Slashdot Mirror


Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com)

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on in the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.
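
The heuristic quoted in the summary above, modelled as a small state machine. This is an added example, not Chromium code. The class, the sampler interface and the rule that battery saver mode persists until the user opts out are assumptions, since the quote leaves XX, YY and the exit condition open.

```javascript
// Added illustration of the quoted proposal; not Chromium code.
// XX/YY default to the "egregious" starting values from the quote (100%, 60 s).
class TabCpuPolicy {
  constructor({ cpuPercent = 100, seconds = 60 } = {}) {
    this.cpuPercent = cpuPercent; // XX
    this.seconds = seconds;       // YY
    this.overSince = null;        // start of the current over-threshold run
    this.batterySaver = false;
    this.optedOut = false;        // user dismissed battery saver via the toast
    this.toasts = 0;
  }
  // t: seconds since load; cpu: percent of one core (hypothetical sampler).
  sample(t, cpu, foreground = true) {
    // >= so that the 100% starting value is reachable at all.
    if (cpu >= this.cpuPercent) {
      if (this.overSince === null) this.overSince = t;
    } else {
      this.overSince = null;      // run broken, so short bursts never add up
    }
    const sustained =
      this.overSince !== null && t - this.overSince >= this.seconds;
    if (sustained && !this.optedOut && !this.batterySaver) {
      this.batterySaver = true;
      this.toasts += 1;           // show the opt-out toast once
    }
    return this.mode(foreground);
  }
  optOut() {
    this.optedOut = true;
    this.batterySaver = false;
  }
  mode(foreground) {
    if (!this.batterySaver) return "normal";
    return foreground ? "throttled" : "stopped";
  }
}

// Replay [t, cpu, foreground] samples and return the task mode after each.
function replay(samples, policy = new TabCpuPolicy()) {
  return samples.map(([t, cpu, fg]) => policy.sample(t, cpu, fg));
}

// Constructed traces, sampled every 10 s.
const SUSTAINED = [0, 10, 20, 30, 40, 50, 60, 70].map((t) => [t, 100, true])
  .concat([[80, 100, false], [90, 100, true]]);
const PAGE_LOAD_BURST = [[0, 100, true], [10, 100, true], [20, 100, true],
  [30, 15, true], [40, 5, true], [70, 5, true]];

console.log(replay(SUSTAINED).join(" "));
console.log(replay(PAGE_LOAD_BURST).join(" "));
```

The sustained trace is throttled from the 60-second mark and stopped while backgrounded; the page-load burst never leaves normal mode.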

21 of 189 comments

  1. Why isn't this already standard? by Baron_Yam · · Score: 2

    Most web surfing involves text, images, and perhaps video in a well-defined box. Anything else is generally crap that doesn't benefit the surfer.

    I'd say rather than a percentage of total CPU utilization, they ought to be measuring against a percentage of the browser's CPU usage. Any non-whitelisted script that is taking more juice than it would take to render a straight text-and-image page can be throttled to zero, in my opinion.

  2. Ad company defends business model by Anonymous Coward · · Score: 2, Insightful

    Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.

    Big surprise.

    1. Re:Ad company defends business model by Bruce Perens · · Score: 4, Insightful

      >Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.

      Not really. Running a miner is not a way that legitimate content sites recover their cost of operation. It's a way to grab some of the viewer's cycles for mining without their knowing it. If you want viewers to pay for use of your site in CPU cycles, design a protocol for that which will tell the user what they're paying, and allow them to pay it fairly or inform their decision to stay off your site.

    2. Re:Ad company defends business model by spire3661 · · Score: 4, Insightful

      >Running a miner is not a way that legitimate content sites recover their cost of operation

      You could make the exact same argument for third-party ads.

      --
      Good-bye
    3. Re:Ad company defends business model by Dogtanian · · Score: 4, Insightful

      How honest would you expect them to be, given that mining via JavaScript is going to be horrendously inefficient and likely to use many, many times the value mined in increased electricity used by the client?

      They'd also have to be clear that using the website is likely to run down the user's battery significantly faster on a laptop.

      Then again- maybe that was your point. You can't do something like that honestly without highlighting what a bad idea it is, and that it'd be far better if someone finally got micropayments to work for random websites.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  3. Re: Blocker detected by Anonymous Coward · · Score: 4, Insightful

    Good, I'd never go back to that site.

  4. Re:That should be normal. by SScorpio · · Score: 2

    Your solution of Firefox and NoScript is about to be broken pretty soon.

  5. Re:That's easy! by Anonymous Coward · · Score: 2, Informative

    >Disable Javascript. There's no reason not to.

    Other than the fact that all but the most ancient websites won't work without it anymore... unless it's a flash website that is.

    Try browsing with scripting summarily disabled and let me know how it works for ya.

  6. Google should see this as a threat!!! by zippo01 · · Score: 4, Insightful

    This would be a brilliant business strategy! No ads, clean uninterrupted browsing, they just get some CPU cycles from you. Most people wouldn't even notice the difference or the cost. I would do it not to have to look at ads. This could destroy Google's hold on ads and the new revenue stream for the internet. They should just let the user know what's going on and BAM!

  7. Re:High cpu usage blocked? by slazzy · · Score: 5, Insightful

    Even just showing something on the tab to indicate high CPU usage would be a good start, like the way Chrome shows a speaker icon for the tab that is playing sounds.

    --
    Website Just Down For Me? Find out
  8. I like the idea, and not just for miners by pgn674 · · Score: 4, Insightful

    There's a documentation hub for a service out there that I noticed using 100% of one CPU core on my laptop, whenever I had a page open on it. Didn't matter whether the tab or Chrome window was foreground or not. I dug into it, and found a CSS spinner sitting underneath a Google translate button. I'm thinking the page designers wanted a spinner to show if that button took a while to load. But they designed it in CSS; it kept running forever, even after the button loaded; and it used 100% CPU. Having a built-in defense against this kind of stupidity or malice would be awesome.

  9. Re:That's easy! by LordKronos · · Score: 4, Insightful

    LOL....yeah, there's no reason not to. Let's just abandon DHTML and go back to full page reloads on every action, no matter how small. It's been so long, I guess I must've forgotten how much I loved all those full page reloads.

  10. Re: Blocker detected by rkordmaa · · Score: 2

    The resulting hashes are pretty much always invalid. It doesn't take forever to calculate a single hash; you will calculate a bazillion hashes but only one is correct.

  11. Once sites like that fill search results by tepples · · Score: 5, Informative

    >I'd never go back to that site.

    So how will you deal with the frustration when you find that the majority of the top ten results from a particular web search query come from that site and others like it? It becomes tedious to add a dozen or more -site:domain.example terms to every single query. Google Search used to allow blacklisting a domain, but this feature has since been permanently discontinued. I found some promising browser extensions for users of Google Search on select desktop browsers:

    Google Chrome for desktop: Personal Blocklist
    Firefox 56 or later: Personal Blocklist (not by Google)
    Firefox 52 ESR or Firefox 56: Hide Unwanted Results of Google Search

    But what works for Chrome for Android, Edge, or Safari? Or for DuckDuckGo or Bing?

  12. Re:Google explores ways to break non-google web ap by hcs_$reboot · · Score: 2

    Chrome will be the new IE6

    Yes! my css code will work, at last!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  13. Proof of concept by tepples · · Score: 2

    As I understand it, EME provides a controlled interface to a Content Decryption Module (CDM). A CDM can obfuscate only audio and video decoding and output, not any process whose output the script can directly monitor. If you have a proof of concept of Monero mining in a well-known CDM, such as Widevine, Primetime, or PlayReady, I'd like to see it.

  14. Re:That's easy! by tepples · · Score: 2

    Forum sites such as SoylentNews and Slashdot work without script. The user navigates or submits a form, and the site returns a document. Those web applications for which navigation and form submission are insufficient can be rewritten as a native application.

  15. Re:That's easy! by Sigma 7 · · Score: 2

    >Other than the fact that all but the most ancient websites won't work without it anymore... unless it's a flash website that is.

    If there's a website that has a legitimate use for Javascript, then the user can easily enable it for that site. The trivial use cases include Kongregate, Newgrounds, and flash-portal game sites.

    In all other cases, the website should maintain basic function in the event the browser doesn't activate Javascript. In fact, both examples I listed above still function without JS enabled, as you can head to the game's page before you need to turn on scripts.

    >Try browsing with scripting summarily disabled and let me know how it works for ya.

    I've done it for quite a long time. Got tired of rogue advertisers redirecting the page to "update java", and I've only enabled sites that actually require Javascript. If it requires Javascript unnecessarily, then I don't need to visit that site as much.

  16. Re:That should be normal. by CrashNBrn · · Score: 2

    All of my required addons (or new replacement) are working in Firefox 57.

    TamperMonkey or ViolentMonkey.
    Tree Style Tab
    uMatrix
    uBlock Origin
    TabHunter
    Tab Session Manager (replaces Session Manager)
    Stylus (replaces Stylish)
    LastPass (beta)
    Enpass
    Enhanced Steam

    Only thing missing now is, Vertical Toolbar, and Piro's Multiple Tab Handler.

  17. This will end poorly by Vektuz · · Score: 4, Insightful

    While I actually like the idea of being allowed to choose whether to donate a few cycles or to watch ads - I would always choose to donate cycles (no privacy problem, no malware problem, no security problem, no tracking problem...).

    HOWEVER, this will end poorly
    This is because websites tend to be greedy. They won't go "either ads or cryptomining". They will go ads AND cryptomining. Just like cable TV.

  18. Re:That's easy! by mobby_6kl · · Score: 2

    >LOL....yeah, there's no reason not to. Let's just abandon DHTML and go back to full page reloads on every action, no matter how small. It's been so long, I guess I must've forgotten how much I loved all those full page reloads.

    Yes, let's do that. Seriously. In practice these horrible full page reloads are faster than loading megabytes of JS garbage to view a comment or something. Just compare using slashdot to Disgus(t) or whatever it's called.