Google to block malvertising attempts

Google devs propose changes to the Chrome browser that could prevent malvertising attacks
21 October 2017

The cryptocurrency world has already suffered a great deal at the hands of hackers.
Now a new "disease" has appeared: so-called "malvertising", in which online ads are used as the channel to deliver a script that makes visitors' browsers mine altcoins for the attacker, with no consent from the user and nothing installed on their machine.

Google software engineer Ojan Vafai has proposed a modification to the Chrome browser that would inhibit, and potentially prevent, such in-browser mining.

A modification for malvertising prevention

Vafai made the suggestion in a comment on a post about unauthorized mining carried out by code from the software firm Coin Hive, which had debuted its flagship mining product four days earlier. His recommendation for combating the issue:

If a site is using more than XX% CPU for more than YY seconds, then we put the page into ‘battery saver mode’ where we aggressively throttle tasks and show a toast allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions (e.g. no requestUseLotsOfCPU method). It only triggers when the page is doing a likely bad thing.

Ojan Vafai
Google software engineer

In other words, Chrome itself would recognise the suspicious activity (a page that keeps a core pegged for a sustained period) and respond by placing the culprit page in a mode that aggressively throttles its tasks, sharply limiting the processing power a mining script can appropriate, and that stops the page's tasks entirely while the tab is in the background. At the same time Chrome would show the user a toast offering the option to exit this power-saving state. The caveat is that the heuristic keys on CPU usage rather than on what the code does, so a legitimately CPU-heavy page would trip it just as a miner would; that is why the proposal pairs the throttle with a user opt-out and with measurement to tune the thresholds. 
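To make the proposed heuristic concrete, here is an added JavaScript model of it; this is not Chromium code and nothing of the kind ships in Chrome. The thresholds are the "egregious" starting values from the quote (100% for 60 seconds); the throttle factor, the `TabCpuMonitor` and `taskBudget` names, and the CPU traces are assumptions constructed for the example. It shows the three behaviours the text describes: sustained (not merely bursty) high CPU puts the tab into battery saver mode, a backgrounded tab in that mode gets no task budget, and the opt-out returns the tab to normal.

```javascript
// Added example, not Chromium code: a model of the CPU-throttling heuristic in
// Vafai's proposal. Thresholds are the proposal's starting values; the throttle
// factor and the sample traces below are assumptions for illustration.

const CPU_THRESHOLD_PCT = 100; // "XX" in the proposal
const SUSTAIN_SECONDS = 60;    // "YY" in the proposal
const SAVER_TASK_BUDGET = 0.1; // assumed: run 10% of requested tasks when throttled

class TabCpuMonitor {
  constructor(thresholdPct = CPU_THRESHOLD_PCT, sustainSeconds = SUSTAIN_SECONDS) {
    this.thresholdPct = thresholdPct;
    this.sustainSeconds = sustainSeconds;
    this.saver = false;        // tab is in battery saver mode
    this.optedOut = false;     // user dismissed the toast and opted out
    this.backgrounded = false;
    this.overSince = null;     // start of the current run of samples above threshold
    this.toastShownAt = null;
  }

  // One CPU sample for this tab: t in seconds, cpuPct as percent of one core.
  sample(t, cpuPct) {
    if (cpuPct >= this.thresholdPct) {
      if (this.overSince === null) this.overSince = t;
      // Must be sustained: a burst that drops below the threshold resets the clock.
      if (!this.saver && !this.optedOut && t - this.overSince >= this.sustainSeconds) {
        this.saver = true;
        this.toastShownAt = t; // the toast offers the opt-out
      }
    } else {
      this.overSince = null;
    }
    return this.state();
  }

  setBackgrounded(flag) { this.backgrounded = flag; return this.state(); }

  // The toast's opt-out: the user trusts the page, so stop throttling it.
  optOut() { this.optedOut = true; this.saver = false; return this.state(); }

  state() {
    if (!this.saver) return 'normal';
    return this.backgrounded ? 'stopped' : 'battery-saver';
  }
}

// Scheduler side: fraction of the page's requested tasks that will actually run.
function taskBudget(state) {
  switch (state) {
    case 'normal': return 1.0;
    case 'battery-saver': return SAVER_TASK_BUDGET;
    case 'stopped': return 0.0;
    default: throw new Error(`unknown state ${state}`);
  }
}

// Constructed traces (not measured data), sampled every 5 s.
function runScenarios() {
  // Miner-like page: idles for 30 s, then pegs a core indefinitely.
  const miner = new TabCpuMonitor();
  let throttledAt = null;
  for (let t = 0; t <= 120; t += 5) {
    const s = miner.sample(t, t < 30 ? 5 : 100);
    if (s !== 'normal' && throttledAt === null) throttledAt = t;
  }
  const backgroundedState = miner.setBackgrounded(true);
  const budgetWhenBackgrounded = taskBudget(backgroundedState);
  const afterOptOut = miner.optOut();

  // Bursty but legitimate page: 100% for 40 s, idle for 10 s, repeat; never 60 s sustained.
  const bursty = new TabCpuMonitor();
  let burstyEverThrottled = false;
  for (let t = 0; t <= 300; t += 5) {
    if (bursty.sample(t, (t % 50) < 40 ? 100 : 5) !== 'normal') burstyEverThrottled = true;
  }
  return { throttledAt, backgroundedState, budgetWhenBackgrounded, afterOptOut, burstyEverThrottled };
}

console.log(runScenarios()); // miner throttled at t=90, stopped when backgrounded, normal after opt-out
```

The miner trace crosses the threshold at t=30 and is throttled at t=90, exactly 60 s later; the bursty trace is never throttled because the clock resets every time a sample falls below the threshold, which is the point of requiring sustained rather than cumulative load.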

It is not yet clear whether Google intends to implement this or any other protection against such mining scripts. Still, the proposal has already drawn a lot of attention. 

Potential Vulnerabilities Found in ETH 2.0

Least Authority has found potential security issues in the network's P2P interaction and in the block proposal system
26 March 2020

At the request of the Ethereum Foundation, security firm Least Authority audited the Ethereum 2.0 specifications and identified several potential vulnerabilities.

Least Authority said the developers need to address weaknesses in the peer-to-peer (P2P) networking layer as well as in the block proposal system. At the same time, the auditor noted that the specifications are "very well thought out and competent."

However, there is as yet no large ecosystem in the world that runs on proof-of-stake (PoS) and uses sharding, so the prospects for the system's stability cannot be assessed accurately.
The auditors also emphasized that the specifications did not give enough attention to describing the P2P network layer and the system of records about Ethereum nodes. Risks were also observed in the block proposal system and in the messaging system between nodes.

The experts explained that in proof-of-work blockchains nobody can predict in advance who will produce the next block. In PoS systems, by contrast, it is the block proposal system that decides whose block goes into the chain, and because the proposer is selected ahead of time, the identity of upcoming proposers leaks information an attacker can use, for instance to target that validator before its slot. To address this, the auditors suggested the mechanism of "Single Secret Leader Election" (SSLE), in which only the elected proposer learns that it has been chosen until it publishes its block.

As for the peer-to-peer message exchange, there is a danger of spam. There is no central node in the system that evaluates the behaviour of other nodes, so a "malicious" node can flood the entire network with messages without any particular penalty. The solution may lie in message-exchange protocols between nodes that make such spam costly, for example by having each node score its peers locally and ignore those that misbehave.
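The spam problem above is usually answered at the message-exchange layer with local peer scoring: every node rates each of its peers on its own, so misbehaviour is penalised without any central node judging the network. The following is an added JavaScript illustration of that idea, not Ethereum, Least Authority or libp2p code; the `PeerScorer` class, its thresholds, and the honest-peer and spammer traces are all assumptions constructed for the example. It shows a rate limit per peer, penalties for duplicates and invalid messages, a "graylist" threshold below which everything from a peer is dropped, and slow score decay so that a peer can recover.

```javascript
// Added example, not Ethereum/libp2p code: local per-peer scoring against P2P spam.
// Each node keeps its own score for every peer; no central authority is involved.
// All parameter values are assumed for illustration.

class PeerScorer {
  constructor({
    maxMsgsPerWindow = 20,   // messages a peer may send per window before penalties
    windowSeconds = 10,
    rateExcessPenalty = 2,   // per message over the limit
    duplicatePenalty = 1,    // re-sending a message id already seen
    invalidPenalty = 10,     // e.g. bad signature or malformed block
    graylistThreshold = -20, // at or below this, everything from the peer is dropped
    decayPerSecond = 0.5,    // score recovers toward 0 over time
  } = {}) {
    Object.assign(this, { maxMsgsPerWindow, windowSeconds, rateExcessPenalty,
      duplicatePenalty, invalidPenalty, graylistThreshold, decayPerSecond });
    this.peers = new Map();          // peerId -> { score, windowStart, windowCount, lastSeen }
    this.seenMessageIds = new Set(); // duplicate suppression
  }

  // Fetch (or create) a peer record, applying score decay and window rollover.
  peer(peerId, t) {
    let p = this.peers.get(peerId);
    if (!p) {
      p = { score: 0, windowStart: t, windowCount: 0, lastSeen: t };
      this.peers.set(peerId, p);
    }
    const elapsed = Math.max(0, t - p.lastSeen);
    if (p.score < 0) p.score = Math.min(0, p.score + this.decayPerSecond * elapsed);
    p.lastSeen = t;
    if (t - p.windowStart >= this.windowSeconds) { p.windowStart = t; p.windowCount = 0; }
    return p;
  }

  isGraylisted(peerId) {
    const p = this.peers.get(peerId);
    return !!p && p.score <= this.graylistThreshold;
  }

  // Verdict for one inbound message; `valid` is the result of the message's own checks.
  onMessage(peerId, msgId, valid, t) {
    const p = this.peer(peerId, t);
    if (p.score <= this.graylistThreshold) return 'drop-graylisted';
    p.windowCount += 1;
    if (p.windowCount > this.maxMsgsPerWindow) {
      p.score -= this.rateExcessPenalty;
      return 'drop-rate-limited';
    }
    if (this.seenMessageIds.has(msgId)) {
      p.score -= this.duplicatePenalty;
      return 'drop-duplicate';
    }
    if (!valid) {
      p.score -= this.invalidPenalty;
      return 'drop-invalid';
    }
    this.seenMessageIds.add(msgId);
    return 'accept';
  }
}

// Constructed traffic (not captured data): one honest peer, one spammer.
function simulate() {
  const s = new PeerScorer();
  const tally = (vs) => vs.reduce((acc, v) => { acc[v] = (acc[v] || 0) + 1; return acc; }, {});

  // Honest peer: five valid messages over 8 s, plus one accidental re-send.
  const honest = [];
  for (let i = 0; i < 5; i++) honest.push(s.onMessage('honest', `h${i}`, true, i * 2));
  honest.push(s.onMessage('honest', 'h4', true, 9));

  // Spammer: 100 unique, well-formed messages inside the same second.
  const spam = [];
  for (let i = 0; i < 100; i++) spam.push(s.onMessage('spammer', `s${i}`, true, 0));
  const spammerGraylistedAtPeak = s.isGraylisted('spammer');

  // After 30 s of silence the spammer's score has decayed enough to be heard again,
  // and the honest peer is unaffected by the spammer's penalties.
  const spammerLater = s.onMessage('spammer', 'late', true, 30);
  const honestLater = s.onMessage('honest', 'h9', true, 10);

  return { honest: tally(honest), spam: tally(spam), spammerGraylistedAtPeak, spammerLater, honestLater };
}

console.log(simulate());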