[HN Gopher] Fighting cryptojacking and doing good things with content security policies
___________________________________________________________________

Fighting cryptojacking and doing good things with content security policies

Author : crecker
Score  : 40 points
Date   : 2021-03-31 20:47 UTC (2 hours ago)

(HTM) web link (www.troyhunt.com)
(TXT) w3m dump (www.troyhunt.com)

| D-Nice wrote:
| Run noJS by default with something like uMatrix/uBlock Origin,
| and never worry about this or similar problems again.
|
| All parts of a page for me, even 1st party, have JS disabled...
| you'd be surprised, most useful ones work completely fine like
| that and things load much faster. There's exceptions that do
| actually need it, and if I trust them, I'll enable 1st-party JS
| via uMatrix.

| wepple wrote:
| For the folks who were saying that TLS-everywhere is an
| unnecessary burden recently:
|
| > During our follow-up research on cryptojacking, we discovered
| > that 1.4M MikroTik routers were serving cryptojacking scripts as
| > they were routing Web traffic, geographically focussed on Brazil
| > and Indonesia. It could be that a Vietnamese MikroTik router is
| > still infected and somehow manages to inject the script into that
| > particular (popular) website.

| | gowld wrote:
| | As I recall, people didn't say it was an unnecessary burden,
| | they said it breaks home labs.

| | wnevets wrote:
| | I recall folks on HN and elsewhere claim static websites
| | don't need https.

| r1ch wrote:
| While well-intentioned, I don't think the casual website visitor
| is going to understand what a cryptominer is, and the blog post
| doesn't really do a good job of explaining what's going on,
| especially for non-English visitors. Instead of the blog post, a
| dedicated landing page I think would work much better:
| crowdsource some translations on GitHub and put up something very
| simple like the Cloudflare interstitial design:
|
| "The website that sent you here has been hacked and may not be
| safe to use. Please contact the site owner to let them know. Are
| you the website owner? Click here for a detailed explanation."
|
| It also seems like the modal popup JS doesn't remember if the
| dialog has already been shown and will appear on every new
| navigation, causing a lot of frustration for visitors. Given the
| widespread impact this has on users, it feels a bit rushed.

| | sodality2 wrote:
| | I agree. I wouldn't be surprised if someone thought the popup
| | was the scam.

| sodality2 wrote:
| TL;DR: he bought coinhive.com! Very cool.

| | consp wrote:
| | He acquired it from someone with apparently good intentions.
| | Contextually a bit different TL;DR.

___________________________________________________________________
(page generated 2021-03-31 23:00 UTC)
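The thread above turns on two points: a script injected on the wire (wepple's MikroTik quote) is only stopped if the page is served over TLS, and a script that does reach the page, whether injected or pulled in by a compromised include, only runs if the page's Content-Security-Policy allows its origin. The block below is an added example, written for this page and not taken from the HN thread or from Troy Hunt's post: a small evaluator for the CSP `script-src` / `default-src` source list, enough to show why `script-src 'self' https://cdn.example.com` blocks a miner fetched from coinhive.com while the loose `script-src https:` lets it through. The policies, the page URL and the injected-script path on coinhive.com are constructed sample input; nonces, hashes and `'unsafe-inline'` are deliberately out of scope.

```javascript
// Added example (not from the HN thread or Troy Hunt's post): a minimal
// evaluator for the CSP script-src / default-src source list. Handles host
// sources (with "*." wildcards, ports and paths), scheme sources, '*',
// 'self' and 'none'. Nonces, hashes and 'unsafe-inline' are not modelled.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "script-src 'self' https://cdn.example.com; default-src 'none'" ->
// { "script-src": ["'self'", "https://cdn.example.com"], "default-src": ["'none'"] }
// A directive repeated in one header is ignored after its first occurrence,
// which is what browsers do.
function parsePolicy(header) {
  const directives = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Effective port of a URL: explicit port, else the scheme default.
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does a single source expression permit fetching scriptUrl from pageUrl?
function sourceMatches(expr, pageUrl, scriptUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    return scriptUrl.protocol === pageUrl.protocol &&
      scriptUrl.hostname === pageUrl.hostname &&
      portOf(scriptUrl) === portOf(pageUrl);
  }
  // "*" matches any network scheme, so an injected https:// miner is allowed.
  if (e === "*") return /^(https?|wss?):$/.test(scriptUrl.protocol);
  // Scheme source such as "https:": any host on that scheme is allowed.
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return scriptUrl.protocol === e;

  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (scriptUrl.protocol !== scheme + ":") return false;
  } else if (!(scriptUrl.protocol === pageUrl.protocol ||
      (pageUrl.protocol === "http:" && scriptUrl.protocol === "https:"))) {
    return false; // no scheme given: inherit the page's, allowing http -> https
  }
  if (host.startsWith("*.")) {
    // "*.example.com" matches subdomains only, not the bare "example.com".
    if (!scriptUrl.hostname.endsWith(host.slice(1))) return false;
  } else if (scriptUrl.hostname !== host) {
    return false;
  }
  if (port === undefined) {
    if (portOf(scriptUrl) !== DEFAULT_PORTS[scriptUrl.protocol]) return false;
  } else if (port !== "*" && portOf(scriptUrl) !== port) {
    return false;
  }
  if (path) {
    const p = scriptUrl.pathname;
    if (path.endsWith("/")) { if (!p.startsWith(path)) return false; }
    else if (p !== path) return false; // exact file match
  }
  return true;
}

// Would a <script src="..."> on the page at pageHref be allowed to load?
// Falls back from script-src to default-src; a header that sets neither
// constrains nothing. Relative src values are resolved against the page.
function scriptAllowed(header, pageHref, scriptSrc) {
  const directives = parsePolicy(header);
  const sources = "script-src" in directives
    ? directives["script-src"]
    : directives["default-src"];
  if (sources === undefined) return true;
  const pageUrl = new URL(pageHref);
  const scriptUrl = new URL(scriptSrc, pageHref);
  return sources.some((expr) => sourceMatches(expr, pageUrl, scriptUrl));
}

// Constructed sample input: a strict policy beside a loose one, and a miner
// script URL on coinhive.com (path made up for the example).
const PAGE = "https://www.example.com/posts/1";
const POLICY_STRICT = "default-src 'none'; script-src 'self' https://cdn.example.com; img-src *";
const POLICY_LOOSE = "script-src https:";
const MINER = "https://coinhive.com/lib/coinhive.min.js";

function demo() {
  return {
    strictOwnScript: scriptAllowed(POLICY_STRICT, PAGE, "/js/app.js"),      // true
    strictCdn:       scriptAllowed(POLICY_STRICT, PAGE, "https://cdn.example.com/lib.js"), // true
    strictMiner:     scriptAllowed(POLICY_STRICT, PAGE, MINER),             // false
    looseMiner:      scriptAllowed(POLICY_LOOSE, PAGE, MINER),              // true
  };
}

console.log(demo());
```

The loose policy fails because `https:` is a scheme source: it says "any host, as long as it is TLS", which is exactly the class of host an injected or swapped-in miner lives on. The strict policy names the two origins that are supposed to serve script and falls back to `'none'` for everything the page does not list, so a `<script>` tag spliced into the HTML by an intermediary, or a third-party loader that starts fetching from a new domain, is refused by the browser before it runs.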