Posted by Nikita the Spider on 10/12/06 16:27

In article <1160641713.526446.89430@m73g2000cwd.googlegroups.com>,
"John Dunlop" <usenet+2004@john.dunlop.name> wrote:

> dorayme:
>
> [re overcoming e-mail address obfuscation]
>
> > The point is this though: robbers tend to go for the low lying
> > fruit first and there is plenty enough of that to go around. Do
> > you understand what I am saying? No need to crash through even
> > slightly heavier security.
>
> Yes, but I am merely pointing out that obfuscating e-mail addresses is
> inferior to real security; I am not claiming to know what harvesters
> actually do!

Myself, I'm pretty impressed by the fact that the entity-encoded address
received only two spams while its unprotected counterpart has received
over 700. If this method is inferior, I'd like to know to what! If there
are other methods that are equally easy to implement and don't
inconvenience users, I can't say I've heard of them.

> Mind that old axiom 'security by obscurity gives a false sense of
> security'?

I'd argue that we're not talking about security here so much as
annoyance reduction. I don't mean to nitpick about your words; I
honestly think the difference is important. Security prohibits access to
a resource and there are clear negative consequences when it fails (my
account is cracked, for example). By contrast, my inbox lost its spam
virginity a long time ago. All I can do now with the resources I have
available is to limit further, ahem, penetrations.

> And, as I've explained, the techniques to obfuscate e-mail addresses
> proposed in this thread run contrary to the spirit of Internet
> specifications. That a construct is included in a specification is
> hardly license to exploit it.

I see your point, but the spec isn't strongly worded. As you pointed
out, the relevant section is here:
http://www.w3.org/TR/html401/charset.html#h-5.3

"A given character encoding may not be able to express all characters of
the document character set. For such encodings, or when hardware or
software configurations do not allow users to input some document
characters directly, authors may use SGML character references."

But it also says this:
"Character references are a character encoding-independent mechanism for
entering any character from the document character set."

Using entities to encode email addresses fits perfectly well within this
provision, IMO.

Cheers

--
Philip
http://NikitaTheSpider.com/
Whole-site HTML validation, link checking and more

• Next in forum: Re: visitors online to a web site
• Prev in forum: Re: Is it possible to implement pop-up window without Javascript?
• Thread view: Re: email address obfuscation

[Reply to this message]