[HN Gopher] Fighting cryptojacking and doing good things with co...
___________________________________________________________________
Fighting cryptojacking and doing good things with content security
policies
Author : crecker
Score : 40 points
Date : 2021-03-31 20:47 UTC (2 hours ago)
(HTM) web link (www.troyhunt.com)
(TXT) w3m dump (www.troyhunt.com)
| D-Nice wrote:
| Run noJS by default with something like uMatrix/uBlock Origin,
| and never worry about this or similar problems again.
|
| All parts of a page for me, even 1st party, have JS disabled...
| you'd be surprised, most useful ones work completely fine like
| that and things load much faster. There's exceptions that do
| actually need it, and if I trust them, I'll enable 1st-party JS
| via uMatrix.
| wepple wrote:
| For the folks who were saying that TLS-everywhere is an
| unnecessary burden recently:
|
| > During our follow-up research on cryptojacking, we discovered
| that 1.4M MikroTik routers were serving cryptojacking scripts as
| they were routing Web traffic, geographically focussed on Brazil
| and Indonesia. It could be that a Vietnamese MikroTik router is
| still infected and somehow manages to inject the script into that
| particular (popular) website.
| gowld wrote:
| As I recall, people didn't say it was an unnecessary burden,
| they said it breaks home labs.
| wnevets wrote:
| I recall folks on HN and elsewhere claim static websites
| don't need https.
| r1ch wrote:
| While well-intentioned, I don't think the casual website visitor
| is going to understand what a cryptominer is and the blog post
| doesn't really do a good job of explaining what's going on,
| especially for non-English visitors. Instead of the blog post, a
| dedicated landing page I think would work much better -
| crowdsource some translations on github and put up something very
| simple like the Cloudflare interstitial design:
|
| "The website that sent you here has been hacked and may not be
| safe to use. Please contact the site owner to let them know. Are
| you the website owner? Click here for a detailed explanation."
|
| It also seems like the modal popup JS doesn't remember if the
| dialog has already been shown and will appear on every new
| navigation causing a lot of frustration for visitors. Given the
| widespread impact this has to users, it feels a bit rushed.
| sodality2 wrote:
| I agree. I wouldn't be surprised if someone thought the popup
| was the scam.
| sodality2 wrote:
| TLDR: he bought coinhive.com! very cool
| consp wrote:
| He acquired it from someone with apparently good intentions.
| Contextually a bit different tldr.
___________________________________________________________________
(page generated 2021-03-31 23:00 UTC)