This article discusses in-browser mining, Coinhive, and WebAssembly.
Following a few evolutionary leaps via Application Specific Integrated Circuits (ASICs), mining algorithms appear to have reverted to their origins: the ‘humble’ personal computer.
The Beginning of In-Browser Mining
On the other hand, the web-based method allows further freedom for malicious actors: there is no need to store anything on the same page. Functionality and components can be divided among numerous domains, and previously rented or compromised servers can be repurposed.
Is It Malware?
Even the security industry has conflicting opinions over whether or not in-browser mining is fundamentally malicious.
Running a hashing algorithm on someone else’s computer without their knowledge is harmful conduct, as it ultimately constitutes the unauthorized use of their resources.
Even though it shouldn’t cause any damage to the data or the machine’s integrity, it will result in a slower-responding PC and a higher electricity bill, especially if it remains undetected for an extended length of time.
On the other hand, hashing with a user’s permission is not malicious; at least some people may be eager to execute these scripts if it means no advertisements on a website. The Salon website experimented with this method at the start of 2018.
Please note that from this point forward, when we refer to Coinhive, we are strictly referring to the unauthorized use of the Coinhive code and service for mining purposes.
1. WebSockets
In-browser miners are distinguished by their dependency on WebSockets for communication. As processes operating in a browser sandbox are not permitted to access system sockets, WebSockets were created to enable full-duplex, asynchronous interactions between code running on a webpage and servers – for instance, chat services such as Slack heavily utilize WebSockets.
As the standard for WebSockets requires sessions to be established as HTTP and then “Upgraded” to a WebSocket (see the example below), this precludes direct connection with the vast majority of currency mining “pools” that employ the Stratum protocol.
The operators of in-browser mining operations must therefore set up WebSocket servers to listen for connections from their miners and either process the information internally or externally, depending on whether they manage their own mining pool.
While a coin mining script may appear on dozens or even hundreds of websites, there are likely to be significantly fewer WebSocket servers involved in any deployment, which greatly simplifies blocking using web proxies: the inability to communicate with the mining pool typically results in the elimination of mining activity.
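The fan-in described above can be checked against proxy logs. The following is an added example, not code from the original article: it picks WebSocket opening handshakes out of recorded request heads and lists the WebSocket hosts contacted from several different sites. The function names, the `min_origins` threshold and all `.example` hostnames are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def parse_upgrade(raw):
    """Return (ws_host, origin_host) if raw is a WebSocket opening handshake, else None."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split()
    if len(parts) != 3 or parts[0] != "GET":
        return None  # RFC 6455: the opening handshake is always a GET
    hdrs = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    # Connection may carry several tokens, e.g. "keep-alive, Upgrade"
    conn_tokens = {t.strip().lower() for t in hdrs.get("connection", "").split(",")}
    if (hdrs.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn_tokens
            or "sec-websocket-key" not in hdrs or "host" not in hdrs):
        return None
    origin = urlsplit(hdrs.get("origin", "")).hostname or "(no origin)"
    return hdrs["host"].lower(), origin

def websocket_fan_in(requests, min_origins=3):
    """Map each WebSocket host to the sites connecting to it; keep hosts with wide fan-in."""
    origins = defaultdict(set)
    for raw in requests:
        hit = parse_upgrade(raw)
        if hit:
            origins[hit[0]].add(hit[1])
    return {h: sorted(o) for h, o in origins.items() if len(o) >= min_origins}

def _req(host, origin, upgrade=True):
    # Builds one constructed request head; hostnames are reserved .example placeholders.
    lines = ["GET /ws HTTP/1.1", f"Host: {host}", f"Origin: https://{origin}"]
    if upgrade:
        lines += ["Upgrade: websocket", "Connection: keep-alive, Upgrade",
                  "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version: 13"]
    return "\r\n".join(lines) + "\r\n\r\n"

SAMPLE = [  # constructed sample, not real traffic
    _req("relay.pool.example", "news.example"),
    _req("relay.pool.example", "shop.example"),
    _req("relay.pool.example", "blog.example"),
    _req("chat.vendor.example", "intranet.example"),            # single-site WebSocket
    _req("static.cdn.example", "news.example", upgrade=False),  # ordinary GET, no handshake
]
if __name__ == "__main__":
    for host, sites in websocket_fan_in(SAMPLE).items():
        print(f"{host}: upgrade requests from {len(sites)} sites -> {sites}")
```

Wide fan-in is a reason to review a host, not a verdict: chat and analytics vendors also serve many sites over WebSockets.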
As of April 2018, only Firefox and Chrome support the nuclear option of disabling Wasm. To accomplish this, follow the steps below. Before proceeding, evaluate the likelihood that this technique will impede the normal operation of an increasing number of sites as the technology becomes more widespread.
In Chrome, change the value of chrome://flags/#enable-webassembly to Disabled.
Conclusions: All About In-Browser Mining: Coinhive and WebAssembly 2022
The continued interest in coin mining is unsurprising, given the rising popularity of cryptocurrencies (despite Bitcoin’s volatile value in 2018). The security sector must answer the question posed above: is it malware?
The mining process is, at its core, nothing more than mathematical instructions run in order to solve a predefined puzzle. This is not necessarily malicious on its own.
The essential question is whether this activity occurs with the user’s knowledge and consent. Therefore, disabling all mining scripts without understanding their context may not be the ideal strategy.
Forcepoint employs a combinatorial approach to the discovery and blocking of currency miners associated with compromised websites, blocking not just the instances of the scripts that we uncover, but also the WebSocket command/relay servers on which entire campaigns rely.