Running websites with CSP is an interesting experience. You'll discover how much crap is injected into people's view of your website: extensions referencing remote scripts, weird browsers injecting their own content (looking at you, UCWeb), websites being framed for both bad (clickjacking overlays) and good (translators) purposes, bots injecting their own helper JS, bots that don't disable their internal CSP reporting (looking at you, Cookiebot), and AVs that try to patch the CSP header and break it (Kaspersky).
Essentially you will find there's a whole wild west out there that you don't normally think about.
This site's example code seems to take the blacklist approach instead of a whitelist, so I shouldn't break too many sites, nor give the surprise treats you mentioned.
But I agree, locking down a site with CSP is a great exercise in seeing just how many domains get loaded. Especially if you have a marketing team that gets sold on the latest service weekly.
I think you may be misunderstanding the parent's post. When you run a site with a strict CSP and report-uri enabled, you will notice tons of blocked-script reports, not because there is a vulnerability in your site, but because clients have installed tons of browser plugins that try to inject scripts into your site, and your CSP blocks them.
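A minimal sketch of what such a policy might look like — the directives here are generic placeholders, and `/csp-report` is a hypothetical reporting endpoint, not anything from the thread:

```python
# Build a strict Content-Security-Policy header with violation reporting.
# Without 'unsafe-inline', injected inline scripts are blocked too.
directives = {
    "default-src": "'self'",
    "script-src": "'self'",       # blocks extension/router-injected remote scripts
    "report-uri": "/csp-report",  # browsers POST a JSON violation report here
}
csp_header = "; ".join(f"{name} {value}" for name, value in directives.items())
print(csp_header)
# default-src 'self'; script-src 'self'; report-uri /csp-report
```

The server would send this as the `Content-Security-Policy` response header; every plugin-injected script then shows up as a POST to the report endpoint rather than executing.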
I figured this out the first time I tried instrumenting my code for latency/exception-handling/etc. purposes (self-hosted!)... and got terabytes of error logs consisting of rubbish sprayed into the console by terribly written browser plugins and malware toolbars.
Yeah; care to take a guess as to what % of HTTP traffic is human vs bot?
(Given your comment, I suspect your guess is likely to be much closer to reality than the vast majority of even the relatively clueful people here on HN.)
That will depend massively on your site structure (with enough pages, Bingbot will do an order of magnitude more requests than other crawlers). Overall, a lower % than your tooling tells you - for example, Cookiebot runs crawlers both with proper user agents and as a "totally normal Chrome user" from another network. (Not sure if that's misconfigured or on purpose.)
When doing some work with automated Google Ad Manager ads (which required frequent updates), we realized that Google checks every link - at least once per update, usually more often - with no proper user agent identifying it as a bot. Our solution was to redirect all links through our server and completely block every known Google IP range during the redirect.
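The blocking step described above can be sketched with Python's `ipaddress` module. The ranges below are illustrative (66.249.64.0/19 is a commonly cited Googlebot range, the second is a placeholder); a real deployment would pull Google's published netblocks and refresh them regularly:

```python
import ipaddress

# Illustrative ranges only — real netblocks come from Google's published
# lists and change over time.
BLOCKED_RANGES = [
    ipaddress.ip_network("66.249.64.0/19"),   # commonly cited Googlebot range
    ipaddress.ip_network("64.233.160.0/19"),  # placeholder
]

def is_blocked(client_ip: str) -> bool:
    """True if the redirecting server should refuse to forward this client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in BLOCKED_RANGES)

print(is_blocked("66.249.66.1"))   # True: inside the 66.249.64.0/19 range
print(is_blocked("203.0.113.7"))   # False: documentation range, not listed
```

The redirect handler would consult `is_blocked()` before issuing the final Location header.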
While well-intentioned, I don't think the casual website visitor is going to understand what a cryptominer is, and the blog post doesn't do a good job of explaining what's going on, especially for non-English-speaking visitors. Instead of the blog post, I think a dedicated landing page would work much better - crowdsource some translations on GitHub and put up something very simple like the Cloudflare interstitial design:
"The website that sent you here has been hacked and may not be safe to use. Please contact the site owner to let them know. Are you the website owner? Click here for a detailed explanation."
It also seems like the modal popup JS doesn't remember whether the dialog has already been shown and will appear on every navigation, causing a lot of frustration for visitors. Given the widespread impact this has on users, it feels a bit rushed.
I think messaging this to a "normal" user is going to be really, really hard no matter what. Bordering on impossible.
E.g., with your proposed wording, the website owner now gets reports that their website has been compromised when, in the case of the compromised routers discussed in the article, it hasn't.
(I do think some of your suggestions are valid; the article isn't going to be approachable for the average Joe, and if it does pop up that frequently, perhaps that could be improved.)
The core intention of the script is to be loud enough for the person responsible for the site to quickly take notice.
Explaining the situation to the casual visitor is pretty much pointless, as they can't really do anything about it; and since the script isn't serving anything malicious currently, that's all that's really necessary at this point.
For the folks who were saying that TLS-everywhere is an unnecessary burden recently:
> During our follow-up research on cryptojacking, we discovered that 1.4M MikroTik routers were serving cryptojacking scripts as they were routing Web traffic, geographically focussed on Brazil and Indonesia. It could be that a Vietnamese MikroTik router is still infected and somehow manages to inject the script into that particular (popular) website.
Nope, there were certainly a lot of people saying that you only need TLS on login pages and pages with sensitive data, and that even sites with login and payment pages are OK using HTTP for the rest of the site.
I still hold that opinion, though reduced to situations where there are other ways than full-blown TLS to get authenticity.
Due to the lack of options for putting signing pubkeys into DNS or something like that, this requires the loaded page itself to be delivered over TLS. Bulk content can rely on subresource integrity, but may need to fall back to TLS to successfully load the content in the presence of a MITM. This fallback can likely be done via a small script, either inline or also served via TLS.
I'm complaining about the lack of support for signing keys. Think IPFS's IPNS (though that goes a bit beyond just signing keys, as it includes DHT-based retrieval with just the key, and notably lacks an address).
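The subresource integrity mentioned above pins a resource to a hash in the `integrity` attribute. A sketch of computing that value (SHA-384 digest, base64-encoded, algorithm-prefixed — the standard format browsers check) for a script body:

```python
import base64
import hashlib

def sri_hash(content: bytes) -> str:
    """Compute a subresource-integrity value in the format browsers expect:
    base64 of the SHA-384 digest, prefixed with the algorithm name."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

# Hypothetical script body and filename, for illustration only.
script = b"console.log('hello');"
print(f'<script src="app.js" integrity="{sri_hash(script)}" '
      f'crossorigin="anonymous"></script>')
```

If a MITM (such as an infected router) alters the fetched file, the hash no longer matches and the browser refuses to execute it — which is exactly why SRI only helps once the page carrying the `integrity` attribute is itself delivered tamper-proof.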
My home lab has its own OpenSSL X.509 root CA, which issues TLS certs for all my stuff in RFC 1918 IP space. I've trusted the CA in my browsers. It wasn't rocket science to set up.
Quote: "If the miner is owner-initiated then firstly, shame on them, and secondly, just remove it" - and it shows a picture of The Pirate Bay.
Well, IMO, this is the best model. The Pirate Bay clearly states that they run a cryptominer; if you want, you can have an adblocker block it, and they still let you search their website undisturbed. Now compare this with Forbes, for example, whose adblocker detection will not let you view the content you want and asks you to whitelist them in your adblocker. Except that once you do, they fill your page not only with their own ads but also with third-party ads, which have been proven many times in the past to serve malware. So if there is any naming and shaming to be done, it should be aimed at Forbes / Bloomberg and the likes, not TPB.
Posts like this remind me how little I fully understand about networking and associated protocols, and how valuable it is to understand them to build things right.
The note about securing static sites with https finally painted the picture for me as to why it's a big deal, even for sites that don't send any data to a db!
> Securing the transport layer isn't just about protecting sensitive information, it's also about protecting the integrity of the content
Is anyone seeing a significant performance impact from CSP? We enabled an extremely lax policy on a Jira Service Desk instance and are seeing a 15-30% performance cost when loading the summary page. Also, has anyone come up with a consistent way (short of watching the browser timeline) to measure the performance cost?
Unfortunately the cryptojacked website gets screwed either way.
Without a CSP, its pages get cryptojacked, which depletes its visitors' resources; with a CSP, it has to process the violation reports, which depletes its server's resources.
The only solution is to never visit a cryptojacked website. If you've come to rely on that site for something, that might prove very difficult, and not visiting it could again deplete resources spent finding a replacement site.
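The violation-report processing cost mentioned above comes from handling the JSON documents browsers POST to the report endpoint. A sketch of extracting the interesting fields — the sample payload below is invented, but the field names follow the standard CSP report format:

```python
import json

# A sample report in the shape browsers POST to the report-uri endpoint
# (Content-Type: application/csp-report). URLs are made up for illustration.
raw = json.dumps({
    "csp-report": {
        "document-uri": "http://example.com/page",
        "blocked-uri": "http://evil.example/miner.js",
        "violated-directive": "script-src 'self'",
    }
})

def summarize(body: str) -> str:
    """Pull the three fields that matter for triaging a violation report."""
    report = json.loads(body)["csp-report"]
    return (f"{report['violated-directive']} blocked "
            f"{report['blocked-uri']} on {report['document-uri']}")

print(summarize(raw))
# script-src 'self' blocked http://evil.example/miner.js on http://example.com/page
```

At scale, aggregating on `blocked-uri` is what separates a real injection campaign from the usual browser-plugin noise.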
What's interesting is that, as he points out in the part about the MikroTik routers doing MITM on HTTP traffic, lots of websites out there are not serving the .js themselves; they are just HTTP-only sites which are vulnerable. Any user behind one of those hacked MikroTiks requesting any non-HTTPS page will get the .js injected, regardless of the site.
From an ISP perspective, it's an unfortunate side effect of a race to the bottom in pricing and network equipment in the developing world, and of cargo-cult network engineering where people know just enough to be dangerous, copying and pasting templates of BGP configurations into $800 MikroTiks and calling themselves an ISP.
I loved this article, but I'm confused about one thing: if I read it correctly, it connects hacked routers inserting tokens into traffic with tokens found on hundreds of pages (discovered with a script run by the author). But he wouldn't see the router-injected scripts at all, so the same token found by him on many hosts must be caused by something different, mustn't it?
I think you misunderstood his scripts; his primary source of data is from acquiring the domain the malicious scripts were hosted on, and he wrote scripts to summarize the server logs of this previously malicious CDN.
He knows the script URL and referrer URL of each attempt to invoke the malicious scripts. The URLs of the scripts seem to include the token to configure them to the attacker.
He visited sites in the referrers and looked them up in search engines only to run tests to convince himself that the pages are clean and the servers aren't conditionally returning the malicious content, etc.
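The log analysis described above — grouping attacker tokens by the referrer sites that loaded them — might look roughly like this. The log format, URL shape, and `token` parameter name are all guesses for illustration, not the actual malware's format:

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical CDN log lines: "<script-url> <referrer-url>" per request.
log_lines = [
    "http://cdn.example/lib.js?token=abc123 http://victim-a.example/page",
    "http://cdn.example/lib.js?token=abc123 http://victim-b.example/",
]

def tokens_by_referrer(lines):
    """Map each attacker token to the set of referrer hosts that loaded it."""
    out = {}
    for line in lines:
        script_url, referrer = line.split()
        token = parse_qs(urlparse(script_url).query).get("token", ["?"])[0]
        out.setdefault(token, set()).add(urlparse(referrer).hostname)
    return out

print(tokens_by_referrer(log_lines))
```

One token appearing across many unrelated referrer hosts is what suggests a shared injection point (like a router) rather than per-site compromise.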
Are we completely dismissing "legitimate" cryptomining for micro payments? E.g. asking for a user's consent to mine with their CPU to unlock content or get rewards.
I personally think it sounds like a great way to pay for things without having to sign up for anything and just pay with my electricity bill, but please educate me.
In my view as a consumer, I welcome the possibility to support the author with my device's computation power. And I prefer this to being harassed with undesired ads.
I don't like his negativity towards Coinhive or similar miners.
> So, instead of serving ads you put a JavaScript based cryptominer on your victi... sorry - visitors - browsers then whilst they're sitting there reading your content, you're harvesting Monero coin on their machine.
I don't see how this is worse/more evil than ads, though? At least the worst a miner will do is consume some resources, whereas conventional ads consume resources and compromise the privacy of the victim.
There are big differences between the consumption of the victim's resources by ads and their consumption by cryptomining.
Firstly, whatever resources are consumed by ads, resource consumption is not intrinsic to their nature. In other words, the effectiveness of an ad does not depend on how many resources it uses on its target's device.
Furthermore, the resource consumption by ads can be argued to be a real creation of value, in the sense that the advertiser could not make money from running ads on their own devices without any involvement of their targets. Neither is the target being deprived of any profit that they themselves might have wanted. Would the target wish to run their own advertising aimed at themselves on their own browser to promote their own product and/or track their own browsing habits? Of course not.
Compare that to covert cryptomining. The cryptominer could achieve the same result by running the code on their own devices, and paying for the resources consumed. On the other hand, the target is being unknowingly deprived of the profit being generated by the resources that they themselves are paying for but chose not to employ in cryptomining. Would the target like to use X% of their electricity bill, sacrifice Y% of their device's resources, and Z% of its durability lifespan to obtain a certain amount of a cryptocurrency? Maybe.
My argument is that most ads will collect personal data and you no longer have control over how it's going to be stored/used. A miner in comparison only mines cryptocurrency but doesn't otherwise have any long-term impact.
Also, ads can have negative impacts from the thing that's being advertised if it ends up being a scam, dangerous/fake/misrepresented product or malware.
You are right that the effects of internet advertising (assuming trackers etc.) on the individual can be understood as long-term, but in that case at least the operator is undertaking two risks:
1) The long-term validity and usefulness of the data they are gathering. A user may be relatively net-savvy regarding the use of private browsing, they may rescind their consent on this or that advertising network to track them, their visiting son or daughter might give their device a "privacy clean-up", or they may be ironically so digitally illiterate that when their phone dies or they forget their passwords they just create a new Google account.
2) The legal risks involved in gathering, and particularly exploiting, non-GDPR (or other local law) compliant data.
With non-consensual cryptocurrency mining, both points become irrelevant. Once it is mined, cryptocurrency is a pure commodity, regardless of legality and the consent or future opinions of the person whose resources were employed to produce it.
What if you explicitly ask for the user's consent? E.g., a confirmation prompt saying "To unlock this content, we will use your CPU to mine."
I know Coinhive originally started like that, for this Polish imageboard where you explicitly had to allow your CPU to mine in order to get premium account time, as an alternative way to just paying for it outright.
If the request is honest and straightforward regarding the resources being consumed on the user's device, to what extent it may or may not impact them, and how it benefits the operator, I would have no problem with it beyond my personal misgivings with cryptocurrencies. That is, as long as the consent is not easily confused with just another cookie checkbox to which most web users have become desensitised.
Run noJS by default with something like uMatrix/uBlock Origin, and never worry about this or similar problems again.
For me, all parts of a page, even 1st-party, have JS disabled... you'd be surprised: most of the useful ones work completely fine like that, and things load much faster. There are exceptions that do actually need it, and if I trust them, I'll enable 1st-party JS via uMatrix.
As a uMatrix user, this is a pretty misleading set of statements.
Disabling JS and blocking 3rd parties breaks -- and I mean completely, unusably, breaks -- a ton of websites. It's rare I run across a site these days that is strictly 1st party and has nothing else going on. I can't even order a goddamn pizza without enabling four different 3rd party domains.
Sure, you can save your preferences in uMatrix, but when the website updates you're back at square one, or worse, you're overly permissive.
Worst of all, I often have to completely turn off uMatrix for some sites.
While the intent is good, I honestly cannot recommend this approach anymore. It just sucks.