Google bans Chrome cryptocurrency mining extensions
Investment in crypto-assets is unregulated, may not be suitable for retail investors and the entire amount invested may be lost. It is important to read and understand the risks of this investment, which are explained in detail here.
James Wagner, Google Chrome Extensions Platform Product Manager, announced yesterday that Google decided to ban cryptocurrency mining extensions in the company's Chrome Web Store.
Cryptocurrency mining in the browser context is a relatively new phenomenon but one that is on the rise. One has to distinguish between mining scripts that run as scripts on websites and mining extensions that get installed in the browser by users or malicious actors.
Website mining scripts make up the bulk of mining activity of browsers. Website mining happens automatically in the background provided that the mining script or connection to mining servers is not blocked.
You have to distinguish between user installed mining extensions that were installed for the purpose, and extensions that were installed by third-parties or downloaded mining components after user installation.
The former type is installed with user approval, the latter without.
Google allowed mining extensions in the Chrome Web Store provided that mining was "the extension's single purpose" and that the user was "adequately informed" about the mining nature of the extension.
About 90% of all mining extensions uploaded to the Chrome Store did not meet Google's policies in regards to mining extensions. The extensions were either rejected outright or removed from Store after the fact.
The decision was made to ban cryptocurrency mining extensions from the Chrome Web Store because of that. Chrome's Web Store won't accept extensions anymore that mine cryptocurrency in the web browser. Extensions that are listed in the Chrome Web Store currently will be removed by Google in the coming months (late June).
The change won't affect non-mining extensions that deal with blockchain or mining related topics such as cryptocurrency exchange rates or news.
Closing Words
James Wanger, on behalf of Google, failed to disclose how the company wants to ensure that mining extensions won't find their way into the Store anymore. The Store has a track record of being abused by malicious actors, often in form of browser extensions that downloaded additional modules when run by users.
Google's Web Store uses algorithms to check and verify uploaded extensions. Threat actors managed to bypass the automatic checks time and time again; the situation got worse in recent time with the rise of cryptomining extensions and Google promised recently that it would do something about that.
It remains to be seen how well Google's algorithm is at detecting cryptomining extensions. While it will block the bulk of extensions I would not hold by breath that it will have a 100% detection track record.
Now You: have you encountered mining extensions or sites?
Related articles
- Chrome: Failed - Virus Detected troubleshooting
- Google promises better protection against deceptive Chrome inline installations
- How to undo the removal of downloads in Chrome
- Verify Google Chrome extensions before you install them
“have you encountered mining extensions or sites?”
I don’t know. I use NoScript to block all scripts by default, and only enable specific ones if they’re absolutely necessary. I may have come across them, but they wouldn’t have been able to run.
I know of the existence of the extension No-Script Suite Lite (Version: 0.2.8 – updated March 28) for Chrome 65 does it do the same as the NoScript (Version 10.1.7.5) I use for Mozilla Firefox 59.0.2?
Is there already a NoScript (full) version available for chrome 65 if the light version is not capable of the same protection as the for FireFox 59 available version?
Did I miss that?
I use Umatrix but I rather use NoScript also in Chrome 65.
Actually I just spent literally one minute in the source and found this:
send: function(channelName, message, callback) {
// Too large a gap between the last request and the last response means
// the main process is no longer reachable: memory leaks and bad
// performance become a risk — especially for long-lived, dynamic
// pages. Guard against this.
if ( this.pending.size > 25 ) {
vAPI.shutdown.exec();
}
On Chrome, the addon can actually stop sending messages to Chrome (assuming vAPI refers to the underlying browser API) if conditions are met regarding the message queue getting too long. The culprit would then be Chrome, not uMatrix, so ditching uMatrix doesn’t seem like a solution.
If you look at the same code in Firefox’s uMatrix, there is no such shutdown, every message is processed.
What does not processing messages mean ? I don’t know, I don’t want to dive into the source code. Worst case scenario it means the add-on’s ability to filter web content is hampered in certain edge cases on Chrome.
We’d either need to look the source code properly or ask author Gorhill to waste some of his time giving insight.
> same code in Firefox’s uMatrix
You are probably looking at the no longer maintained Firefox/legacy version. The Firefox/webext version is under the /platform/webext directory.
No, NoScript can’t exist in Chrome as add-ons don’t have as much control than in Firefox. The author of NoScript is Giorgio Maone, the No-Script Suite Lite is a different extension altogether made by someone else. I’d stay on known ground with uMatrix, if I was a Chrome user.
That said, uMatrix on Chrome is not quite the same as on Firefox either but I wouldn’t be able to tell you exactly how without wasting time looking at source codes. Either way, I doubt you can find a better content and script blocker on Chrome so that’s what I’d use along with uBlock Origin.
> uMatrix on Chrome is not quite the same as on Firefox either but I wouldn’t be able to tell you
It is the same.
Side note: one can disable web workers globally (one of the per-scope switches) and allow only if needed. Most cryptominers execute in web workers, some of them as first-party. This way one can allow first-party scripts and still block cryptominers.