the cost of solving millions of challenges outweighs the value of the scraped content. It is elegant, simple, and has gathered over 18'000 stars on GitHub in a short time.[1]
But there is an older, less flashy version of this idea running inside Debian's archive infrastructure. Debian's FTP master system uses DAK (Debian Archive Kit) to verify every package upload before it enters the archive. Uploads must be signed with GPG keys listed in dm.txt, an access control list mapping maintainer fingerprints to the packages they are authorized to upload. The system checks signatures, validates policy compliance, and runs a full verification pipeline before accepting anything. It is proof of work in the authentication sense: you prove you have the right key and have done the work of building a conforming package, and only then does your upload get accepted.[2]
The parallel is interesting. Anubis makes clients prove computational effort to stop scrapers. DAK makes uploaders prove cryptographic authorization to stop unauthorized package modifications. Both systems enforce a gate by requiring proof before access is granted. The difference is the threat model: Anubis fights botnets, DAK fights supply chain attacks.
This pattern is not new. Email has had proof-of-work-adjacent systems for decades. Hashcash, proposed in 1997, required senders to compute hash collisions to prove they spent CPU time on each email. The idea was that spamming millions of emails would become computationally prohibitive while individual senders would barely notice. It never saw widespread adoption in email, but the concept directly inspired Bitcoin's mining algorithm.[3]
CAPTCHAs are another form. Google's reCAPTCHA makes you identify crosswalks and traffic lights, which is essentially proving you are human (and doing Google's image labeling work for free). It is proof of work where the work itself is useful to someone else.
What makes Anubis different from CAPTCHAs and Hashcash is that it is purely computational: no human involvement is needed. The browser solves a hash challenge automatically, the server verifies it, and the request goes through. It is the cleanest implementation of the concept yet for web traffic: invisible to users, expensive to abusers.
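The solve/verify asymmetry behind a SHA-256 challenge of this kind, as an added sketch that is not Anubis's or Hashcash's own code. The leading-zero-hex-digit difficulty rule, the HMAC-bound challenge format, `SERVER_KEY`, and the client identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions for this sketch: a per-server secret and a difficulty in hex digits.
SERVER_KEY = secrets.token_bytes(32)
DIFFICULTY = 4  # leading zero hex digits; about 16**4 = 65,536 hashes expected


def _tag(client_id, salt):
    """HMAC that ties a challenge to one client without server-side state."""
    msg = f"{client_id}|{salt}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_id):
    """Server: hand out a fresh challenge bound to this client."""
    salt = secrets.token_hex(8)
    return f"{salt}.{_tag(client_id, salt)}"


def solve(challenge, difficulty=DIFFICULTY):
    """Client: brute-force the first valid nonce; returns (nonce, hashes_tried)."""
    target = "0" * difficulty
    nonce = 0
    while not hashlib.sha256(f"{challenge}{nonce}".encode()).hexdigest().startswith(target):
        nonce += 1
    return nonce, nonce + 1


def verify(client_id, challenge, nonce, difficulty=DIFFICULTY):
    """Server: one HMAC and one SHA-256, however long the client spent solving."""
    try:
        salt, tag = challenge.split(".")
    except ValueError:
        return False  # malformed challenge
    if not hmac.compare_digest(tag.encode(), _tag(client_id, salt).encode()):
        return False  # not issued by this server for this client
    digest = hashlib.sha256(f"{challenge}{nonce}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)


if __name__ == "__main__":
    cid = "203.0.113.7|ExampleUA"  # constructed client identifier
    ch = issue_challenge(cid)
    nonce, tried = solve(ch)
    print(f"solved after {tried} hashes, verified with one: {verify(cid, ch, nonce)}")
    print("same solution replayed by another client:",
          verify("198.51.100.9|OtherUA", ch, nonce))
```

Each extra hex digit of difficulty multiplies the expected client cost by 16 while the server's verification cost stays constant, which is the lever an operator tunes against scraping volume.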
Proof of work keeps reappearing because the underlying problem is universal: how do you make it cheap for legitimate actors and expensive for bad ones? Whether you are protecting an archive, a website, or a blockchain, the answer keeps coming back to the same idea. Make them work for it.