Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com)
Date: 2017-10-19
An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on in the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."
An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.
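The rule quoted in the summary, sketched as a per-tab state machine. This is an added example, not Chromium code or anything from the bug report; the class, method and mode names are hypothetical, and the one-sample-per-second traces are constructed.

```javascript
// Added illustration; BatterySaverPolicy and its members are hypothetical names,
// not Chromium code. cpuPercent is XX and seconds is YY from the quoted proposal.
class BatterySaverPolicy {
  constructor({ cpuPercent = 100, seconds = 60 } = {}) {
    this.cpuPercent = cpuPercent;
    this.seconds = seconds;
    this.tabs = new Map(); // tabId -> { hotSince, saver, optedOut }
  }

  tab(tabId) {
    if (!this.tabs.has(tabId)) {
      this.tabs.set(tabId, { hotSince: null, saver: false, optedOut: false });
    }
    return this.tabs.get(tabId);
  }

  // Feed one CPU sample (time in seconds); returns how the tab's tasks run.
  sample(tabId, { time, cpu, backgrounded = false }) {
    const t = this.tab(tabId);
    if (t.optedOut) return "normal";
    if (cpu >= this.cpuPercent) {          // >= so that XX = 100 can be reached
      if (t.hotSince === null) t.hotSince = time;
      if (time - t.hotSince > this.seconds) t.saver = true;
    } else {
      t.hotSince = null;                   // streak broken, start counting again
    }
    if (!t.saver) return "normal";
    return backgrounded ? "stopped" : "throttled";
  }

  // The user dismisses battery saver mode from the toast.
  optOut(tabId) {
    const t = this.tab(tabId);
    t.optedOut = true;
    t.saver = false;
  }
}

// Replay a constructed trace, one CPU sample per second; returns the final mode.
function replay(policy, tabId, trace, backgrounded = false) {
  let mode = "normal";
  trace.forEach((cpu, time) => {
    mode = policy.sample(tabId, { time, cpu, backgrounded });
  });
  return mode;
}

const pegged = Array(90).fill(100);                               // 90 s at 100%
const pageLoad = [...Array(10).fill(100), ...Array(80).fill(5)];  // short burst
const steadyHalf = Array(90).fill(50);                            // stays under XX
```

With the 100% and 60 second starting values, only the pegged trace enters battery saver mode; the short page-load burst and the steady 50% load both stay in normal mode, which is why the proposal calls for measurement before choosing XX and YY.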
Good, I'd never go back to that site.
Once sites like that fill search results (Score:3)
> I'd never go back to that site.
So how will you deal with the frustration when you find that the majority of the top ten results from a particular web search query come from that site and others like it? It becomes tedious to add a dozen or more -site:domain.example terms to every single query. Google Search used to allow blacklisting a domain [lifehacker.com], but this feature has since been permanently discontinued [google.com]. I found some promising browser extensions for users of Google Search on select desktop browsers:
> So how will you deal with the frustration when you find that the majority of the top ten results from a particular web search query come from that site and others like it? It becomes tedious to add a dozen or more -site:domain.example terms to every single query. Google Search used to allow blacklisting a domain, but this feature has since been permanently discontinued.
Ah yes, like the super-annoying "experts exchange" site that I blacklisted wherever I can. Those assholes should die a slow death.
Expert Sex Change always had the information available to non-subscribers, but hidden at the bottom in a way you'd think it wasn't there (because if it wasn't there, Google wouldn't index it.) So if you come across a result that might be relevant, from them (after, no doubt, fifteen pages of results from Stack Overflow), that's what you can use.
So what about allowing mining, just doing it very slowly, and occasionally doing the calculations incorrectly so that the resulting hash is invalid?
Why isn't this already standard? (Score:3)
Most web surfing involves text, images, and perhaps video in a well-defined box. Anything else is generally crap that doesn't benefit the surfer.
I'd say rather than a percentage of total CPU utilization, they ought to be measuring against a percentage of the browser's CPU usage. Any non-whitelisted script that is taking more juice than it would take to render a straight text-and-image page can be throttled to zero, in my opinion.
> Anything else is generally crap that doesn't benefit the surfer
Not always -- there are valid use cases:
* Notch prototyped Minecraft procedural textures [jsfiddle.net]
* Us graphic geeks using WebGL "hang out" on shadertoy [shadertoy.com] (Warning: Space Audio)
As long as the default is opt-out and we need to whitelist our favorite sites, while being a minor inconvenience, that is the right way to do it.
Proof of concept (Score:2)
As I understand it, EME provides a controlled interface to a Content Decryption Module (CDM). A CDM can obfuscate only audio and video decoding and output, not any process whose output the script can directly monitor. If you have a proof of concept of Monero mining in a well-known CDM, such as Widevine, Primetime, or PlayReady, I'd like to see it.
Disable Javascript. There's no reason not to.
Other than the fact that all but the most ancient websites won't work without it anymore... unless it's a flash website that is.
Try browsing with scripting summarily disabled and let me know how it works for ya.
Forum sites such as SoylentNews and Slashdot work without script. The user navigates or submits a form, and the site returns a document. Those web applications for which navigation and form submission are insufficient can be rewritten as a native application.
If there's a website that has a legitimate use for Javascript, then the user can easily enable it for that site. The trivial use cases include Kongregate, Newgrounds, and flash-portal game sites.
In all other cases, the website should maintain basic function in the event the browser doesn't activate Javascript. In fact, both examples I listed above still function without JS enabled, a
Great, except many sites simply don't load right and you can't navigate and are filled with gibberish when you do that. I like that Chrome allows me to control JavaScript on a per-page basis but I wish there was a big button on the toolbar that would allow me to turn it on and off at a whim if I want.
All the more reason to disable javascript then: we should not be teaching web sites that it is acceptable to depend upon.
> [Without script,] many sites simply don't load right and you can't navigate and are filled with gibberish when you do that.
Then visit the many sites that do work without script instead of the many sites that don't work.
Re:That's easy! (Score:4, Insightful)
LOL....yeah, there's no reason not to. Let's just abandon DHTML and go back to full page reloads on every action, no matter how small. It's been so long, I guess I must've forgotten how much I loved all those full page reloads.
Ad company defends business model (Score:2, Insightful)
Company threatened by emergence of a new model of online compensation uses control over existing infrastructure to severely limit its penetration into the market.
Big surprise.
Re:Ad company defends business model (Score:4, Insightful)
Not really. Running a miner is not a way that legitimate content sites recover their cost of operation. It's a way to grab some of the viewer's cycles for mining without their knowing it. If you want viewers to pay for use of your site in CPU cycles, design a protocol for that which will tell the user what they're paying, and allow them to pay it fairly or inform their decision to stay off your site.
You could make the exact same argument for third-party ads.
Re: (Score:3)
Your solution of Firefox and NoScript is about to be broken pretty soon.
False positive rate too high (Score:2)
The problem with this method is half the web already acted like it was running a cryptominer before these things even showed up.
Google should see this as a threat!!! (Score:3)
Not so great on battery powered devices though.
Most people wouldn't even notice the difference or the cost.
Not even when the device's battery runs out twice as fast as it used to? Or were you operating under the assumption that "Most people" use a desktop PC as opposed to a laptop, tablet, or smartphone?
About time (Score:2)
I also keep Windows Task Manager's CPU graph in the notifications bar so I can see if my computer isn't dropping to idle. That's what originally led me to start using The Great Suspender. Although in my case it wasn't cryptocurrency mining scripts, it was poor coding on Google's Photos and Drive websites which kept chewing up CPU cycles
Miner scripts will just dial it back to 50% CPU usage or whatever threshold chrome sets.
A typical webpage shouldn't need even 0.1% after loading. And during loading the majority of the cpu usage should be profiled to the browser itself (rendering the html/css/downloading elements etc) not the javascript. More than 1 - 2 seconds of high javascript cpu usage on a typical site is not necessary. Even the continuous async updates, analytics tracking etc is all really low level... like a couple percent of the cpu every 100 milliseconds or something.
Even Media playback is pretty low on modern systems
Egregious is bad (Score:2)
Chrome is a browser. We live in an age where some people (notoriously Google) think browsers need to run full fledged apps in a sense they must take advantage of modern processing power. That is just wrong - websites are nowadays supposed to be much more technically sophisticated, and yet, consequentially much LESS demanding with things like the quasi-extinction of flash and the advent of HTML5. In any case, 100%, or even 20% is not uncommon on "harmless" websites and this would induce in many false positiv
Google explores ways to break non-google web apps (Score:1)
Chrome will be the new IE6
> Chrome will be the new IE6
Yes! my css code will work, at last!
It already kind of is. On the desktop, Microsoft was actually their main competitor. But then Microsoft launched Edge and like most new Microsoft products it was a crushing blow to Microsoft:
2 Years ago, MS still held an incredible 50% of desktop browser share:
https://www.netmarketshare.com... [netmarketshare.com]
Now, they are down to 20%
https://www.netmarketshare.com... [netmarketshare.com]
Despite being literally shoved into users' faces, the introduction of Edge didn't draw users away from Chrome. No, it seemed to send IE users running to it inste
It's not desktop muscles they're flexing (yet). It's search. How fast websites render in Chrome (okay, according to rules that totally happen to randomly perfectly align with Chrome) influences pagerank
I like the idea, and not just for miners (Score:2)
How about blocking (Score:2)
How about blocking autoplay video? That shit is way worse than a miner.
There is absolutely ZERO need for autoplay video if you're not an advertiser looking to force something into someone else's eyeballs.
Every browser should, by default, put a placeholder in for video and require user interaction just to start loading it, never mind actually play it.
Back when most video was Flash and Firefox was king of the alternate browsers, I used the FlashBlock extension and it was glorious.
I called it. (Score:2)
This is exactly the kind of thing I told you was going to happen yesterday [slashdot.org] and yet, only +3 Insightful.
Just a hint, Bucko, you don't have enough other things going on in your life.
that would totally mess with streaming (Score:1)
that kind of measurement system would mistakenly assume that all CPU intensive pages were a problem. that ain't the case. thus, tons of false positives requiring authorization and white-listing.
> that kind of measurement system would mistakenly assume that all CPU intensive pages were a problem. that ain't the case. thus, tons of false positives requiring authorization and white-listing.
Hardly, Crypto mining is a 100% of CPU continuously type of operation. I can watch my tv on youtube and barely break 10% CPU utilization... (Well, thread utilization which is even lower). I imagine if you are watching super HD/8k video it might take interesting percentage of a modern CPU, but nowhere near 100%, especially with GPU offload.
I like it (Score:2)
Browsers desperately need a CPU indicator (Score:2)
The massive pegging of CPU is hardly new. There have always been terrible websites - many of them video ones - which for various reasons, suck up as much CPU as they're able to, bringing the machine to a crawl. Most of them are video related, including flash (it was notorious), and - in its early days - YouTube. The worst are those that call functions of code you had to install natively.
The problem is that most browsers give absolutely no indication that this is happening, leaving the user to wonder why hi
Paraphrasing Comrade Mao (Score:2)
Let a hundred extensions bloom!
Let extension developers deal with the problem.
Once a great approach is identified, bake it in all browsers.
A monolithic company (and especially one like Google, which lives off ads) is not the best place to come up with a solution, let alone a great overall solution