New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request for block] Crypto Miners #690
Comments
Script was removed from page, but description should give enough information |
i think the focus should be on blocking coinhive not sites using coinhive 🤔 |
That is the request
|
Apparently, pirate-bay is doing it now too: https://betanews.com/2017/09/16/pirate-bay-secret-bitcoin-miner/ |
Anything that abusively auto-opt-in users deserve to be blocked by default. Now the problem I am having is, in which filter lists does this go? Given this previous issue, and the one here, maybe it's time to create a new filter lists for anti-users auto opt-in abusive behavior. Name? "Dark patterns"? |
Yeah, even worse is that you can't opt out of it in some of these cases (like the two i posted), by any means other than blocking. Dark Patterns sounds good to me. |
I wonder if a situation like how https://gus.host works is ok |
No...? |
How about adding it to |
Thanks dude! Super fast reply :) |
I don't know what to think yet, I will listen to all arguments pro/for. "Dark patterns" and "Badware risks" are both self-explanatory, I suppose "badware risks" is a subset of "dark patterns"? |
You could name the list |
Off topic: Anybody knows whether a link to the commit not showing in the auto-generated "gorhill closed this 15 minutes ago" above is a temporary GitHub quirk or a new by-design behavior? I kind of relied a lot on the commit being auto-linked in the issue. |
I think this behaviour is a quirk, because the link to the commit does not show if you also closed the issue with that commit. |
Off-topic: |
@gorhill The "uBlock filters – Badware risks" filter list should not be renamed. I do not use it as it blocks The list in the end is subjective to how grave the user perceives the risks of the listed blocked sites to be and as it states it is a "risk" but not directly harmful. Filters such as these should be added to the main "uBlock filters" list itself with additional text on why so in the wiki. A new list can be created if need be but things such as a javascript miner are directly harmful to a users machine not to say even more than ads. @gorhill Also what is meat by "Non-pro-users auto opt-in abusive behavior."? |
@aequasi Thanks for opening this issue I was going to myself but thankfully I checked if it was already there. I haven't been going through news lately and I would've definitely not become aware of this if I was not randomly checking out website tech on BuiltWith (a great website). I was checking this out on: Here I noticed that the website was using Coinhive what was described as a JavaScript miner on BuiltWith, I instantly recognized what it was and went to see the CPU usage of the website I was checking out. These things are designed to kill browser performance. Went looking for more info and it turns out even TPB is using this. I said enough this needs to be blocked, came here to open an issue but you had already opened one 👍. Edit: Also, here is the original report by TorrentFreak about TPB using the cryptominer. |
I think that we should not mix ads and on-site cryptocurrency mining. Examples like @devsnek have an opt-out option and show transparency. Mining cryptocurrencies on-site could be a nice way to get rid of ads. IMO, you have rushed. How cool would it be if you had an option to block ads and another option to block mining on the uBlock Origin panel? Thanks in advance. |
@gangsthub FYI, @gorhill has put out a separate list for these incidents: https://github.com/uBlockOrigin/uAssets/blob/master/filters/dark-patterns.txt It is different from the ads filter, nothing has been rushed. Just an open source project open to ideas :) |
I'd say a single quite verifiable crypto-miner during short exposures absolutely isn't worse than malicious ads. It definetly isn't badware per se, it would be a badware if injected maliciously into websites. It's another adware. |
@Avamander I don't see any problem in putting these filters in a special filters list (as has been done) or the main ads filter as you suggest. I did comment above that these filters be put in the main filter but I do see now why people may have problems with this as these are not ads per say but I am all go for putting them in a different list and I think it should be a default one as well. The main issue here is of user consent which is non existent and that fits the definiton of putting a block on it. |
@gotitbro Fair enough, but how many ads ask for consent though? I would like to see them in a different list, just that people would have a choice now. |
@Avamander As I said above they already are in a different list: #690 (comment) What seems to be the issue here? |
Shameless plug here. I wrote a tiny extension specifically for blocking coin miners (which works using a domain blacklist): https://github.com/keraf/NoCoin I have plans to add a white list feature to temporarily allow a certain domain to use coin miners, for example if you need to pass one of these coin-hive Captchas. |
@keraf I saw your extension mentioned somewhere else as well. I am not sure if I will use a separate extension for this but I have a few concerns that I just came upon for you and @gorhill. Coinhive also has recaptchas and URL shorteners using the same CPU hashes to verify them. Here are some examples: More info: |
Just disable uBO if the site informs you of what it's trying to do and you agree. The reality is that despite all the ostensible wishful thinking by the authors of those miners and other schemes using user resources (bandwidth, CPU), those miners and other resource-eating approaches will be used against users by default without their consent, the ones playing nice will be the exception -- this is what advertising/tracking/data mining has shown. |
@gotitbro you seem to acknowledge that people can abuse a bitcoin miner maliciously, and your solution for this is blocking it for everyone, even if they are not using it maliciously. However, you don't seem to acknowledge the ability for list authors to abuse the power they have to block whatever they want. You don't think uBO should protect the user from this form of abuse, but it should protect them from the former form of abuse (with a wide ranging block). Am I understanding this correctly? |
This will never work. Don't use lists you don't like, it's that simple. |
@Avamander Whether an ad is evil or not is irrelevant. People install an [ad] blocking list to block ads, not bitcoin miners. The same can be said for a dedicated miners list. Whether they are evil or not is irrelevant, they can use the list to block them all, and ONLY them. This is what I mean by scope. |
@funkydude uBO has and always will be about protecting users as they wanted it to when they installed it in the first place. Coinhive is being blocked as it gives no user consent, give me one site which uses Coinhive with user consent maybe then we can take this further. List authors aren't abusing anything they do what they do in the interest of users and that is what is being done. Open source being the mindset behind it all. |
And you bring this up again which ad list is blocking the miners btw? |
@funkydude so your proposal would be to add
to uBO-filter list to deal with the filters in EasyPrivacy, which you think are beyond the scope of that list? |
@okiehsch That is what I think is trying to be communicated. But I don't think it should be done. |
@okiehsch which could then be overwritten by a dedicated miners list if a user wanted to block miners, evil or not. |
I don't think a specific miners list would be created as it is beyond this projects scope. |
It doesn't have to be started by this project, you can debate that at will. I've already seen people linking to lists with only this entry, on various forums and news articles. |
Then why is it being debated here in the first place? |
I am not talking about the EasyPrivacy issue. I am talking about creating the miners list which as I said seems to be beyond this project's scope and to which you also seem to agree. |
I never said I agree that a miners list is beyond the scope of this project, I don't care who wants to do it, I'm stating that's the "proper" way to deal with this situation. A list dedicated for ads. This entire ticket was debating the bitcoin miner issue, I'm not sure why you think it should not be debated. |
Creating a miner list was never the scope of this issue. It was about blocking a specific one that was being abused majorly. It doesn't need a debate if you want a miners list that badly maybe you can create one. If its good enough it might even become the de facto list for blocking miners. |
@funkydude even if one agrees with you that the filters in EasyPrivacy are beyond the scope of that list,
would make dedicated anti crypto-miner lists like |
@funkydude And you filter creation debate has already been solved as @okiehsch has provided us with a working example. |
@okiehsch , it seems |
@mapx- technically it does not overwrite it, it is a different filter, so |
@funkydude Who said the list has to be personal put it on GitHub. You are just humdrumming the same thing again and again. When provided with alternatives you don't acknowledge them. As to stopping an author from the abuse of power short answer we can't. But I don't believe anyone is abusing their power or is going to. These projects have been up for years with many supporters. |
@gotitbro I'm the one bringing up a valid debate, you're the one moaning that's it happening. Pro tip: leave. Users that opt into a TRACKING list do not expect to be blocking bitcoin miners. It is a simple abuse of their trust. When you tell a user "this list blocks trackers", don't lie to them. Telling people to "use other lists as a workaround for having your trust abused" is not a viable solution. We should be debating this and considering all the angles, instead of smacking it down with a giant hammer. You risk killing the potential of a real solution for replacing ads. |
The insults you are lashing out with are doing nothing for your side of the argument @funkydude. Try to have a little bit more tact when you are having a "debate", and people might be more apt to work with you.
Good. That's the purpose of ublock. To block stuff that people find annoying. |
You said something dumb and got schooled, not my problem. Also I don't really care what you think of me, as I don't hold you in a high regard either, considering your attitude earlier. If you dismiss valid talking points on the grounds of not liking the person speaking them, that says more about you.
No. The purpose of uBlock is to block what you tell it to block. That can be ads, trackers, miners, or entire websites. "uBlock" not "uSafety". If I've told it to block trackers, it needs to block trackers, not crypto miners. |
@gorhill can we lock this. This is quickly going to turn into just snipes and jabs, and i have no interest having my name dragged through the mud. |
@funkydude "If I've told it to block trackers, it needs to block trackers, not crypto miners." Yeah, that's not how it works, you can't tell uBlock to "block ads" or "block trackers", you enable lists, and if the list is unsuitable for you then DISABLE IT. Stop complaining here. |
@Avamander I honestly don't understand your logic. The lists you choose to install are the very action of you choosing what you want to block. If you don't enable any lists, you won't block anything. I have to wonder if you'd have the same attitude if it was something being blocked that you didn't want blocked, or if you just have this attitude because you're ok with having miners blocked. |
@gorhill websites have started crypto mining using random domains: The only practical solution I can come up with, is
or
or do you prefer a different fix? Edit: 638ad54 |
I would love to see ublock start blocking the crypto miners that people have started to embed on their pages (or
fetch
)URL(s) where the issue occurs
Warning, these link will end up consuming over 80% of your CPU
https://gus.host
https://spoopy.link/facebook.com
https://thepiratebay.org/search/Some%20Movie/0/99/0
Describe the issue
This page requests this: https://gus.host/coins.js via a script tag, which in turn runs a
fetch
to grab this script:https://coin-hive.com/lib/coinhive.min.js
. This script then hammers your CPU cores.The text was updated successfully, but these errors were encountered: