[tor-bugs] #24054 [Applications/Tor Browser]: Prevent Tor Browser from being used as a Javascript Miner

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 30 18:14:27 UTC 2017 

#24054: Prevent Tor Browser from being used as a Javascript Miner
--------------------------------------+---------------------------
 Reporter:  naif                      |          Owner:  tbb-team
     Type:  enhancement               |         Status:  closed
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  not a bug
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by cypherpunks):

 Replying to [comment:7 gk]:
 > Replying to [comment:4 cypherpunks]:
 > > >This is part of #17569
 > >
 > > It's not. And I advise against adding uBlock or uMatrix.
 >
 > Indeed. (see our current design document in that regard: section 5. No
 filters in
 https://www.torproject.org/projects/torbrowser/design/#philosophy)

 That document says that Tor Browser should provide a "general [solution]
 that prevent[s] tracking by all third parties (the solution being: first
 party isolation, antifingerprinting...etc), rather than [through blocking]
 a list of specific URLs or hosts", how does that imply that blocking some
 URLs or hosts *for non-privacy related reasons* (usability, but mainly
 performance and security) should be avoided? Am I interpreting the
 document correctly?

 Also you're going to work next year on a Tor Browser build for mobile on
 Android, at that point it would be difficult to argue against blocking a
 certain set of URLs despite the performance gains and in view of
 ameliorating battery usage.

 Replying to [comment:9 meejah]:
 > It's not the "JS cryptocurrency mining" that's the problem

 You're mostly correct in those paragraphs but it's indeed a problem on its
 own if I use the Medium security setting (where performance optimizations
 such as JIT are disabled) and that website that serves that JS crypto
 miner starts using - without my consent - 100% of my CPU core, starts
 draining my laptop battery, and lags my browser. What if I use Orfox on a
 smartphone (with less CPU horsepower) with Medium security setting and I
 happen on such site? This can definitely become a deterrent for people to
 use the medium security setting (or the high one with JS enabled). In
 fact, even with JS optimizations enabled this can be a problem with older
 hardware, as well as smartphones. (Off-topic: there are consent based JS
 miners such as https://authedmine.com/ that aren't blocked by adblockers)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24054#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list