Hacker News new | comments | show | ask | jobs | submit login
Opera now protects you from cryptojacking attacks (techcrunch.com)
96 points by lainon 76 days ago | hide | past | web | favorite | 43 comments

Opera blog post: https://blogs.opera.com/desktop/2017/12/opera-50-beta-rc-cry...

> After we recently updated the rules for our built-in ad blocker mechanism, we eliminated cryptocurrency mining scripts that overuse your device’s computing ability. Simply enable Opera’s ad blocker to prevent cryptocurrency mining sites from doing their dirty work on your computer.

Looks like a blacklist extension to their ad blocker.

This isn't going to work I suspect. Ad blockers work because ad companies are too lazy to make appliances/software to embed their ad packages as first party entities. This is exacerbated by the need for third party cookie access. Utilizing client CPU for mining doesn't need that. They can simply embed the JS script (which presumably would have the WASM binary embedded) and go. At least that's how I would do it if I were nefarious. And I'd add significant randomness to prevent pattern matching, but ad blockers are stupid primitive css selector or URL matchers anyways.

I feel whitelisting JS is becoming the sanest approach, despite all its shortcomings.

I usually prefer to whitelist domains rather than individual scripts. Either I trust a domain enough to serve scripts or I don't, there's rarely a middle ground.

Indeed, with all the CPU sidechannel attacks that just came out, allowing any untrusted code to run on your machine, even sandboxed in a browser, seems like a horrible idea.

Is there anything comparable to NoScript that works in Firefox Quantum?

NoScript[1] works pretty well.

[1] https://addons.mozilla.org/firefox/addon/noscript/

Huh...for some reason I thought it was not compatible. Ugh, now the only thing holding me back from upgrading is some of my other addons. I hate having to wait forever to upgrade because I use some less popular addons with long update cycles.

It used to not be compatible until a few weeks after the release of Firefox Quantum.

It's also been completely rewritten, so it's not the same NoScript that you know. The new UI definitely takes some getting used to and the dev is still in the process of polishing the new UI. And it's also still missing some features compared to the old version, which the NoScript dev wants to have ready for the next LTS release of Firefox (which is going to be Firefox 60), as that's what Tor Browser will be based on, which needs NoScript. On the other hand, the new version has significantly better performance and also works on Android.

Any major features missing?

I think, ClearClick and ABE are still missing. (According to this post [1] from a few weeks ago, they're supposed to be coming in the next few weeks...)

Or well, active content blocking and XSS protection are definitely in there.

[1]: https://hackademix.net/2017/11/21/noscript-1011-quantum-powe...

I ditched a load of addons for Firefox 57. Just embrace the change, find replacements, or move on and stop using them. It's hard, but I found I adapted quite quickly.

For NoScript, even though it is now available, I switched to ublock in medium-mode since NS was delayed until a couple of weeks after 57 hit.

Both ublock and NS now use the same Content-Security-Policy filtering approach (NoScript switched to CSP for the webextension release, ublock did it this way before) and so both now suffer from this bug that means noscript tags are not rendered/parsed at all https://github.com/gorhill/uBlock/issues/308 - so I felt I may as well just use ublock. Full-on global-disallow NoScript with that bug makes many sites completely unusable since their graceful-degraded noscript blocks are not shown, and UI changes in the webextension release made it too fiddly to use IMO.

Is there decent mouse gesture support for 57? That's one thing I'm not willing to budge on in terms of ditching old functionality from addons. Mouse gestures have become a way of life for me.

Yes, me too. This was more of a pain than NoScript, but after trying a few I switched to "Foxy Gestures" and I'm mostly happy with it. It has right-button+move-in-a-pattern gestures, as well as "chorded" right/left clicks and wheel gestures.

It does have 2 issues - 1st it does not work on special pages due to security restrictions. This means stuff like about:blank, when a page fails to load, preferences pages, and Mozilla's add-on site. There's nothing you can do about this regardless of the gestures add-on you use - life is worse due to security concerns, this is why we can't have nice things, etc.

And 2nd on Linux (maybe Mac too) Foxy Gestures did not work at all by default since the right-click menu triggers on mouse down, not mouse up. That stopped the gesture in their tracks. The FoxyGestures developer mitigated this problem by making right-menu take 2 clicks to trigger as an option enabled by default on Linux, but that can be annoying as now the regular right-click menu doesn't appear when you expect. Fortunately a patch is in Firefox for a future version that adds the option "ui.context_menus.after_mouseup", which makes the right-click menu work like on Windows. Also, a bonus, on Arch Linux the packager backported that preference to Firefox 57, so nice of them, which made everything work almost as well as in the pre-57 days.

uMatrix, although it doesn't have the various anti-XSS protections of NoScript. But its UI is great, much better than NS IMHO, and it's not limited to script blocking.


The dev build support specifically blocking web workers, typically used by cryptominers. So at this point I think it will be a good idea to block web workers by default everywhere, and enable only if a trusted site needs them.

Well, typically a page does not run heavy calculations for minutes without any input/output. The ad blocker can use that.

I won't run a closed source ad blocker. Whatever my hypothetical nefarious self sees is the limit which triggers heavy-calc check, I'll just split my insns across requestAnimationFrame/setTimeout just beneath it. The cat-and-mouse game of ad blockers really should be no problem for the adversary (the ad companies) if they just put some thought and engineering into it.

Mining requires lots of Math.something() functions. Maybe they can set a max for that.

You can use other implementations that not require Math.

Just curious... like what?

> Looks like a blacklist extension to their ad blocker

In the blog post comments section they say they're using this block list:


The list is compatible with other blockers like uBlock Origin and Adblock Plus so you can add it to your blocker if you want to.

By default uBlock Origin already includes a Resource Abuse block list which has many of the same entries as this list. I'm not sure how much the two lists overlap, but if uBlock Origin's Resource Abuse list already has all of the entries from this list then obviously there's no gain in adding it.

Is cryptojacking really this common these days? Is there an easy way outside of using these lists to detect if a site is attempting this?

Hopefully they add an option to enable it for specific sites. I think mining scripts are a great way to monetize online content. I'd much rather give away some compute time than watch ads (which I'm just going to block anyways).

Set up a Pi-hole and your entire network is protected from this dreck. The beauty of the Pi-hole approach is that you can add more blacklists on the fly and every device on the network benefits. People are actually starting to spin up Pi-hole servers at work to block this stuff.

I have one running at home and it makes a noticeable difference in my network performance. Highly recommended.

Didn't say 'how'. I'm curious if the blacklisting approach will scale

bummer. I prefer to mine crypto than to see ads

It's optional. It can be turned off if you want it off:


Good to know!

Opera is an awesome browser which very few people use. I do though.

>Opera is an awesome browser which very few people use.

I thought well of it, until it got acquired by the Chinese. How has it been since?

I moved to Opera a few years ago because it performed better than other browsers when kept open for weeks on end. Its ram usage would often clock in at multiple gigabytes less than chrome or firefox over the same time frame even when keeping < 10 tabs open. It allows total customization of keyboard shortcuts and has been an excellent experience. Their iOS version has a built in ad-blocker which prompted me to switch on my phone as well.

Just this week i swapped to Firefix quantum to test the waters here. My initial reactions are fairly muted. It is almost an identical experience given my browsing and development habits. If anything, i would say i still prefer the speed of Opera's (well, Blink's) dev tools.

> Its ram usage would often clock in at multiple gigabytes less than chrome or firefox

Well that's funny, because Opera is based on the Blink engine (which chrome/chromium use as well.), so the memory usage should be very close to the same as Chrome.

I moved to Opera for similar reasons, plus one more: it supports a MRU order for Ctrl+Tab, which Chrome doesn't support and doesn't even allow extensions to support.

I literally can't understand why so many people (who use and develop Chrome) think that MRU is the right thing for Alt+Tab but not for Ctrl+Tab. Sad.

Jon von Tetzchner, the remaining co-founder of Opera (the other one, Geir Ivarsøy, has passed away, RIP) has now launched another browser, called Vivaldi. It's also based on Chromium, so Chrome extensions are compatible with it. And it's probably what Opera would've become...

I don't care for Opera, but they are agile.

I'm particularly impressed that they added a free VPN solution to their browser.

I'm not speaking to the trust or security of this specifically, but the fact that they're offering it built-in to the browser already shows an interesting and unique approach to out-of-the-box web browsers.

I don't get it. Opera keeps being first at everything, yet they seem to fail to get any meaningful browser share (worldwide).

So sad.

In this case they're not the first. They're using this block list:


Which was already being used by Brave. You can add the same list to your browser's blocker yourself.

If you're using uBlock Origin be aware that by default it includes a Resource Abuse block list which contains many of the same entries as the NoCoin list, so there may be no real advantage in adding the NoCoin list. You'd have to check all the entries in both lists to see if you're gaining anything by it.

As of this writing, my uBlock Origin set-up is still making use of 18 of the NoCoin list's 73 filters, so it probably is worth installing if you're concerned about this sort of thing.

And they lost some browser share from me and people I knew when they dumped Presto for becoming a Google slave.

Good move by Opera. Really hoping FF/Chrome adopt the extensions as standard features soon.

No way to ask for permission or turn the blocking off?

Applications are open for YC Summer 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact