Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com) 189
An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on in the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."
An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.
Why isn't this already standard? (Score:3)
Most web surfing involves text, images, and perhaps video in a well-defined box. Anything else is generally crap that doesn't benefit the surfer.
I'd say rather than a percentage of total CPU utilization, they ought to be measuring against a percentage of the browser's CPU usage. Any non-whitelisted script that is taking more juice than it would take to render a straight text-and-image page can be throttled to zero, in my opinion.
Re: (Score:2)
> Anything else is generally crap that doesn't benefit the surfer
Not always -- there are valid use cases:
* Notch prototyped Minecraft procedural textures [jsfiddle.net]
* Us graphic geeks using WebGL "hang out" on shadertoy [shadertoy.com] (Warning: Space Audio)
As long as the default is opt-out and we need to whitelist our favorite sites, while being a minor inconvenience, that is the right way to do it.
I like JavaScript (Score:2)
If you don't, go run Lynx in X11. The rest of us will carry on living in 2017 and even 2018 when it comes along.
Re: (Score:2)
Nice that you like all that stuff. If you weren't being such an ass with your final statement, I would have been nicer in my reply.
You're an idiot. Not because you like those things, but because you think limiting script CPU as I described would make them all fail.
Re: (Score:2)
And what exactly is wrong with Chrome showing a "battery saver mode" popup for badly written sites that use 100% CPU for simple tasks? Sounds like a great idea to me, it'll force the developers to fix their sites to keep their users.
Re: (Score:2)
Yea, is that battery saver mode going to be smart enough to recognize a desktop system that has no fucking battery?
Re: (Score:2)
Unfortunately, whether a site is worth using under Lynx depends on how the site is written, and not what anyone else does. (Hey, I've got a soft spot for Lynx.)
Re: (Score:2)
> Most web surfing involves text, images, and perhaps video in a well-defined box.
WTF? Did you stop using the browser in 2002 and then time travel 15 years? The internet hasn't been that in a LONG time. Hell if that is your definition of the internet we wouldn't be having this conversation because even Slashdot requires far more complexity than that, and it is incredibly frigging simple compared to most of the internet.
Re: (Score:2)
If my cpu fan starts to accelerate, it is a sure sign that my system is being exploited. Ergo, I shut it down and start a different browser.
Re: (Score:2)
WebASM is a steaming pile of shit. WebGL only slightly less so.
Ad company defends business model (Score:2, Insightful)
Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.
Big surprise.
Re:Ad company defends business model (Score:5, Insightful)
Not really. Running a miner is not a way that legitimate content sites recover their cost of operation. It's a way to grab some of the viewer's cycles for mining without their knowing it. If you want viewers to pay for use of your site in CPU cycles, design a protocol for that which will tell the user what they're paying, and allow them to pay it fairly or inform their decision to stay off your site.
Re:Ad company defends business model (Score:5, Insightful)
You could make the exact same argument for third-party ads.
Re: (Score:2)
yup.
I could see a cookie that turned mining on and off for a site that would be legitimate:
Hey help fund the site you have three options:
* buy a sub and we'll hide all ads and mining operations
* show ads and don't mine
* mine BTC and don't show ads
Default to showing ads and have a link for selecting what the user wants to do.
Re:Ad company defends business model (Score:5, Insightful)
They'd also have to be clear that using the website is likely to run down the user's battery significantly faster on a laptop.
Then again- maybe that was your point. You can't do something like that honestly without highlighting what a bad idea it is, and that it'd be far better if someone finally got micropayments to work for random websites.
False positive rate too high (Score:2)
The problem with this method is half the web already acted like it was running a cryptominer before these things even showed up.
Re: (Score:2)
> The problem with this method is half the web already acted like it was running a cryptominer before these things even showed up.
Also, this already basically exists. Multiple times I've seen a popup saying "javascript taking too long" with an option to continue or abort.
Presumably the bitcoin miners are already doing something to not trigger this condition and any condition you come up with, the bitcoin miner could be modified to stay under that threshold.
Google should see this as a threat!!! (Score:5, Insightful)
Re: (Score:2, Interesting)
Not so great on battery powered devices though.
Re: (Score:2)
> Most people wouldn't even notice the difference or the cost.
Not even when the device's battery runs out twice as fast as it used to? Or were you operating under the assumption that "Most people" use a desktop PC as opposed to a laptop, tablet, or smartphone?
perhaps not about the ads... (Score:2)
Perhaps Google is more afraid that this distributed computing model might compete with their fledgling Google Cloud computing offering. AWS already makes more money for Amazon than their retail sales business. If Google is going to compete, they are going to have to stifle distributed computing so that crypto miners will perceive a greater value in the Google Cloud.
Re: (Score:2)
> No ads, clean uninterrupted browsing,
Yeah finally we can have a clean internet. The only problem would be battery li
About time (Score:2)
I also keep Windows Task Manager's CPU graph in the notifications bar so I can see if my computer isn't dropping to idle. That's what originally led me to start using The Great Suspender. Although in my case it wasn't cryptocurrency mining scripts, it was poor coding on Google's Photos and Drive websites which kept chewing up CPU cycles
Egregious is bad (Score:2)
Chrome is a browser. We live in an age where some people (notoriously Google) think browsers need to run full fledged apps in a sense they must take advantage of modern processing power. That is just wrong - websites are nowadays supposed to be much more technically sophisticated, and yet, consequentially much LESS demanding with things like the quasi-extinction of flash and the advent of HTML5. In any case, 100%, or even 20% is not uncommon on "harmless" websites and this would induce in many false positiv
Re: (Score:2)
I guess that must be the reason why everybody that doesn't have corporate interests hates stuff like instant apps or the web version of stupid services like Spotify, Gmail and whatever on their phones. And I would argue Apple, Microsoft and everybody that doesn't rely entirely on the cloud for their core have a thing to say about that. But keep fooling yourself on that javascript-based future bubble you think everybody will be living in 10 years from now. I bet by then we will have performance to make javas
Google explores ways to break non-google web apps (Score:1)
Chrome will be the new IE6
Re: (Score:3)
> Chrome will be the new IE6
Yes! my css code will work, at last!
Re: (Score:2)
It already kind of is. On the desktop, Microsoft was actually their main competitor. But then Microsoft launched Edge and like most new Microsoft products it was a crushing blow to Microsoft:
2 Years ago, MS still held an incredible 50% of desktop browser share:
https://www.netmarketshare.com... [netmarketshare.com]
Now, they are down to 20%
https://www.netmarketshare.com... [netmarketshare.com]
Despite being literally shoved into users' faces, the introduction of Edge didn't draw users away from Chrome. No, it seemed to send IE users running to it inste
Re: (Score:2)
It's not desktop muscles they're flexing (yet). It's search. How fast websites render in Chrome (okay, according to rules that totally happen to randomly perfectly align with Chrome) influences pagerank
Re: (Score:2)
How does Edge go for downloading Firefox and Chrome? I used Internet Explorer for that on my current computer. (I can't think of a better use for a Microsoft browser.)
I like the idea, and not just for miners (Score:5, Insightful)
How about blocking (Score:2)
How about blocking autoplay video? That shit is way worse than a miner.
Re: (Score:2)
Which doesn't always work. It stops about 80% of them but some videos find their way through somehow.
Re: (Score:2)
There is absolutely ZERO need for autoplay video if you're not an advertiser looking to force something into someone else's eyeballs.
Every browser should, by default, put a placeholder in for video and require user interaction just to start loading it, never mind actually play it.
Back when most video was Flash and Firefox was king of the alternate browsers, I used the FlashBlock extension and it was glorious.
I called it. (Score:2)
This is exactly the kind of thing I told you was going to happen yesterday [slashdot.org] and yet, only +3 Insightful.
Re: (Score:2)
Just a hint, Bucko, you don't have enough other things going on in your life.
I like it (Score:2)
Re: (Score:2)
This.
Set conservative default for the majority of users:
95% by single js page for over 60 sec.
in about:config allow the thresholds to be set.
Also allow whitelisting of sites.
Browsers desperately need a CPU indicator (Score:2)
The massive pegging of CPU is hardly new. There have always been terrible websites - many of them video ones - which for various reasons, suck up as much CPU as they're able to, bringing the machine to a crawl. Most of them are video related, including flash (it was notorious), and - in its early days - YouTube. The worst are those that call functions of code you had to install natively.
The problem is that most browsers give absolutely no indication that this is happening, leaving the user to wonder why hi
Re: (Score:2)
> Yes, you can do a top/task-manager/activity monitor to figure out what is going wrong, but even if you're that sophisticated, you often end up having to kill the entire process simply to stop one errant thread. This never works for unsophisticated users.
In chrome you can right click an empty part of the tab area (or shift+escape), and start the built in thread manager, it will show you what tabs/extensions/scripts are using with regard to cpu utilization and allows you to kill specific ones. But yea, most users won't even be able to do that.
Paraphrasing Comrade Mao (Score:2)
Let a hundred extensions bloom!
Let extension developers deal with the problem.
Once a great approach is identified, bake it in all browsers.
A monolithic company (and especially one like Google, which lives off ads) is not the best place to come up with a solution, let alone a great overall solution
This will end poorly (Score:5, Insightful)
HOWEVER, this will end poorly
This is because websites tend to be greedy. They won't go "either ads or cryptomining". They will go ads AND cryptomining. Just like cable TV.
years (Score:2)
>"If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and..."
We should have already HAD this in ALL browsers. I suggested it for Firefox years and years ago. It isn't just cryptomining, but some sites have HORRIBLE programming with endless animation and crap moving and changing and calculating and re-loading things all the time. And who knows what is next.
If the browser IS the next OS, then regardless of the
Won't work (Score:2)
60 seconds at 100% won't work. They'll just write the code to sleep for 1 second every 59 seconds.
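The rule proposed in the summary and the objection in the comment above can be compared directly. The following is an added example, not code from the thread or from Chromium: it runs the literal "100% for 60 seconds" check and a 60-second sliding-window average (using the 95% figure suggested elsewhere in the thread) over constructed per-second CPU traces. All function names and traces are assumptions made for illustration.

```javascript
// Added example: two ways of evaluating an "XX% CPU for YY seconds" rule
// over per-second CPU samples for a single tab. Names and traces are
// constructed for illustration; this is not Chromium code.

// Literal reading: fire once usage stays >= pct for `seconds` consecutive samples.
// Returns the sample index (second) at which the rule fires, or -1 if it never does.
function consecutiveRule(samples, pct, seconds) {
  let run = 0;
  for (let t = 0; t < samples.length; t++) {
    run = samples[t] >= pct ? run + 1 : 0; // any dip below pct resets the run
    if (run >= seconds) return t;
  }
  return -1;
}

// Sliding-window reading: fire once the mean usage over the last `seconds`
// samples is >= pct. A short pause lowers the mean slightly but does not reset it.
function windowedRule(samples, pct, seconds) {
  let sum = 0;
  for (let t = 0; t < samples.length; t++) {
    sum += samples[t];
    if (t >= seconds) sum -= samples[t - seconds]; // drop the sample leaving the window
    if (t >= seconds - 1 && sum / seconds >= pct) return t;
  }
  return -1;
}

// Constructed traces: 300 samples each, one per second, values in percent CPU.
function trace(length, fn) {
  return Array.from({ length }, (_, t) => fn(t));
}

const TRACES = {
  steadyLoad: trace(300, () => 100),                      // pegged continuously
  dutyCycled: trace(300, t => (t % 60 === 59 ? 0 : 100)), // 59 s busy, 1 s idle
  halfThrottle: trace(300, () => 50),                     // held at a constant 50%
  pageLoad: trace(300, t => (t < 3 ? 100 : 2)),           // short burst, then idle
  webglDemo: trace(300, () => 70),                        // legitimate heavy page
};

// Apply both rules to every trace and report when (if ever) each one fires.
function evaluate() {
  const out = {};
  for (const [name, samples] of Object.entries(TRACES)) {
    out[name] = {
      consecutive: consecutiveRule(samples, 100, 60),
      windowed: windowedRule(samples, 95, 60),
    };
  }
  return out;
}

console.table(evaluate());
```

The trace held at a constant 50% passes both rules, which is the limit other commenters point out: a fixed threshold only caps how much CPU a page can use without being flagged.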
Bad assumptions about the source of the miner (Score:2)
Many web sites are loading thousands of Javascript modules which they often load from untrusted sites. What happens when someone starts sending patches adding a bit miner for their own account into existing code? That is happening right now.
Throttle Facebook! (Score:2)
This would be great. I could throttle down Facebook from burning all my CPU and give the rest to The Pirate Bay to pay them back for all they've done for us.
Re: Blocker detected (Score:4, Insightful)
Good, I'd never go back to that site.
Once sites like that fill search results (Score:5, Informative)
> I'd never go back to that site.
So how will you deal with the frustration when you find that the majority of the top ten results from a particular web search query come from that site and others like it? It becomes tedious to add a dozen or more -site:domain.example terms to every single query. Google Search used to allow blacklisting a domain [lifehacker.com], but this feature has since been permanently discontinued [google.com]. I found some promising browser extensions for users of Google Search on select desktop browsers:
But what works for Chrome for Android, Edge, or Safari? Or for DuckDuckGo or Bing?
Re: (Score:2)
> So how will you deal with the frustration when you find that the majority of the top ten results from a particular web search query come from that site and others like it? It becomes tedious to add a dozen or more -site:domain.example terms to every single query. Google Search used to allow blacklisting a domain, but this feature has since been permanently discontinued.
Ah yes, like the super-annoying "experts exchange" site that I blacklisted wherever I can. Those assholes should die a slow death.
Re: (Score:2)
You're both right. What they actually did was even scummier - they included the actual answers on the page if the referrer was Google.
Re: (Score:2)
> What they actually did was even scummier - they included the actual answers on the page if the referrer was Google.
That's called "cloaking", which Google generally forbids [google.com]. But since October 1, Google has officially allowed this specific kind of cloaking [slashdot.org] under the name "flexible sampling", so long as the document contains a JSON-LD block to mark specific CSS class names as being paywalled [google.com].
Re: (Score:2)
User agent switching doesn't work anymore unless you come from a Google IP block.
Not if you don't use Chrome or Search (Score:2)
> Why does google get to decide and censor what JavaScript a website can run?
Google doesn't get to do so unless you use the Google Chrome browser or reach the website through Google Search. Both have replacements: Firefox and DuckDuckGo, or Edge/Safari and Bing.
Re: (Score:2)
What do you plan to do once "1-2 sites" where you get your news install cryptocurrency miners? Or your webmail sites?
Re: (Score:2)
Then we're back to the original AC's modal dialog: "Website forbidden. Please disable your adblock and reload the page."
Re: Blocker detected (Score:1)
So what about allowing mining, just doing it very slowly, and occasionally doing the calculations incorrectly so that the resulting hash is invalid?
Mining is Google's competition (Score:2)
Google isn't doing you a favor. Mining allows sites to pay for their operations without ads. Google wants to sell ad metrics and placement targeting to advertisers.
I don't care if someone mines when I visit their site. Why not? It's a free resource for me. I need to heat my house anyway. I can control when it happens. I like it.
Google is afraid
Re: (Score:2)
Except that you're paying dearly for what the site gets. Cryptocurrency mining requires oodles of computation (or everybody would be doing it as a background app on their phone), and is generally done on GPUs or more efficient devices. Doing it in Javascript on your browser is going to be horribly inefficient, so a page that brings your computer to its knees and heats up to machine limits and consumes electricity like it was going out of style will get the site only a teeny bit of value.
I have no probl
Re: (Score:2)
Huh? power is ten cents a KiloWatt Hour. and my computer uses at most 80 watts. If I stayed on the site for 10 hours that would be ten cents.
Re: (Score:2)
Can you mine ten cents of cryptocurrency in ten hours?
Re: (Score:3)
Your solution of Firefox and NoScript is about to be broken pretty soon.
Re: (Score:3)
All of my required addons (or new replacement) are working in Firefox 57.
Only thing missing now is, Vertical Toolbar, and Piro's Multiple Tab Handler.
Re: (Score:2)
But why? FF57 is such a gigantic improvement over previous versions, it's absolutely bonkers to not upgrade.
Just use uMatrix instead of NoScript, it's a lot more powerful.
Re: (Score:2)
Because 90% of my add-ons have a Legacy tag next to them. I'll see what type of push to port or recreate the missing add-ons happens once 57 comes out.
But maybe I'll stick with what I've been doing. Waterfox has been working just fine.
Re: (Score:2)
Personally, I just took a good long look at which add-ons I had installed, and which ones I actually need. Basically only uBlock Origin and Privacy Badger. You should try minimalism. It's fun, and less shit breaks.
Re: (Score:2)
If that works for you great. But I'll continue using a browser that was working great, and add-ons that make it continue to work the way it did before some nut jobs decided to clone the shitty popular browser and remove functionality/choice.
Re: (Score:2)
There are very good reasons for deprecating the old extension format, most noticeably security, stability and performance.
Re: (Score:2, Informative)
Disable Javascript. There's no reason not to.
Other than the fact that all but the most ancient websites won't work without it anymore... unless it's a flash website that is.
Try browsing with scripting summarily disabled and let me know how it works for ya.
Re: (Score:3)
Forum sites such as SoylentNews and Slashdot work without script. The user navigates or submits a form, and the site returns a document. Those web applications for which navigation and form submission are insufficient can be rewritten as a native application.
Re: (Score:2)
> Those web applications for which navigation and form submission are insufficient can be rewritten as a native application.
Then those native applications can have bitcoin miners in them and we've come full circle.
Re: (Score:3)
If there's a website that has a legitimate use for Javascript, then the user can easily enable it for that site. The trivial use cases include Kongregate, Newgrounds, and flash-portal game sites.
In all other cases, the website should maintain basic function in the event the browser doesn't activate Javascript. In fact, both examples I listed above still function without JS enabled, a
Re: (Score:2)
Disabling javascript is the only way to read articles from random sites these days. If you intend a non-interactive experience for the site, disable javascript on it -- if you intend to be interactive, give javascript a chance.
Re: (Score:2)
> Other than the fact that all but the most ancient website won't work without it anymore
They don't work without it any more because they suck. Javascript should be reserved for cases where you legitimately need something to act like an application, which is not any forums, etc. All this remote code running locally has caused serious fucking problems, and continues to do so.
Re: (Score:1, Informative)
Great, except many sites simply don't load right and you can't navigate and are filled with gibberish when you do that. I like that Chrome allows me to control JavaScript on a per-page basis but I wish there was a big button on the toolbar that would allow me to turn it on and off at a whim if I want.
Re: (Score:1)
All the more reason to disable javascript then: we should not be teaching web sites that it is acceptable to depend upon.
Re: (Score:2)
> [Without script,] many sites simply don't load right and you can't navigate and are filled with gibberish when you do that.
Then visit the many sites that do work without script instead of the many sites that don't work.
Re:That's easy! (Score:5, Insightful)
LOL....yeah, there's no reason not to. Let's just abandon DHTML and go back to full page reloads on every action, no matter how small. It's been so long, I guess I must've forgotten how much I loved all those full page reloads.
Re: (Score:3)
> LOL....yeah, there's no reason not to. Let's just abandon DHTML and go back to full page reloads on every action, no matter how small. It's been so long, I guess I must've forgotten how much I loved all those full page reloads.
Yes, let's do that. Seriously. In practice these horrible full page reloads are faster than loading megabytes of JS garbage to view a comment or something. Just compare using slashdot to Disgus(t) or whatever it's called.
Re: (Score:2)
> In practice these horrible full page reloads are faster than loading megabytes of JS
You managed to get Google Fibre working on your 486? Where did you even find a compatible network card!
Re: (Score:2)
No, let's not do that. It must have whooshed over you....in case you couldn't tell, I was being sarcastic.
And I don't know where you are getting megabytes of JS from. Most sites that I examine tend to have not much more than a megabyte of javascript and/or use something like the google cached version. For those that don't, after the first load they are cached.
So let's look at this horrendously big slashdot you use as an example. Here's this story, with 138 comments currently
First load, no cache
Javascript: 794
Re: (Score:2)
I, like many others, run Noscript. I enable javascript, often times just temporarily for my session, as I need to.
Note: Many times I enable javascript just t
Re: (Score:2)
I wouldn't mind going back to the simple web pages of yesteryear, stuff you can write in a simple text editor. Black text on a white background, blue underlined hyperlinks that turn purple when visited, simple formatting that respects your browser's default fonts and pages that degrade gracefully to slow connections and low-resolution devices.
HTML is for content, not styling.
Re: (Score:2)
Guess what. If you want to talk about what responsible developers do, then you need to consider that they can also do a good job optimizing javascript (shrinking size, reducing library dependence, using cached versions like google., etc). You can just compare a shit-quality javascript developer to what a talented HTML-only developer will do and expect that to have any meaning in the real world. Because guess what...while javascript programming isn't exactly hard, it's quite a bit more difficult than HTML-on
Re:High cpu usage blocked? (Score:5, Insightful)
Re: (Score:2)
Why do you think their engineering team would care? Obviously and correctly, it's a browser problem. Approximately all Facebook users will not see that Facebook's changed, so they'll decide that the browser has suddenly gone wonky.
Proof of concept (Score:3)
As I understand it, EME provides a controlled interface to a Content Decryption Module (CDM). A CDM can obfuscate only audio and video decoding and output, not any process whose output the script can directly monitor. If you have a proof of concept of Monero mining in a well-known CDM, such as Widevine, Primetime, or PlayReady, I'd like to see it.
Re: (Score:2)
Miner scripts will just dial it back to 50% CPU usage or whatever threshold chrome sets.
A typical webpage shouldn't need even 0.1% after loading. And during loading the majority of the cpu usage should be profiled to the browser itself (rendering the html/css/downloading elements etc) not the javascript. More than 1 - 2 seconds of high javascript cpu usage on a typical site is not necessary. Even the continuous async updates, analytics tracking etc is all really low level... like a couple percent of the cpu every 100 milliseconds or something.
Even Media playback is pretty low on modern systems
Re: (Score:2)
> that kind of measurement system would mistakenly assume that all CPU intensive pages were a problem. that ain't the case. thus, tons of false positives requiring authorization and white-listing.
Hardly, Crypto mining is a 100% of CPU continuously type of operation. I can watch my tv on youtube and barely break 10% CPU utilization... (Well, thread utilization which is even lower). I imagine if you are watching super HD/8k video it might take interesting percentage of a modern CPU, but nowhere near 100%, especially with GPU offload.
Re: (Score:2)
The headline describes nothing of what you mention. Unless that's how you see 'Miners'. :)
The association was made all by itself. It's really no one's fault, except the lowlifes that turn to whatever they can best hide behind the easiest.