Coinhive – First Week Status Report (coin-hive.com)
27 points by pr0gramm 8 months ago | 38 comments

I am one of those owners who did not disclose mining activities on my website and I am encouraged yet concerned at the opinions of the developers over what one does with coin-hive. It is always good to have an opinionated and impassioned developer.

But if it leads to coin-hive dictating the way a website chooses to operate, it becomes not much different from the way Adsense dictates the way you have to display its ads.

This is the quote in question: "we have to be respectful to our end users". I am your end user. My visitors are my end users. Please do not jump the gun.

That said, the topic of whether disclosure is respectful, or legal, or legal until the law has caught up with it is a slippery slope with many valid yet conflicting parts.

- When a visitor visits a website, is there an implicit agreement to expend resources to load all of the website?

- If so, is ad block breaking the implicit agreement?

- Why do people often use cookies as an example of why it should be disclosed, when the issue is a matter of privacy not the use of computer resources?

- If it is computer resources, doesn't it fall under the first point above?

Yet, there are many types of tracking tools besides cookies that are even more invasive and take up CPU, bandwidth and electricity, like tracking cursor movements (session replay), that never get disclosed either out in the wild.

It may seem like the whole world is against undisclosed mining, but to a fish, an aquarium could be the whole world.

I want to start out by saying that I use coinhive on my own site.

I think it's important to notify the user that you are doing things without their explicit knowledge. Technically you are taking advantage of their system for your own monetary gain, and in fact they spend more generating that money than you receive from their efforts (by averaged data from comed's 2016 demographic census).

"When a visitor visits a website, is there an implicit agreement to expend resources to load all of the website?" I don't think that mining cryptocurrency counts as part of "loading all of the website," and I would go so far as to call that extraneous.

Cookies are actually not notified only for their privacy implications but for the fact that they store data on your device.

As a user of any website, I am fine with coinhive running as long as I am aware of it. Checking the network waterfall to see if assets from coinhive were loaded is a bad experience to check if the page might be doing something more malicious. All in all I think we end up where we began. Be kind to your users, since they are, of course, who you are catering your experience to.

Hello there, jumping into the conversation as I am one of the early adopters.

This is how I implemented it on my side project Thread Reader. See an example on: https://tttthreads.com/t/907445479826448385 bottom of the page

My implementation uses 1 thread max with 35% of the CPU max. I've done it this way because it is what I'm ready to give as a user.

Also it does not start (and show a Paypal donate instead) if:

- you are on a mobile device (tested with user agent)

- you are on battery (tested with the browser.getBattery API)

If the miner starts: you get an info box at the bottom of the page, with a user-accessible explanation (should be understandable by anyone) and a STOP button (that stops it for 90 days)

Also before using the miner I took some time to communicate about it, even if I did not get much user feedback (I use my project twitter account to do so)

If you get the Paypal donate box it means that the script decided not to start the miner for some reason.
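The gating rules described in the post above (mobile check, battery check, 90-day STOP, 1 thread at 35% CPU), written out as an added example that is not part of the original comment or the Thread Reader code. Function and field names are hypothetical, the user-agent pattern is an assumed heuristic, and treating an unavailable battery reading as "do not mine" is this example's own assumption.

```javascript
// Added example: consent-aware gate that decides between "mine" and "donate".
// All names are hypothetical; no miner library is loaded or called here.

const STOP_DAYS = 90;                          // STOP button opt-out period (from the post)
const LIMITS = { threads: 1, cpuMax: 0.35 };   // 1 thread, 35% CPU max (from the post)
const MOBILE_UA = /Mobi|Android|iPhone|iPad|iPod/i; // assumed user-agent heuristic
const DAY_MS = 24 * 60 * 60 * 1000;

/**
 * env.userAgent : string, e.g. navigator.userAgent
 * env.battery   : { charging: boolean }, e.g. from navigator.getBattery(), or null
 * env.stoppedAt : ms timestamp of the visitor's last STOP click, or null
 * env.now       : current time in ms
 */
function decideMode(env) {
  const donate = (reason) => ({ mode: 'donate', reason });

  if (MOBILE_UA.test(env.userAgent || '')) return donate('mobile');

  // Assumption: fail closed. Unknown power state is treated like battery power.
  if (!env.battery) return donate('battery-unknown');
  if (env.battery.charging !== true) return donate('on-battery');

  // Honour an earlier STOP click for the full opt-out period.
  if (env.stoppedAt != null && (env.now - env.stoppedAt) / DAY_MS < STOP_DAYS) {
    return donate('user-stopped');
  }

  // Mining is allowed only together with the visible notice and STOP control.
  return { mode: 'mine', showInfoBox: true, showStopButton: true, ...LIMITS };
}

// Constructed sample inputs (not real visitor data).
const NOW = Date.UTC(2017, 8, 25);
const DESKTOP = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/55.0';
const PHONE = 'Mozilla/5.0 (Linux; Android 7.0) Mobile Safari/537.36';

function demo() {
  return [
    decideMode({ userAgent: DESKTOP, battery: { charging: true }, stoppedAt: null, now: NOW }),
    decideMode({ userAgent: PHONE, battery: { charging: true }, stoppedAt: null, now: NOW }),
    decideMode({ userAgent: DESKTOP, battery: { charging: false }, stoppedAt: null, now: NOW }),
    decideMode({ userAgent: DESKTOP, battery: { charging: true }, stoppedAt: NOW - 89 * DAY_MS, now: NOW }),
  ];
}
```

Every path that does not return `mine` corresponds to the donate box the post describes, and the `reason` field makes it possible to log why the miner was not started.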

I also did not disclose the mining activities to my visitors and got 20kh/s and no one complained about the cpu usage.

Forcing an opt-in won't work. Many users don't even know what mining is and won't agree with it. Most of the users don't take the time to read explanations either. Imagine what would happen if we ask the users to opt-in to see ads.

If antivirus continues to block the miner, most websites will display a warning to the visitor requiring him to disable his antivirus just like they do with adblocks.

Coin-hive already takes a large percentage (30%) and competition will arrive soon. Forcing an opt-in will just force us to seek another platform.

You can require opt-in to use 100% of the user's CPU or something close to it to prevent abuse, but never for small percentages such as 10 or 20%. You should focus on contacting those antivirus companies and explain to them that the miner is not a virus and it does not harm the visitor.

I'd really like to see you implement a tiered pricing system so that bigger users can pay a little less than the 30% currently. There is bound to be some competition springing up quickly and this would be the best way to keep people on board. Otherwise great service :)

Malwarebytes is now completely blocking coin-hive.com

Yeah, I had that problem as well when I ran a two day test. I had ~2% of users report their antivirus blocked it as a Trojan and .6% tell me the site has been hacked.

And that is running it on relatively benign settings. :/

Hi, I would like to know how to adapt mining for mobile users. Right now I have 15khs/s with 1 thread, but I would like to change to 2 threads for desktop users and still 1 thread for mobile users. How do I do that?

I tried 0.5 throttle with 4 threads and it does not work. Mobile users still use 100% of their CPU.


Cloudflare now suspends Coinhive websites: https://torrentfreak.com/cloudflare-bans-sites-for-using-cry...

very bad :/

I think it is a great idea. I am using it to try and create a charity. Though everyone who looks at it seems to think it could be a scam. Crypto just has a bad rep.

Check it out if you want www.thoughtsandprayers.io

I did not disclose usage as well. It's hard to start a moral conversation. Do we ask permission from users to display ads? No? Why a miner then? My throttle was at 0.5. Will discontinue due to antivirus/internet security software labeling the site as hacked/infected. But even if it was close to 100%, I don't think notifying them is important. Does Adobe inform users that Photoshop or Premiere will work at 100% when doing difficult tasks?

Hopefully a solution will be found.

So you are doing a difficult task that the user requested when you're cryptomining with his computer?

A web page or a piece of software isn't there to do only what the user wants to do. Users don't want ads, maybe we should ask them? Seriously?

ClickBank did something you can learn from. They require all their vendors to have a script that shows a mini image 'powered by clickbank SSL'... Comodo SSL does the same thing to notify web visitors of SSL being used... You can do the same to have the JS file show a little thing in the corner to say 'this site has no ads and is supported by coinhive browser mining'.

Not bad ;) ... http://prntscr.com/gojd92 ...

Very good. Could you share some analytics of your site? How many daily visitors? Average session time? It would be very interesting to know...

Thank you for your report + thank you for all your hard work! We are at 1.24 G (with you) and counting!

How can I run this JS on my web hosting? (Without any visitor, I mean how to use the web hosting's CPU power to run the miner.)

Hi, people. I am trying Coinhive, but I have one question: does anyone know how to transfer the earnings to a PayPal account?

Hope that an updated version of speed

Conception 1. Simplify the JS configuration process (e.g. speed control, CPU thread control). Developers are free to design!

Conception 2. Improve the mining speed, optimize the JS code! (E.g. e5-2630 v3: XMR-STAK-CPU (THREADS 20) 900-1000 H/s, Coin-hive (THREADS 20) speed only 150-260 H/s.) For speed there is a lot of room for improvement. I hope we strive forward!!!

One way to avoid blocking would be to self-host the js file and proxy the websocket, any plans for this?

It doesn't work. Multiple antivirus vendors flagged it when I tried that.

They block the js?

Correct, and notify the user the site is infected with a trojan with a scary warning screen. That second part being the bigger issue.

The JS being blocked isn't the issue, the fact I have users contacting me claiming the site was hacked was the big issue.

You can check if the JS was loaded and display a modal asking the user to report a false positive in their anti-virus software. It's similar to what websites already do with adblocks.

Do you understand what a customer service nightmare customers asking if their phones got hacked by your website is?

I agree with compulsory user consent to mine; however, this should only be compulsory for web owners having a throttle greater than 0.5 for desktops and for all throttle rates for mobile devices. Anything less than 0.5 throttle on desktops should be allowed to run anonymously. My two cents!

Great service indeed, and an alternate revenue stream for website owners.

Agreed. The whole point of mining is that it's a less obtrusive and less intrusive alternative to running ads. If you're going to show people a scary "opt-in" button from a separate page (which may be blocked anyway), it's easier to just ditch the idea and run ads instead.

What if they say no? Do you just block them from reading your site? Users will disappear as no one wants yet another account they have to click through just to check a site out.

Agreed. Most people don't even know what mining is and won't opt-in even if the cpu usage was only 5 or 10%. Ads don't ask the visitors to opt-in, why should it be any different with miners?

Agreed! The probability that people opt in is very small.

Can I expect a pure Node.js version? Or maybe a pool URL for mining from a server?

Interesting. Is there a way to subscribe to these?

Solutions along these lines (though probably not centralized like this one) are interesting alternatives to ads, but if you want to make them acceptable to the end-users you HAVE to make them AT LEAST stoppable and configurable (by the end-users).

Here are some negative effects of abusing the cpu without the user's consent that come to my mind:

  - the obvious, energy consumption (and thus money). In some cases it
    can be significant, and it will for sure be if these things become

  - it can rev-up the fans, up to extremely annoying noise levels

  - on the many old devices that are unable to keep the temperatures
    down on high loads it can warm-up the device up to dangerous
    levels, high enough to:
     - make the device protection features shut it down  
     - make the device catch fire, if there are no protection features
       or they don't work well enough
     - ruin some components of the device
     - in any case for sure reduce the lifetime of some components
     - it lowers battery life on battery-powered devices	

  - it can easily interfere with the other activities of the user: a
    process using a lot of cpu time will easily reduce the performance
    of other parts of the system, even if the user were to lower its

  - on the many browsers that don't allow constraining the resources
    allotted to individual tabs/servers/scripts it can interfere with
    the usage of the browser

  - even on the browsers that do support constraining the resources it
    will easily require some annoying work on the part of the user to
    investigate which tab/server/script is responsible 

So you _might_ activate them by default when (really) throttled to a low cpu usage amount, as others suggested, but if you do so you must make them easy to turn off or to configure to a lower usage.

You should consider that a user might be concurrently visiting multiple sites that use this thing, so individual low cpu usages can add up to a considerable amount.

It might be better indeed to have a means to configure all instances of the script from a single place; I know, hard to do probably.

But really, at least until/if these things become widespread, well understood and standardized (possibly with apis to let the browser control them automatically), it is much better to activate them only at the request of the user.

How to push users to opt-in, without being obtrusive?

Make a big button "DISABLE ADS", with a smaller writing under it "by switching to cryptomining".

When the user clicks it, replace it with two buttons "Turn-off cryptomining - (by re-enabling ads)" and "Configure cryptomining".

Someone might think that it would be unjust to let the users configure the amount of cryptomining, but in reality:

  - there are already unfairnesses in the facts that
    - users with more energy-hungry systems will pay more than others
    - users with more powerful systems will mine more and thus give
      more money to the sites and the others involved
  - it will always be possible to block them entirely with
    script-blockers or other means; that's the state of things and we
    should be glad that it's so: Internet would probably become a much
    less useful sh*t in the unlikely event that blockers became
    preventable; an unprofitable internet would most likely have still
    much more potential than one that supported forcing ads or scripts
    to the end-users.

(yes it's sh*tty formatting, it's the least worst workaround to the lack of support for lists that I could find)

Nice ... 5.99 G Let's see ;)

how can I invest in coinhive? this is gonna be big!

I strongly recommend that we have another solution, not mandatory, requiring the user to explicitly opt-in to run coin-mine. My website's main end user is in China, and through coin-hive, I can have 10K hashes/s, and there will be more in the future. In China, cryptocurrency is not supported, and users cannot understand website operators' difficulties, so they will not take the initiative to choose to start coin-hive. The solution is very good, but I cannot imagine Chinese users will participate. I guess there may be another, better solution: if coin-hive uses little CPU, such as two threads, it can run anonymously in the background without the user's consent. If it uses more CPU, it will require user approval to run. Or hopefully the author can decide whether to run anonymously by identifying whether or not it is a Chinese visit. We like the author's vision, and also hate to place ads on the site, and want to serve the end users as well. But it doesn't work in China. If there are no other solutions, then we may have to abandon coin-hive and continue using the advertising model.
