
Coinhive – First Week Status Report - pr0gramm
https://coin-hive.com/blog/status-report
======
only15charlong
I am one of such owners who did not disclose mining activities on my website
and I am encouraged yet concerned at the opinions of the developers over what
one does with coin-hive. It is always good to have an opinionated, and
impassioned developer.

But if it leads to coin-hive dictating the way a website chooses to operate,
it becomes not much different from the way Adsense dictates the way you have
to display its ads.

This is the quote in question: "we have to be respectful to our end users". I
am your end user. My visitors are my end user. Please do not jump the gun.

That said, the topic of whether disclosure is respectful, or legal, or legal
until the law has caught up with it is a slippery slope with many valid yet
conflicting parts.

\- When a visitor visits a website, is there an implicit agreement to expend
resources to load all of the website?

\- If so, is ad block breaking the implicit agreement?

\- Why do people often use cookies as an example of why it should be
disclosed, when the issue is a matter of privacy not the use of computer
resources?

\- If it is computer resources, doesn't it fall under the first point above?

Yet, there are many types of tracking tools besides cookies that are even more
invasive and take up CPU, bandwidth and electricity like tracking cursor
movements (session replay) that never gets disclosed either out in the wild.

It may seem like the whole world is against undisclosed mining, but to a fish,
an aquarium could be the whole world.

~~~
snek
I want to start out by saying that I use coinhive on my own site.

I think its important to notify the user that you are doing things without
their explicit knowledge. Technically you are taking advantage of their system
for your own monetary gain, and in fact they spend more generating that money
than you receive from their efforts (by averaged data from comed's 2016
demographic census).

"When a visitor visits a website, is there an implicit agreement to expend
resources to load all of the website?" I don't think that mining
cryptocurrency counts as part of "loading all of the website," and I would go
so far as to call that extraneous.

Cookies are actually not notified only for their privacy implications but for
the fact that they store data on your device.

As a user of any website, I am fine with coinhive running _as long as I am
aware of it._ Checking the network waterfall to see if assets from coinhive
were loaded is a bad experience to check if the page might be doing something
more malicious. All in all I think we end up where we began. Be kind to your
users, since they are, of course, who you are catering your experience to.

------
jrmgx
Hello there, jumping in the conversation as I am one of the early adopter.

This is how I implemented it on my side project Thread Reader. See an example
on:
[https://tttthreads.com/t/907445479826448385](https://tttthreads.com/t/907445479826448385)
bottom of the page

My implementation use 1 thread max with 35% of the CPU max. I've done it this
way because it is what I'm ready to give as an user

Also it does not start (and show a Paypal donate instead) if:

\- you are on a mobile device (tested with user agent)

\- you are on battery (tested with the browser.getBattery API)

If the miner starts: you get an info box at the bottom of the page, with an
user accessible explanation (should be understandable by anyone) and a STOP
button (that stop it for 90 days)

Also before using the miner I took some time to communicate about it, even if
I did not get much user feedback (I use my project twitter account to do so)

If you get the Paypal donate box it means that the script decided not to start
the miner for some reason.

------
user1667
I also did not disclose the mining activities to my visitors and got 20kh/s
and no one complained about the cpu usage.

Forcing an opt-in won't work. Many users doesn't even know what mining is and
won't agree with it. Most of the users doesn't take the time to read
explanations either. Imagine what would happen if we ask the users to opt-in
to see ads.

If antivirus continues to block the miner, most websites will display a
warning to the visitor requiring him to disable his antivirus just like they
do with adblocks.

Coin-hive already takes a large percentage (30%) and competition will arrive
soon. Forcing an opt-in will just force us to seek another platform.

You can require opt-in to use 100% of the users cpu or something close to it
to prevent abuse, but never to small percentages such as 10 or 20%. You should
focus on contacting those antivirus companies and explain to them that the
miner is not a virus and it does not harm the visitor.

------
grahamlyons1973
I'd really like to see you implement a tiered pricing system so that bigger
users can pay a little less than the 30% currently. There is bound to be some
competition springing up quickly and this would be the best way to keep people
on board. Otherwise great service :)

------
kingvid
I strongly recommend that we have another solution, not mandatory, requiring
the user to explicitly opt-in to run coin-mine. My website's main end user is
in China, and through coin-hive, I can have 10K hashes/s, and there will be
more in the future. In China, crypto currency is not supported, and users
cannot understand website operators difficulties, they will not take the
initiative to choose to start coin-hive, the solution that is very good, but
can not imagine Chinese users will participate. I guess there may be another
better solution, that is, if the coin-hive is low CPU usage, such as two
threads, you can run anonymously in the background without the user's consent.
If it is a higher CPU usage, it will require user approval to run. Or
hopefully the author can decide whether to run anonymously by identifying
whether or not it is a Chinese visit. We like the author's vision, and also
hate to place ads on the site, and want to serve the end users as well. But it
doesn't work in china. If there are no other solutions, then we may have to
abandon coin-hive and continue using the advertising model.

------
Beedybob
Malwarebytes is now blocking completely coin-hive.com

~~~
AFNobody
Yeah, I had that problem as well when I ran a two day test. I had ~2% of users
report their antivirus blocked it as a Trojan and .6% tell me the site has
been hacked.

And that is running it on relatively benign settings. :/

------
krampe
Hey,

cloudflare suspend now coinhive websites:
[https://torrentfreak.com/cloudflare-bans-sites-for-using-
cry...](https://torrentfreak.com/cloudflare-bans-sites-for-using-
cryptocurrency-miners-171004/)

very bad :/

------
kerenpj
Hi, i'm would like to know the way to adapt mining for mobile user. Now i have
15khs/s with 1 thread but i would like to change to 2 thread for desktop user
and still 1 thread for mobile user . How to do?

~~~
kerenpj
I try 0.5 throttle 4 thread it not work . Mobile user still use there 100% cpu

------
TandPio
I think it is a great idea. I am using it to try and create a charity. Though
everyone who looks at it seems to think it could be a scam. Crypto just has a
bad rep.

Check it out if you want www.thoughtsandprayers.io

------
mirror
I did not disclose usage as well. It's hard to start a moral conversation. Do
we ask permission from users to display ads ? No ? Why a miner then. My
throttle was at 0.5. Will discontinue due to antivirus/internet security
software labeling the site as hacked/infected. But even if it was close to
100%, I don't think notifying them is important. Does Adobe inform users that
photoshop or premiere will work at 100% when doing difficult tasks ?

Hopefully a solution will be found.

~~~
g-b-r
So you are doing a difficult task that the user requested when you're
cryptomining with his computer?

~~~
mirror
a web page or a software isn't there to do only what the user wants to do.
Users don't want ads, maybe we should ask them ? Seriously ?

------
maxman12
clickbank did something you can learn from. they require all their vendors to
have a script that shows a mini image 'powerd by clickbank SSL' ...comodo SSL
does the same thing to notify web visitors of SSL being used... you can do the
same to have the JS file show a little thing in the corner to say 'this site
has no ads and is supported by coinhive browser mining'

------
filmlos
Not bad ;) ... [http://prntscr.com/gojd92](http://prntscr.com/gojd92) ...

~~~
superg
Very good. Could you share some analyticts of your site? How many daily
visitors? Average session time? It would be very interesting to know...

------
fvisnjic
Thank you for your report + thank you for all your hard work! We are at 1.24 G
(with you) and counting!

------
dheerajkumar
How can I run this js on my web hosting?(without any visitor, I mean how to
use web hosting's Cpu power to run the miner)

------
marxc88
Hi , people . i am try coin hive , but i am one question? Anyone know how to
transfer the earnings to paypal account?

------
jossieachees
Hope that an updated version of speed Conception 1.Simplifies the JS
configuration process(E.g speed control,CPU Thread control),Developers are
free to design! Conception 2.Improve the mining speed,Optimize JS code!(E.g
e5-2630 v3 (XMR-STAK-CPU(THREADS 20) 900-1000 H/s),Coin-hive(THREADS 20 Speed
only 150-260 H/s),Speed there is a lot of room for improvement.I hope we
strive forward!!!

------
diegorbaquero
One way to avoid blocking would be to self-host the js file and proxy the
websocket, any plans for this?

~~~
AFNobody
It doesn't work. Multiple antivirus vendors flagged it when I tried that.

~~~
diegorbaquero
They block the js?

~~~
AFNobody
Correct, and notify the user the site is infected with a trojan with a scary
warning screen. That second part being the bigger issue.

The JS being blocked isn't the issue, the fact I have users contacting me
claiming the site was hacked was the big issue.

~~~
user1667
You can check if the JS was loaded and display a modal asking the user to
report a false positive in their anti-virus software. It's similar to what
websites already do with adblocks.

~~~
AFNobody
Do you understand what a customer service nightmare customers asking if their
phones got hacked by your website is?

------
coship
I agree for compulsory user consent to mine however, this should be only
compulsory for web owners having throttle greater than 0.5 for desktops and
for all throttle rates for mobile devices. Anything less than 0.5 throttle on
desktops should be allowed to run anonymously. My two cents!

Great service indeed, and an alternate revenue stream for website owners.

~~~
rastilin
Agreed. The whole point of mining is that it's a less obtrusive and less
intrusive alternative to running ads. If you're going to show people a scary
"opt-in" button from a separate page (which may be blocked anyway), it's
easier to just ditch the idea and run ads instead.

What if they say no? Do you just block them from reading your site? Users will
disappear as no one wants yet another account they have to click through just
to check a site out.

------
katopz
Can I expected pure nodejs version? or maybe pool url for mining from server?

------
bsparker
Interesting. Is there way to subscribe to these?

------
g-b-r
Solutions along these lines (though probably not centralized like this one)
are interesting alteratives to ads, but if you want to make them acceptable to
the end-users you HAVE to make them AT LEAST stoppable and configurable (by
the end-users).

Here are some negative effects of abusing the cpu without the user's consent
that come to my mind:

    
    
      - the obvious, energy consumption (and thus money). In some cases it
        can be significant, and it will for sure be if these things become
        widespread
    
      - it can rev-up the fans, up to extremely annoying noise levels
    
      - on the many old devices that are unable to keep the temperatures
        down on high loads it can warm-up the device up to dangerous
        levels, high enough to:
         - make the device protection features shut it down  
         - make the device catch fire, if there are no protection features
           or they don't work well enough
         - ruin some components of the device
         - in any case for sure reduce the lifetime of some components
         - it lowers battery life on battery-powered devices	
    
      - it can easily interfere with the other activities of the user: a
        process using a lot of cpu time will easily reduce the performance
        of other parts of the system, even if the user were to lower its
        priorities
    
      - on the many browsers that don't allow constraining the resources
        allotted to individual tabs/servers/scripts it can interfere with
        the usage of the browser
    
      - even on the browsers that do support constraining the resources it
        will easily require some annoying work on the part of the user to
        investigate which tab/server/script is responsible 
    
    
    

So you _might_ activate them by default when (really) throttled to a low cpu
usage amount, as others suggested, but if you do so you _must_ make them easy
to turn off or to configure to a lower usage.

You should consider that an user might be concurrently visiting multiple sites
that use this thing, so individual low cpu usages can add-up to a considerable
amount.

It might be better indeed to have a means to configure all instances of the
script from a single place; I know, hard to do probably.

But really, at least until/if these things become widespread, well understood
and standardized (possibly with apis to let the browser control them
automatically), it is much better to activate them only at the request of the
user.

How to push users to opt-in, without being obtrusive?

Make a big button "DISABLE ADS", with a smaller writing under it "by switching
to cryptomining".

When the user clicks it, replace it with two buttons "Turn-off cryptomining -
(by re-enabling ads)" and "Configure cryptomining".

Someone might think that it would be unjust to let the users configure the
amount of cryptomining, but in reality:

    
    
      - there are already unfairnesses in the facts that
        - users with more energy-hungry systems will pay more than others
        - users with more powerful systems will mine more and thus give
          more money to the sites and the others involved
      - it will always be possible to block them entirely with
        script-blockers or other means; that's the state of things and we
        should be glad that it's so: Internet would probably become a much
        less useful sh*t in the unlikely event that blockers became
        preventable; an unprofitable internet would most likely have still
        much more potential than one that supported forcing ads or scripts
        to the end-users.

~~~
g-b-r
(yes it's sh*tty formatting, it's the least worst workaround to the lack of
support for lists that I could find)

------
filmlos
Nice ... 5.99 G Let's see ;)

------
maxman12
how can I invest in coinhive? this is gonna be big!

