Mozilla: Firefox to block cryptomining scripts hidden on websites by default
An upcoming release of Firefox will give users the option to block two increasingly common and ugly aspects of today's web: browser fingerprinting and cryptomining scripts.
Neither type of script is helpful or beneficial to browser users. Fingerprinting lets advertising outfits silently track users around the web and profit from users' activity and interests.
Meanwhile, freeloading opportunists have found it profitable to plant cryptomining JavaScript on websites and secretly sponge off a visitor's CPU to 'earn' cryptocurrency.
Web-based cryptomining took off after the launch of the JavaScript-based Monero miner, Coinhive, which was created with the intention of challenging the online advertising business model. But it was quickly adapted for 'cryptojacking', or hijacking a victim's CPU through a browser so that it mines for cryptocurrency on someone else's behalf.
Coinhive shut down on March 8, but there's a long tail of rivals that will keep the cryptojacking threat alive for the foreseeable future.
Mozilla, keen to make Firefox relevant again in a Chromium world, on Tuesday revealed that Firefox Nightly 68 and Firefox Beta 67 will include protections against both threats, thanks to a new blacklist of websites known to use scripts for either purpose. The blacklist was compiled by Disconnect, a VPN maker known for its anti-tracking efforts.
ZDNet's Catalin Cimpanu revealed Mozilla's anti-fingerprinting efforts using 'letterboxing' in Firefox 67 last week. But Mozilla has now shared more specifics about that and related protections against cryptojacking, how the protections can be enabled in Firefox, and its plans for a rollout.
Mozilla is taking a multi-pronged approach to fingerprinting. Letterboxing aims to thwart a technique used to tag a browser – for example, by measuring a browser's window size at a point in time – for persistent tracking across websites without the aid of cookies. The second piece is a blacklist of sites that are known to use fingerprinting scripts and sites known to use cryptomining scripts.
The script-blocking feature is now part of Firefox's 'Content Blocking' settings within the 'Privacy and Security' tab in Preferences. Within 'Content Blocking', Firefox users can check boxes to block either or both Cryptominers and Fingerprinters.
"Once enabled, Firefox will block any scripts that have been identified by [privacy tool] Disconnect to participate in cryptomining or fingerprinting," said Mozilla's Arthur Edelstein, adding that the protections will be on by default in Nightly "in the coming weeks".
Firefox 67 is due for release in mid-May and until then Mozilla is seeking feedback about the effectiveness of the new protections.
Like most security solutions, Mozilla's isn't watertight. The blacklisting side will only be as good as Disconnect's list of known offenders, which may be incomplete or could become outdated as additional sites include the offending scripts. And there are multiple techniques for fingerprinting a device through a browser that aren't accounted for.
But it's better than nothing and could be appealing to users looking for a reason not to use Chrome.
Mozilla said it plans to "continue to work with Disconnect to improve and expand the set of domains blocked by Firefox". It's also concerned that enabling the feature could break some websites in the browser, and it wants feedback when that happens.
The browser maker seems intent on proceeding with the feature, confirming that it does plan to enable these protections by default in some future release of Firefox.