Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome The Internet IT

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com) 189

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineering working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.

This discussion has been archived. No new comments can be posted.

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome

Comments Filter:
  • by Baron_Yam ( 643147 ) on Thursday October 19, 2017 @11:25AM (#55397217)

    Most web surfing involves text, images, and perhaps video in a well-defined box. Anything else is generally crap that doesn't benefit the surfer.

    I'd say rather than a percentage of total CPU utilization, they ought to be measuring against a percentage of the browser's CPU usage. Any non-whitelisted script that is taking more juice than it would take to render a straight text-and-image page can be throttled to zero, in my opinion.

    • > Anything else is generally crap that doesn't benefit the surfer

      Not always --there are valid use cases:

      * Notch prototyped Minecraft procedural textures [jsfiddle.net]
      * Us graphic geeks using WebGL "hang out" on shadertoy [shadertoy.com] (Warning: Space Audio)

      As long the default is opt-out and we need to whitelist our favorite sites, while being a minor inconvenience, that is the right way to do it.

    • I like going to Newegg and browsing through the specials in an image carousel. I like clicking 'reply' on slashdot and getting a box to reply in. I like thumbnail previews. I like menus I can browse without reloading an whole page. I like web mail that feels like a mail client. Heck, I like a responsive and modern web.

      If you don't go run Lynx in X11. The rest of us will carry on living in 2017 and even 2018 when it comes along.
      • Nice that you like all that stuff. If you weren't being such an ass with your final statement, I would have been nicer in my reply.

        You're an idiot. Not because you like those things, but because you think limiting script CPU as I described would make them all fail.

    • Most web surfing involves text, images, and perhaps video in a well-defined box.

      WTF? Did you stop using the browser in 2002 and then time travel 15 years? The internet hasn't been that in a LONG time. Hell if that is your definition of the internet we wouldn't be having this conversation because even Slashdot requires far more complexity than that, and it is incredibly frigging simple compared to most of the internet.

    • If my cpu fan starts to accelerate, it is a sure sign that my system is being exploited. Ergo, I shut it down and strart a different browser.

  • by Anonymous Coward

    Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.

    Big surprise.

    • by Bruce Perens ( 3872 ) <bruce@perens.com> on Thursday October 19, 2017 @12:09PM (#55397623) Homepage Journal

      Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.

      Not really. Running a miner is not a way that legitimate content sites recover their cost of operation. It's a way to grab some of the viewer's cycles for mining without their knowing it. If you want viewers to pay for use of your site in CPU cycles, design a protocol for that which will tell the user what they're paying, and allow them to pay it fairly or inform their decision to stay off your site.

      • by spire3661 ( 1038968 ) on Thursday October 19, 2017 @12:35PM (#55397851) Journal
        >Running a miner is not a way that legitimate content sites recover their cost of operation

        You could make the exact same argument for third-party ads.
        • yup.
          I could see a cookie that turned mining on and off for a site that would be legitimate:
          Hey help fund the site you have three options:
          * buy a sub and we'll hide all ads and mining operations
          * show ads and don't mine
          * mine BTC and don't show ads

          Default to showing ads and have a link for selecting what the user wants to do.

      • by Dogtanian ( 588974 ) on Thursday October 19, 2017 @01:06PM (#55398065) Homepage
        How honest would you expect them to be, given that mining via JavaScript is going to be horrendously inefficient and likely to use many, many times the value mined in increased electricity used by the client?

        They'd also have to be clear that using the website is likely to run down the user's battery significantly faster on a laptop.

        Then again- maybe that was your point. You can't do something like that honestly without highlighting what a bad idea it is, and that it'd be far better if someone finally got micropayments to work for random websites.
  • The problem with this method is half the web already acted like it was running a crypominer before these things even showed up.

    • The problem with this method is half the web already acted like it was running a crypominer before these things even showed up.

      Also, this already basically exists. Multiple times I've seen a popup saying "javascript taking too long" with an option to continue or abort.
      Presumably the bitcoin miners are already doing something to not trigger this condition and any condition you come up with, the bitcoin
      miner could be modified to stay under that threshold.

  • by zippo01 ( 688802 ) on Thursday October 19, 2017 @11:42AM (#55397385)
    This would be a brilliant business strategy! No ads, clean uninterrupted browsing, they just get some CPU cycles from you. Most people wouldn't even notice the difference or the cost. I would do it not to have to look at ads. This could destroy googles hold on ads and the new revenue stream for the internet. They should just let the user know whats going on and BAM!
    • Then MS can tell that Edge is saving battery compared to Chrome as it does not support cryptocurrency mining.
    • Re: (Score:2, Interesting)

      by AmiMoJo ( 196126 )

      Not so great on battery powered devices though.

    • by tepples ( 727027 )

      Most people wouldn't even notice the difference or the cost.

      Not even when the device's battery runs out twice as fast as it used to? Or were you operating under the assumption that "Most people" use a desktop PC as opposed to a laptop, tablet, or smartphone?

    • This could destroy googles hold on ads and the new revenue stream for the internet

      Perhaps Google is more afraid that this distributed computing model might compete with their fledgling Google Cloud computing offering. AWS already makes more money for Amazon than their retail sales business. If Google is going to compete, they are going to have to stifle distributed computing so that crypto miners will perceive a greater value in the Google Cloud.

    • No ads, clean uninterrupted browsing,

      Yeah finally we can have a clean internet. The only problem would be battery li

  • I've been manually accomplishing the same thing with Quick Javascript Switcher [google.com] to turn off JS on sites which abuse it, and The Great Suspender [google.com] to freeze background tabs.

    I also keep Windows Task Manager's CPU graph in the notifications bar so I can see if my computer isn't dropping to idle. That's what originally led me to start using The Great Suspender. Although in my case it wasn't crytocurrency mining scripts, it was poor coding on Google's Photos and Drive websites which kept chewing up CPU cycles
  • Chrome is a browser. We live in an age where some people (notoriously Google) think browsers needs to run full fledged apps in a sense they must take advantage of modern processing power. That is just wrong - websites are nowadays supposed to be much more technically sophisticated, and yet, consequentially much LESS demanding with things like the quai-extinction of flash and the advent of HTML5. In any case, 100%, or even 20% is not uncommon on "harmless" websites and this would induce in many false positiv

  • Chrome will be the new IE6

    • Chrome will be the new IE6

      Yes! my css code will work, at last!

    • It already kind of is. On the desktop, Microsoft was actually their main competitor. But then Microsoft launched Edge and like most new Microsoft products it was a crushing blow to Microsoft:

      2 Years ago, MS still held an incredible 50% of desktop browser share:
      https://www.netmarketshare.com... [netmarketshare.com]

      Now, they are down to 20%
      https://www.netmarketshare.com... [netmarketshare.com]

      Despite being literally shoved into users faces, the introduction of Edge didn't draw users away from Chrome. No, it seemed to send IE users running to it inste

      • e've already seen Google start to flex their muscle a bit in the same way Microsoft did

        It's not desktop muscles they're flexing (yet). It's search. How fast websites render in Chrome (okay, according to rules that totally happen to randomly perfectly align with Chrome) influences pagerank

      • How does Edge go for downloading Firefox and Chrome? I used Internet Explorer for that on my current computer. (I can't think of a better use for a Microsoft browser.)

  • by pgn674 ( 995941 ) on Thursday October 19, 2017 @11:51AM (#55397455) Homepage
    There's a documentation hub for a service out there that I noticed using 100% of one CPU core on my laptop, whenever I had a page open on it. Didn't matter whether the tab or Chrome window was foreground or not. I dug into it, and found a CSS spinner sitting underneath a Google translate button. I'm thinking the page designers wanted a spinner to show if that button took a while to load. But they designed it in CSS; it kept running forever, even after the button loaded; and it used 100% CPU. Having a built in defense against this kind of stupidity or malice would be awesome.
  • How about blocking autoplay video? That shit is way worse than a miner.

    • There is an ext for that.
      • Which doesn't always work. It stops about 80% of them but some videos find their way through somehow.

    • There is absolutely ZERO need for autoplay video if you're not an advertiser looking to force something into someone else's eyeballs.

      Every browser should, by default, put a placeholder in for video and require user interaction just to start loading it, never mind actually play it.

      Back when most video was Flash and Firefox was king of the alternate browsers, I used the FlashBlock extension and it was glorious.

  • This is exactly the kind of thing I told you was going to happen yesterday [slashdot.org] and yet, only +3 Insightful.

  • This is actually an excellent solution even for "valid" websites which misuse shady ad networks and contain otherwise bad JS code (for rendering/user interaction/ajax/etc). I just want these variables to be configurable, i.e. >=5 seconds of more than 70% 1 CPU core usage and the tab gets throttled.
    • This.
      Set conservative default for the majority of users:
      95% by single js page for over 60 sec.
      in about:config allow the thresholds to be set.
      Also allow whitelisting of sites.

  • The massive pegging of CPU is hardly new. There have always been terrible websites - many of them video ones - which for various reasons, such up as much CPU as they're able to, bringing the machine to a crawl. Most of them are video related, including flash (it was notorious), and - in its early days - YouTube. The worst are those that call functions of code you had to install natively.

    The problem is that most browsers give absolutely no indication that this is happening, leaving the user to wonder why hi

    • Yes, you can do a top/task-manager/activity monitor to figure out what is going wrong, but even if you're that sophisticated, you often end up having to kill the entire process simply to stop one errant thread. This never works for unsophisticated users.

      In chrome you can right click an empty part of the tab area (or shift+escape), and start the built in thread manager, it will show you what tabs/extensions/scripts are using with regard to cpu utilization and allows you to kill specific ones. But yea, most users won't even be able to do that.

  • Let a hundred extensions bloom!

    Let extension developers deal with the problem.

    Once a great approach is identified, bake it in all browsers.

    A monolytic company (and specially one like google, which lives of adds) is not the best blace to come with a solution, let alone a great overall solution

  • by Vektuz ( 886618 ) on Thursday October 19, 2017 @02:05PM (#55398487)
    While I actually like the idea of being allowed to choose whether to donate a few cycles or to watch ads - I would always choose to donate cycles (no privacy problem, no malware problem, no security problem, no tracking problem...).

    HOWEVER, this will end poorly
    This is because websites tend to be greedy. They won't go "either ads or cryptomining". They will go ads AND cryptomining. Just like cable TV.
  • >"If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and..."

    We should have already HAD this in ALL browsers. I suggested it for Firefox years and years ago. It isn't just cryptomining, but some sites have HORRIBLE programming with endless animation and crap moving and changing and calculating and re-loading things all the time. And who knows what is next.

    If the browser IS the next OS, then regardless of the

  • 60 seconds at 100% won't work. They'll just write the code to sleep for 1 second every 59 seconds.

  • Many web sites are loading thousands of Javascript modules which they often load from untrusted sites. What happens when someone starts sending patches adding a bit miner for their own account into existing code? That is happening right now.

  • This would be great. I could throttle down Facebook from burning all my CPU and give the rest to The Pirate Bay to pay them back for all they've done for us.

Trap full -- please empty.

Working...