Cryptojacking

A change meant to improve Google Chrome performance will also indirectly impact cryptojacking scripts (in-browser cryptocurrency miners) and will severely reduce their efficiency.

According to a design document seen by Bleeping Computer, Google engineers plan to limit the CPU power some types of JS scripts running in the browser's background will be able to use.

Throttling system already in place

A throttling system for JavaScript background code is already included in Chrome since version 57, released in March 2017.

Back then, Google decided to limit a background tab's JavaScript "timer" operations to no more than 1% of a CPU core.

Google made the move to prevent background tabs from running JavaScript code that was not needed or did not produce visible results for the end user.

Throttling system expanded to service workers

Now, Google is expanding this throttling mechanism to service workers (JavaScript code that a browser runs in the background).

JavaScript-based cryptocurrency miners —such as the ones provided by Coinhive, Crypto-Loot, and all similar services— rely on service workers.

The same limitation applies, and JavaScript service workers running in background tabs will not be able to access more than 1% of the entire CPU processing power. This means cryptojacking scripts won't be able to run rampant and drive CPU usage to 100% if the user changes to another tab.

Change is part of a bigger (unrelated) plan

Last year, Google publicly announced it was going to throttle background JavaScript service workers, so Google did not make this change as part of a move to block or reduce the efficiency of cryptojacking scripts.

Even if this change is part of a master plan to improve Chrome performance, Google engineers are particularly happy that this will impact cryptojackers as well.

"The goal of this intervention is to prevent scripts (particularly malicious ones) to adversely affect browsing performance and battery life for work users can’t see," wrote Google engineers in the design document.

"This intervention also addresses the recent rise of malicious scripts performing power-heavy computations without user permission (e.g. cryptocurrency mining)," they also added.

Here are the current particularities of Google's implementation plan:

It is proposed to use the same mechanism as main thread throttling -- throttling starts 10 seconds after backgrounding a page and all tasks are run once a second. If tasks use longer than 1% of CPU (10ms of work per 1 second), the next task is delayed to ensure that CPU load stays under 1%.

Given that this mechanism was designed for the main thread where tasks have to yield control back, it is also proposed to add another mechanism to enforce 1% CPU limit -- for very long tasks (>15 seconds) which are actively using power (i.e. advancing thread times, waiting on locks is OK) worker thread will be paused on OS level and will be resumed for 10ms every second, bringing CPU usage under the specified threshold.

Last year's "browser permission" idea left for dead

Last October, Google engineers were mulling over the idea of placing all computational-heavy JavaScript code that ramps up CPU usage under a browser permission. That plan never went anywhere and received little attention after an initial debate.

Once the service worker throttling goes into effect —a few months from now, we're told— cryptojacking scripts will only work efficiently and produce profits for crooks if users are interacting with the page the script is being loaded on for long periods of time.

It's not a deadly blow for in-browser mining services, but it will narrow down the types of sites on which these scripts can be used efficiently. For example, video streaming sites will remain a good place to run cryptojacking scripts, as users tend to leave tabs open and focused while they watch the video content.

Related Articles:

Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones

Cryptojacking Android Apps Continue To Plague Google Play Store

Mozilla Firefox Will Soon Block All Trackers by Default

TLS 1.0 and TLS 1.1 Being Retired in 2020 by All Major Browsers

Google Adds New Rules To End Malicious Chrome Extensions