add to resource abuse list pls #770

Closed
Zhangsun321 opened this issue Oct 18, 2017 · 51 comments

Comments

@Zhangsun321

https://authedmine.com/
coin miner.. 'opt in my ass'....

@jspenguin2017 (Contributor)

jspenguin2017 commented Oct 18, 2017

After a quick analysis, the opt-in does not seem to be bypassable by the site using it; it is shown in a secure iframe. The whole point of the resource abuse list is that mining becomes opt-in; I don't think this is a threat until they start abusing it.

@okiehsch (Contributor)

I agree with @jspenguin2017. I had a look at https://authedmine.com yesterday, and unless someone can provide an example of a site using authedmine without an explicit opt-in, I will not add it to the resource abuse list.

@Zhangsun321 (Author)

Zhangsun321 commented Oct 19, 2017 via email

@uBlock-user (Contributor)

The notice is cookie based. As long as the cookie and site data are NOT removed after being permitted once, it won't ask and will start mining.

@jspenguin2017 (Contributor)

They said on their website that the cookie is valid for up to 24h.

@lain566 (Contributor)

lain566 commented Oct 19, 2017

@okiehsch This, for example

https://mylink.st/OqQzF7J

[screenshot: uBO network request log, 2017-10-19]

@jspenguin2017 (Contributor)

jspenguin2017 commented Oct 19, 2017

Well, if you clicked the Captcha, it's like giving consent. It does not load CryptoNight before you click it.
[screenshot]

@okiehsch (Contributor)

okiehsch commented Oct 19, 2017

Correct me if I am wrong, but it looks to me like all mylink.st links will only be displayed after you mine for some time, so blocking authedmine.com makes mylink.st non-functional by disabling the captcha.

jspenguin2017 added a commit to jspenguin2017/uBlockProtector that referenced this issue Oct 19, 2017
@jspenguin2017 (Contributor)

I'll exclude authedmine.com from my filters until I can see by myself that it mines automatically without letting you know.
I consider a Captcha box to be enough of a consent.

@lain566 (Contributor)

lain566 commented Oct 19, 2017

@jspenguin2017 Of course, I clicked, but not everyone is informed about this.

@jspenguin2017 (Contributor)

@lain566
The box itself is enough of a consent IMO. Disabling uBO was used as a "consent box" because for those automatic miners we didn't really have other choices. But the side effect is that trackers and other stuff are unblocked as well, and when the Captcha finishes, you get redirected and you'll have a whitelist entry that you need to go into the uBO settings panel to remove.
It's just my opinion and I'm OK with whatever @okiehsch does.

@okiehsch (Contributor)

okiehsch commented Oct 19, 2017

In the end it is @gorhill's decision, but like I said, I agree with @jspenguin2017.

@lain566 (Contributor)

lain566 commented Oct 19, 2017

@jspenguin2017 That captcha has changed. Before, they used coinhive.com; now they use this authedmine.com. I guess it's a tactic. I never said that this should be blocked; I thought there was a solution to pass without loading cryptonight.

@jspenguin2017 (Contributor)

A solution to bypass it? Where?

@terrorist96 (Contributor)

@okiehsch the https://mylink.st/ site has anti-adblock as well.

@jspenguin2017 (Contributor)

jspenguin2017 commented Oct 20, 2017

Yea, it's Antiblock.org v3. I think this should work:
mylink.st##script:inject(abort-current-inline-script.js, document.getElementById, nextFunction())
Their code is polymorphic, but becomes static once a site owner installs it. The generic solution I use is a bit heavy.

okiehsch added a commit that referenced this issue Oct 20, 2017
@okiehsch (Contributor)

okiehsch commented Oct 20, 2017

mylink.st##script:inject(abort-current-inline-script.js, document.getElementById, nextFunction())
will lead to
[screenshot]

@@||mylink.st^$generichide works on my end.

@terrorist96 (Contributor)

@okiehsch There's also some VPN ads after you "prove you're human" (i.e. mine for like 20 seconds).
[screenshot]

okiehsch added a commit that referenced this issue Oct 20, 2017
@jspenguin2017 (Contributor)

after you "prove you're human" (i.e. mine for like 20 seconds).

I don't have any analysis data, but I think a Captcha like that is effective, since botnets are usually only composed of low-power (IoT) or old and broken systems, neither of which is able to quickly mine coins. And if there are many requests from one IP they can just raise the difficulty to slow you down.

@smed79 (Contributor)

smed79 commented Oct 20, 2017

@okiehsch The $generichide filter does not fix the anti-adblock for me. I need
@@.png#$image,domain=mylink.st
or
||mylink.st^*.png#$image,redirect=3x2-transparent.png

@jspenguin2017 (Contributor)

Actually, just mylink.st###y219 would work, the ID is static after installation.

@okiehsch (Contributor)

mylink.st###y219 does not reliably work on my end, I sometimes get a blank screen, so I added the redirect. e308746

@uBlock-user (Contributor)

uBlock-user commented Oct 20, 2017

They're holding the link hostage unless you mine for them, same as cnhv.co. Nope, not gonna whitelist it.

To put it into proper terms: a mining paywall.

@ghajini (Collaborator)

ghajini commented Oct 20, 2017

Is there any global script-based approach to stop these? Like the "no popup" switch present in uBlock Origin. They can use random domains; you can't block domains every time.
https://blog.eset.ie/2017/09/15/cryptocurrency-web-mining-in-union-there-is-profit/

because I have a very low-spec Windows machine, with little CPU and RAM, that I am not going to hand over to bitcoin miners... I visit movie sites and get those .info popups....

@uBlock-user (Contributor)

Some interesting discussion going around on bug tracker - https://bugs.chromium.org/p/chromium/issues/detail?id=766068

@gorhill (Member)

gorhill commented Oct 20, 2017

Is there any global script based approach to stop these

I did implement a no-web-workers switch at some point: #690 (comment). Typically coin miners use web workers, though some may use setTimeout, but that last one is more difficult to abuse because it can cause a lot of jank on a page. The problem with the no-web-workers switch is that it can't be implemented in Firefox, as it does not yet support the worker-src CSP directive required to block web workers.
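As an added example of the CSP mechanism gorhill refers to (this is not uBO's or any browser's code), the function below evaluates whether a given Content-Security-Policy header would let a page create a Web Worker from a URL. It follows the CSP Level 3 fallback chain for worker requests (worker-src, then child-src, script-src, default-src) and models only a simplified subset of source expressions; every policy and URL in it is a constructed sample, and the function names are mine.

```javascript
// Added example, not uBO's code. Evaluates whether a CSP header lets a page
// start a Web Worker from workerUrl. Directive lookup follows the CSP Level 3
// fallback chain for workers: worker-src -> child-src -> script-src -> default-src.
// Source matching is a simplified subset ('none', 'self', *, scheme:, host with
// an optional leading "*."); ports, paths and nonces/hashes are not modelled.

function parseCsp(header) {
  // "default-src 'self'; worker-src 'none'" -> { 'default-src': ["'self'"], 'worker-src': ["'none'"] }
  const policy = {};
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

function effectiveWorkerSources(policy) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (policy[name] !== undefined) return policy[name];
  }
  return null; // no governing directive: CSP places no restriction on workers
}

function sourceMatches(source, workerUrl, pageOrigin) {
  const u = new URL(workerUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === new URL(pageOrigin).origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return u.protocol === source; // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port]; a port is accepted but ignored here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol !== scheme + ':') return false;
  return wildcard ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// True if the policy allows a worker from workerUrl on a page served from pageOrigin.
function workerAllowed(cspHeader, workerUrl, pageOrigin) {
  const sources = effectiveWorkerSources(parseCsp(cspHeader));
  if (sources === null) return true;
  // An empty source list, or 'none', matches nothing.
  if (sources.length === 0 || sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, workerUrl, pageOrigin));
}

// Constructed samples: the policy a "no-web-workers" switch would inject,
// versus typical policies that never mention workers.
const SAMPLES = [
  { csp: "default-src 'self'; worker-src 'none'", worker: 'https://page.example/miner-worker.js' },
  { csp: "default-src 'self'", worker: 'https://page.example/miner-worker.js' },
  { csp: "default-src 'self'", worker: 'https://third-party.example/worker.js' },
  { csp: "img-src 'self'", worker: 'https://third-party.example/worker.js' },
];

function evaluateSamples(pageOrigin = 'https://page.example') {
  return SAMPLES.map((s) => ({ ...s, allowed: workerAllowed(s.csp, s.worker, pageOrigin) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateSamples()) {
    console.log(r.allowed ? 'ALLOW' : 'BLOCK', '|', r.csp, '->', r.worker);
  }
}
```

The third sample is the interesting one for this thread: a page that ships `default-src 'self'` already stops a cross-origin worker script, while `worker-src 'none'` is what a blocker would have to inject to stop workers the page itself serves. Both depend on the browser honouring the worker-src fallback chain, which is exactly the gap gorhill describes for Firefox at the time.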

@gwarser (Contributor)

gwarser commented Oct 20, 2017

Firefox has dom.workers.enabled in about:config, but this will break a lot of things.

@uBlock-user (Contributor)

@jspenguin2017 (Contributor)

Some interesting discussion going around on bug tracker - https://bugs.chromium.org/p/chromium/issues/detail?id=766068

Browser level interventions ain't going to work. Implement it and I'll get you 3 ways to get around it.

@Hrxn

Hrxn commented Oct 20, 2017

I'd disagree here.

If our browser makers would really want to do something about stuff like this, they would.
But they lack the cojones.
They could change all of this, autoplay etc. to make it click-to-play. Everything, without exception. Hard whitelist for everything, for every site.
Maybe their realization will kick in, sooner or later.

@jspenguin2017 (Contributor)

Sounds good in theory, not going to happen without help from AI. It is an unreasonable amount of work to police every website, and good luck operating on a white list, every time someone updates his website, it breaks in your browser.
If you think it's doable, I'd like to see you implement it.

@Hrxn

Hrxn commented Oct 20, 2017

Huh? AI?

By whitelisting, I mean to whitelist by the user, i.e. manually. That's definitely doable.

I always wanted to write my own web browser, sure.

@uBlock-user (Contributor)

All of these clones are bent on manipulating users into mining Monero coins for them, which they should rather be doing on their own and on their own rig; also, all the tools they need are available on Monero's official page.

@jspenguin2017 (Contributor)

@Hrxn So you mean every user will maintain their own filter list? That's really a lot of work for the user, and most people wouldn't have enough knowledge about web development to make a good decision.

@Hrxn

Hrxn commented Oct 21, 2017

No, I mean that the browser should keep and maintain those lists, basically. Similar to what browsers actually do right now, by setting content options (JS, images, cookies etc.) on a per-site basis. Although that is buried deep in the settings menus.

All that is needed is some form of UI element, a prompt, if unobtrusive, or better some notification "area" as part of the address bar or something, that asks the user for permission, i.e. "Allow this site to use Auto-play/Web Workers/WebRTC and whatever else". No need to know anything about web technologies, only necessary to know if you can trust a site. This could optionally be limited to secure sites with EV certificates or something, which can be overridden of course, for more advanced users. This is only a question of doing the User Experience right, everything else should be straightforward.

@jspenguin2017 (Contributor)

jspenguin2017 commented Oct 21, 2017

Similar to what browsers actually do right now, by setting content options (JS, images, cookies etc.) on a per-site basis.

So the browser stores the filter (or permission rule) list and the user sets them on a per-site basis? That's literally the definition of maintained by the user.
If you mean preloaded permission settings, then Brave has it, and... that's it. Pretty much none of the other browsers have them. Browsers right now have only one set of default permission settings, and it applies to all websites unless the user manually updates (maintains) it. So what do you mean by "Similar to what browsers actually do right now"?

No need to know anything about web technologies, only necessary to know if you can trust a site.

Given a website, how do you know if you can trust it? And how many people even know what web workers and WebRTC are?

@okiehsch (Contributor)

okiehsch commented Oct 31, 2017

@gorhill EasyPrivacy has added the filter ||authedmine.com^$third-party. Apart from the fact that an explicitly opt-in miner shouldn't be blocked, in my opinion, this filter makes sites like mylink.st/OqQzF7J non-functional with uBO-default settings.
Would you agree to adding ||authedmine.com^$third-party,badfilter to uBO-unbreak?

@smed79 (Contributor)

smed79 commented Oct 31, 2017

The content is blocked and the mining is forced. In my opinion, authedmine here is just replacing an anti-adblock.

What if an adserver adopts the same approach?

@okiehsch (Contributor)

I can see your point and I would have no problem adding
||authedmine.com^$third-party,domain=example.com, I just don't think the uBO-default setup should block an explicitly opt-in miner.

@smed79 (Contributor)

smed79 commented Nov 1, 2017

uBO-default setup should block an explicitly opt-in miner.

If they are not used to block the content.

On top of that, 100% of normal users will think they are solving a normal CAPTCHA; for that, the uBO-default setup should protect them, as has already been done before.

@okiehsch (Contributor)

okiehsch commented Nov 1, 2017

I already said I agree that using a miner as a de facto "paywall" should not be allowed by uBO, but right now all authedmine opt-in usage is blocked by the uBO-default setup, which means the "normal" uBO user has no choice.

@gorhill (Member)

gorhill commented Nov 1, 2017

Would you agree to adding ||authedmine.com^$third-party,badfilter to uBO-unbreak?

Yes, if it's entirely opt-in in a respectful way, there is no point blocking this. Was this added because of an instance of the miner not being respectful?
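To make the filter interplay discussed in the last few comments concrete, here is an added example (not uBO's code, and not its real filter engine): a toy evaluator for just the subset of network-filter syntax used in this thread, `||host^` patterns with the `$third-party`, `domain=` and `badfilter` options plus `@@` exceptions. It shows why EasyPrivacy's `||authedmine.com^$third-party` blocks the loader on mylink.st but not on authedmine.com itself, and how the proposed `badfilter` entry in uBO-unbreak cancels it. The matching semantics are my reading of the documented options, the registrable-domain helper is a deliberate simplification, and the request URLs are constructed placeholders.

```javascript
// Added example, not uBO's code. A toy evaluator for the network-filter subset
// this thread uses: "||host^" patterns, "@@" exceptions, and the third-party,
// domain= and badfilter options. Semantics are modelled on the documented
// options and are assumptions, not uBO's implementation.

function registrableDomain(hostname) {
  // Simplification: the last two labels. Real blockers consult the Public Suffix List.
  return hostname.split('.').slice(-2).join('.');
}

function parseFilter(line) {
  let text = line.trim();
  const exception = text.startsWith('@@');
  if (exception) text = text.slice(2);
  const dollar = text.lastIndexOf('$');
  const pattern = dollar === -1 ? text : text.slice(0, dollar);
  const options = dollar === -1 ? [] : text.slice(dollar + 1).split(',');
  const m = /^\|\|([a-z0-9.-]+)\^$/i.exec(pattern);
  if (!m) throw new Error('unsupported pattern in this toy: ' + pattern);
  const f = { host: m[1].toLowerCase(), exception, thirdParty: null, domains: null, badfilter: false };
  for (const opt of options) {
    if (opt === 'third-party') f.thirdParty = true;
    else if (opt === '~third-party') f.thirdParty = false;
    else if (opt.startsWith('domain=')) f.domains = opt.slice('domain='.length).toLowerCase().split('|');
    else if (opt === 'badfilter') f.badfilter = true;
    else throw new Error('unsupported option in this toy: ' + opt);
  }
  // Identity used for badfilter cancellation: same pattern and same options,
  // with badfilter itself removed and option order normalised.
  f.key = (exception ? '@@' : '') + pattern + '$' + options.filter((o) => o !== 'badfilter').sort().join(',');
  return f;
}

function matches(f, request) {
  const host = new URL(request.url).hostname.toLowerCase();
  if (host !== f.host && !host.endsWith('.' + f.host)) return false; // "||host^" anchor
  const page = new URL(request.pageUrl).hostname.toLowerCase();
  const thirdParty = registrableDomain(host) !== registrableDomain(page);
  if (f.thirdParty !== null && f.thirdParty !== thirdParty) return false;
  if (f.domains && !f.domains.some((d) => page === d || page.endsWith('.' + d))) return false;
  return true;
}

// lists: one array of filter lines per subscribed list (e.g. EasyPrivacy, uBO-unbreak).
// A badfilter entry in any list cancels the matching filter in every list.
function loadLists(lists) {
  const filters = lists.flat().map(parseFilter);
  const cancelled = new Set(filters.filter((f) => f.badfilter).map((f) => f.key));
  return filters.filter((f) => !f.badfilter && !cancelled.has(f.key));
}

// Exceptions ("@@") win over block filters, as in ABP-style lists.
function decide(filters, request) {
  const hits = filters.filter((f) => matches(f, request));
  if (hits.some((f) => f.exception)) return 'allow';
  return hits.some((f) => !f.exception) ? 'block' : 'allow';
}

// Constructed sample requests. The loader path is a placeholder, not the real URL.
const LOADER_ON_MYLINK = {
  url: 'https://authedmine.com/PLACEHOLDER-loader.js',
  pageUrl: 'https://mylink.st/OqQzF7J',
};
const LOADER_FIRST_PARTY = {
  url: 'https://authedmine.com/PLACEHOLDER-loader.js',
  pageUrl: 'https://authedmine.com/',
};

// The lists discussed above: EasyPrivacy's filter and the proposed uBO-unbreak override.
const EASYPRIVACY = ['||authedmine.com^$third-party'];
const UBO_UNBREAK = ['||authedmine.com^$third-party,badfilter'];

function outcomes() {
  return {
    easyprivacyOnly: decide(loadLists([EASYPRIVACY]), LOADER_ON_MYLINK),
    withUnbreak: decide(loadLists([EASYPRIVACY, UBO_UNBREAK]), LOADER_ON_MYLINK),
    firstParty: decide(loadLists([EASYPRIVACY]), LOADER_FIRST_PARTY),
  };
}
```

`outcomes()` returns `block`, `allow`, `allow` respectively: the `$third-party` option is what spares authedmine.com's own pages, and the `badfilter` line neutralises EasyPrivacy's entry without editing that list. okiehsch's alternative, `||authedmine.com^$third-party,domain=example.com`, is also representable: with `domain=` set, the same loader request is blocked only when the embedding page is on example.com.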

@jspenguin2017 (Contributor)

I think EasyPrivacy blocks everything that would send the performance data of your device to a third party.

@okiehsch (Contributor)

okiehsch commented Nov 1, 2017

The commit message states that they sync with the adblock-nocoin-list or sync with "mining servers".

@gotitbro

gotitbro commented Dec 4, 2017

@okiehsch @gorhill I came upon a website (http://www.nicolabattista.it/) that uses authedmine. And even if you click "Cancel" to disallow mining it keeps asking again and again but does not ask again and again if you allow it.

@coinhive-com You might want to take a look at this behavior. If a user disallows mining it shouldn't ask repeatedly.

@gorhill (Member)

gorhill commented Dec 4, 2017

Consider this a web site error; that's completely out of the scope of the repo here, its purpose is not to fix sites' coding errors.

@gotitbro

gotitbro commented Dec 5, 2017

@gorhill Seems like they, authedmine, don't store a cookie when a user disallows the mining request. Just wanted to bring that to attention as it was being considered to be whitelisted.

If another website can be seen with same authedmine behavior then we can say for sure if they repeatedly ask for mining.

@coinhive-com

The AuthedMine library provides functionality to test for opt-outs before showing the popup again, as detailed in the docs, e.g.:

// Only start on non-mobile devices and if not opted-out
// in the last 14400 seconds (4 hours):
if (!miner.isMobile() && !miner.didOptOut(14400)) {
	miner.start();
}

@jspenguin2017 (Contributor)

@gorhill Maybe they did it on purpose? It keeps popping up in order to pressure the user to click allow?

@coinhive-com You need to enforce a cooldown for asking again, you can't expect websites to responsibly use your API to check for opt out.
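As an added example of the cooldown jspenguin2017 is asking for (this is not AuthedMine's library, nor uBO code), the class below keeps the user's last decision with a timestamp and enforces both windows itself: an acceptance is valid for a consent TTL (the thread mentions a cookie valid for up to 24h) and a refusal suppresses the prompt for a cooldown (the `didOptOut(14400)` value from the docs snippet). Because the gate, not the embedding site, decides whether the prompt may be shown, forgetting to call an opt-out check cannot turn into a prompt on every page load. The class and method names are mine; the store is an in-memory Map standing in for a cookie jar, and the clock is injected so the timeline can be replayed.

```javascript
// Added example, not AuthedMine's or uBO's code. A consent gate that records the
// user's last decision with a timestamp and enforces two windows on its own:
//   - an accepted decision is valid for consentTtlSeconds (24h per the thread),
//   - a refusal suppresses the prompt for cooldownSeconds (14400 s per the docs snippet).
// The store is a Map standing in for a cookie jar; `now` is injectable for tests.

class ConsentGate {
  constructor({ store = new Map(), now = () => Date.now(), consentTtlSeconds = 86400, cooldownSeconds = 14400 } = {}) {
    this.store = store;
    this.now = now;
    this.consentTtlMs = consentTtlSeconds * 1000;
    this.cooldownMs = cooldownSeconds * 1000;
  }

  // Record what the user chose in the prompt (true = Allow, false = Cancel).
  recordDecision(allowed) {
    this.store.set('consent', { allowed, at: this.now() });
  }

  decision() {
    return this.store.get('consent') || null;
  }

  // Counterpart of didOptOut(seconds): a refusal that is still inside the cooldown.
  didOptOut() {
    const d = this.decision();
    return d !== null && d.allowed === false && this.now() - d.at < this.cooldownMs;
  }

  // An acceptance that has not yet expired.
  hasConsent() {
    const d = this.decision();
    return d !== null && d.allowed === true && this.now() - d.at < this.consentTtlMs;
  }

  // The prompt may only be shown when there is neither valid consent nor a recent refusal.
  // This is enforced here, so an embedding site cannot re-prompt on every load.
  mayPrompt() {
    return !this.hasConsent() && !this.didOptOut();
  }

  // Work may only start on recorded, unexpired consent, never by default.
  mayStart() {
    return this.hasConsent();
  }
}

// Replays the scenario reported above (Cancel, reload, wait, Allow, expiry)
// against a controllable clock and returns the gate's answers at each step.
function simulate() {
  let t = 0;
  const gate = new ConsentGate({ now: () => t });
  const log = [];
  log.push(['fresh visitor: may prompt', gate.mayPrompt()]);
  gate.recordDecision(false);                 // user clicks Cancel
  t = 60 * 1000;                              // reload one minute later
  log.push(['one minute after Cancel: may prompt', gate.mayPrompt()]);
  t = 14400 * 1000;                           // cooldown has elapsed
  log.push(['after cooldown: may prompt', gate.mayPrompt()]);
  gate.recordDecision(true);                  // user clicks Allow
  log.push(['after Allow: may start', gate.mayStart()]);
  log.push(['after Allow: may prompt', gate.mayPrompt()]);
  t += 86400 * 1000;                          // consent TTL has elapsed
  log.push(['24h after Allow: may start', gate.mayStart()]);
  return log;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [step, answer] of simulate()) console.log(answer ? 'yes' : 'no ', '|', step);
}
```

The design point is where the check lives: in gotitbro's report the re-prompting happens because the site's code never consults the opt-out state, and a library that only offers the check as an optional API cannot stop that. Putting the cooldown inside the gate makes "don't ask again for a while" the default rather than something each site has to remember.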

jspenguin2017 added a commit to jspenguin2017/uBlockProtector that referenced this issue Dec 5, 2017
@uBlock-user (Contributor)

uBlock-user commented Dec 6, 2017

Abuse of APIs is nothing new; this was bound to happen at some point. They themselves are evading the filters by using new domains 😞

@gotitbro

gotitbro commented Dec 6, 2017

@uBlock-user Sorry didn't get that. Who's evading what?
