Jsecoin and Firefox


This topic contains 15 replies, has 2 voices, and was last updated by  James 3 days, 19 hours ago.

  • #8393 Reply

    Mark the Woodpecker

    Firefox has compiled a list of websites that serve cryptomining scripts. Firefox will block such scripts by default in future versions. Jsecoin.com is featured on the list that can be found below in its entirety. You should maybe contact them to get more info and explain the transparency and ethics behind Jse.

    https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9537

    According to the article on CCN, cryptomining will be blocked from Firefox, beginning with Beta 67. Users who install nightly versions or update to 67 can enable the protections under the “Privacy and Security” section of Firefox’s settings.

    #8423 Reply

    Mark the Woodpecker

    According to the Mozilla blog they will first start testing the crypto mining protection with small groups of users and will continue to work with Disconnect to improve and expand the set of domains blocked by Firefox. They then plan to enable the protection by default for all Firefox users in a future release.

    So the timeline is unclear but you should have ample time to sort out the problem with Mozilla if need be.

    #8424 Reply

    Ev

    As a JSECOIN Mining User, I submitted a Mozilla Bug that Mozilla is incorrectly discriminating against legitimate, voluntary crypto-miners. It has yet to be assigned, but others who wish to report this as a bug or comment on the existing submission can go to:

    Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1547001

    User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.88 Safari/537.36 Vivaldi/2.4.1488.36
    Firefox for Android

    Steps to reproduce:

    As of Beta 67, the Checkbox for by-default blocking all cryptocurrency miners is discriminating against JSECOIN: A 100% Voluntary, Opt-In Miner and potentially other GOOD miners.

    Actual results:

    With the Cryptominer Checkbox selected, scripts run which block JSECOIN.

    Expected results:

    Because JSECOIN is 100%, explicit USER-OPT-IN, users will always be asked whether they want their CPU used for mining at JSECOIN-hosted-sites. The Default behavior of Firefox is to NOT even allow the question to be asked (see the Firefox code:

    "license": "Copyright 2010-2019 Disconnect, Inc. / This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. / This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. / You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.",
    "categories": {
        "Advertising": [
            {. . .
            "JSE": {
                "http://jsecoin.com": [
                    "jsecoin.com",
                    "hostingcloud.racing",
                    "freecontent.stream",
                    "hostingcloud.science",
                    "hashing.win",
                    "freecontent.bid",
                    "freecontent.date"
                ],
                "performance": "true"
            }
        },

    This is incorrect as it, by default, lumps JSECOIN into the wrong category (Involuntary/Unknown use of a user’s computer cycles, versus Known and Desired use of a user’s computer cycles by that Site Visitor). There needs to be a Checkbox that By-Default allows Opt-In Miners, (or its equivalent), because Opting-In should be the user’s choice. It’s the secret monetizing by stealing user CPU cycles that is to be discouraged, not legitimate means of monetizing anything with which users explicitly agree.

    Search in the enclosed .txt file for JSE to see that JSECOIN is incorrectly Blocked as though it’s a stealth miner without user-permission to run (which JSE MUST HAVE in order to run on a user’s system).
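
The list format quoted in the post above (category, then entity, then homepage URL mapped to an array of domains) can be checked mechanically. The following is an added example, not part of the original post and not Firefox's or Disconnect's code: the sample list is constructed from the quoted excerpt, the `Cryptomining` category key is an assumption because the excerpt elides the enclosing levels, and the parent-domain matching rule and the names `buildIndex` and `classifyHost` are hypothetical.

```javascript
// Constructed sample shaped like the excerpt quoted in the post.
// The category key is an assumption: the excerpt elides the enclosing levels.
const sampleList = {
  categories: {
    Cryptomining: [
      {
        JSE: {
          "http://jsecoin.com": [
            "jsecoin.com", "hostingcloud.racing", "freecontent.stream",
            "hostingcloud.science", "hashing.win", "freecontent.bid",
            "freecontent.date",
          ],
          performance: "true", // non-array property, skipped by buildIndex
        },
      },
    ],
  },
};

// Flatten the nested list into Map(domain -> { category, entity }).
function buildIndex(list) {
  const index = new Map();
  for (const [category, entities] of Object.entries(list.categories || {})) {
    for (const entry of entities) {
      for (const [entity, props] of Object.entries(entry)) {
        for (const domains of Object.values(props)) {
          if (!Array.isArray(domains)) continue; // e.g. "performance": "true"
          for (const d of domains) index.set(d.toLowerCase(), { category, entity });
        }
      }
    }
  }
  return index;
}

// Match the hostname or any parent domain, one DNS label at a time, so that
// "load.jsecoin.com" is listed but "notjsecoin.com" is not. Bare TLDs are
// never looked up.
function classifyHost(index, hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const hit = index.get(labels.slice(i).join("."));
    if (hit) return hit;
  }
  return null;
}
```
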

    #8425 Reply

    Ev

    Update: This Issue has been acknowledged by Mozilla, but no decision has been made as to its resolution. If you’ll go to the following web address and add your comments re: “JSECOIN should be enabled by DEFAULT, because it is a Voluntary-Basis Miner”, it will surely help for Mozilla to see that others agree that Mozilla shouldn’t be blocking JSE: https://bugzilla.mozilla.org/show_bug.cgi?id=1547001

    #8426 Reply

    Ev

    Update 2: Added the following Open Issue on GitHub

    “Because JSECOIN is 100%, explicit USER-OPT-IN, users will always be asked whether they want their CPU used for mining at JSECOIN-hosted-sites. If this were to be allowed as the Default behavior of Firefox the user would not be able to distinguish between User-Approved (Safe) Miners and unsafe Miners that steal CPU Cycles. Web Hoster and User Consents are the first principles of JSECOIN Design (and perhaps existing or future other Miners too).

    Eventually, it may be useful to provide a Checkbox (or equivalent) that By-Default allows Opt-In Miners, because Opting-In should be the user’s choice. It’s the secret monetizing by stealing user CPU cycles that is to be discouraged, not legitimate means of monetizing anything with which users explicitly agree. JSECOIN needs to be removed from this code.”

    #8445 Reply

    Meh

    Jse coin is a shit coin. 6 says no exposure no real end goal. Not to mention the shitty latoken exchange. Jse is dead and will continue to do so.

    #8446 Reply

    Ev

    James: Here’s the response from Steven Englehardt re: my request to remove JSECOIN from Firefox blocking. There are some JSECOIN changes they will need before giving JSECOIN a pass:

    Thanks for the report. Marking as invalid for two reasons: JSEcoin’s opt-in has a number of flaws (detailed below), and we do not maintain Disconnect’s list. If you’d like to request a reclassification of a domain you can do so on Disconnect’s upstream repository: https://github.com/disconnectme/disconnect-tracking-protection.

    In my opinion, JSECoin’s opt-in does not come close to constituting meaningful consent. For context, I’ve attached a screenshot of the opt-in prompt. Here are a few issues:

    The opt-in is cross-site. Meaning if a user clicks “Continue” on a single site they are automatically opted in to mining on all future sites. This is particularly concerning given that sites may coerce users to opt-in, such as the example in my second screenshot. The dialog box gives no indication that the user’s decision is global.
    The notice is vague (i.e., “By continuing you agree to donate surplus resources.”). Without knowledge of cryptocurrency mining, what does “surplus resources” mean? Do we expect the average site visitor to understand this dialog?
    Opting out is distinctly harder than opting in. By design a user can “Continue” with or without opting in, so why does the “Continue” button default to yes? To deny future prompts a user needs to click “Privacy & Opt-out” and then click “You can opt-out of JSE crypto-mining across the whole network by clicking here”. These types of dark patterns are concerning given that the “Continue” button is a global opt-in.
    The opt-in can be trivially bypassed by any site that embeds the mining script. As an example, see my test page: https://github.com/englehardt/englehardt.github.io/blob/master/test/cryptomining/jsecoin_auto_optin.html (live version here: https://senglehardt.com/test/cryptomining/jsecoin_auto_optin.html). This allows mining to start on my page, but doesn’t globally opt-in — it does appear they attempt to prevent automated interaction with the “Continue” button, e.g., randomized element IDs. But a more sophisticated approach could be successful.

    #8459 Reply

    James

    Hi Steven, I’m one of the developers on the JSE project.

    I’ll respond to each point separately and then look at what we can do to get removed from the list.

    1. The opt-in is cross site, this is intended as if someone opts-in to the JSE mining project we believe they should not have to re-opt-in every time they visit a website in the network. We have some publishers that use multiple sub-domains or TLDs as well. We could potentially put content in the notification to state the opt-in is global but space is at a premium, especially on mobile devices where we don’t have much room in the notification bar. See below.

    2. I think “surplus resources” is non-technical enough that most users would understand. We could be more detailed and less vague and explain that the mining uses less CPU, RAM and data usage than an average video advertisement but I think this may make it harder to understand for the majority of users. The more information we put in the notification the smaller font size we have to use which I think is important as well. We want to inform users as best as possible but also not put a lot of text in the notification that they won’t actually read.

    3. We can make the opt-out link work directly as a single step/click.

    4. The client-side code can and always will be able to be bypassed. As you’ve seen we’ve gone to quite a bit of effort to make it as difficult as possible. When we were working on this we decided to focus on server-side code to prevent misuse as these can’t be manipulated by malicious web masters. Server side checks are in place to prevent publishers from profiting from bad practices. We use TensorFlow to do fraud analysis on the traffic patterns and any kind of automatic opt-in would be detected and a suspension put in place before the 7 day pending period for payouts was reached.

    Obviously we want to work with you to ensure our project meets your requirements to prevent blacklisting.

    So potential compliance changes:
    – Opt-out link > direct (one click), no explanation page.
    – Text change from
    “By continuing you agree to donate surplus resources”
    to
    “By continuing you agree to donate surplus computational resources across all JSE publisher websites”
    ^ I’m open to suggestions on this.

    Can you confirm that these steps will meet with your requirements for whitelisting?

    #8461 Reply

    James

    The above was posted on the thread which can be followed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1547001

    #8462 Reply

    Marc

    Are you not talking to the wrong guy?

    Thanks for the report. Marking as invalid for two reasons: JSEcoin’s opt-in has a number of flaws (detailed below), and we do not maintain Disconnect’s list. If you’d like to request a reclassification of a domain you can do so on Disconnect’s upstream repository: https://github.com/disconnectme/disconnect-tracking-protection.

    Looks to me that Firefox will simply use that Disconnect list the way it is, so I guess you better complain over there.

    #8469 Reply

    James Bachini
    Keymaster

    I’ll contact them as well. Thanks

    #8470 Reply

    James Bachini
    Keymaster
    #8471 Reply

    hobo

    Do you guys do “fingerprinting” too? That sounds like another problem you would have to deal with and it seems like you guys do because you definitely have a lot of data on webmasters in order to ban them when they violate rules.

    #8495 Reply

    Everett Nelson

    Bugzilla Latest JSE/Firefox comments to James’s explanations and question.

    Do not reply to this email. You can add comments to this bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1547001

    Comment # 11 on Bug 1547001 from Steven Englehardt [:englehardt] at 2019-05-17 09:51:55 PDT
    Thanks for reaching out! I’ve flagged Disconnect on your questions. They can loop us in if it’s necessary. They can be reached directly at: support@disconnect.me.

    —–
    It will, of course, be interesting to hear what Disconnect has to say once James contacts them to be removed from their Block List. So there’s no change of confusion, unless there’s some other way I can add value on this Issue, I’m in read-only-mode as of this latest reply to James.

    Best Regards,

    Ev

    #8496 Reply

    Everett Nelson

    “chance” not “change”
