Posted by John Dunlop on 10/13/06 08:41
dorayme:
> [John Dunlop:]
> I am in a picky mood, just excuse and ignore it: the lazy theory
> is inadequate, not so plausible. You do need help. Go and study
> the robber analogy of mine, the robber is not lazy. He can get
> what he wants from unsecured houses. He is rationalising his
> resources.
Oops! Ok, so 'lazy' might not be the /mot juste/, as they say in the
Gorbals, but 'rationalising one's resources' seems to be more or less a
rehashing of the same theory, no? Anyway, it's one I'll have to
remember next time I'm asked to go to the gym.
> > Yes, but I am merely pointing out that obfuscating e-mail addresses is
> > inferior to real security; I am not claiming to know what harvesters
> > actually do!
>
> You were giving a different impression to me at least. I was
> getting a message from your words that it was ineffective, that
> it would not deter. You did not make things so utterly clear. You
> did not say out loud, yes, it will reduce spam but these are the
> downsides...
'I should emphasize that I'm not saying that attempts at obfuscation
will universally fail, only that it takes little effort to overcome
them.'
Does it reduce spam? It would seem to reduce the amount of spam that
that e-mail address owner receives, yes, but whether it makes an impact
on spam in the grand scheme of things, I don't know. Wouldn't a
harvester simply pick other addresses?
> You gave the impression of conflating these issues.
Ok. Let me list some options.
1. Obfuscate the address on the page:
   a. munging
   b. character references
   c. percent-encodings
   d. human-only addresses (e.g., 'user (at) host')
   e. address written in javascript
2. Implement junk mail filters:
   a. server filters
   b. MUA filters
3. Remove all trace of the address.
Now my position regarding 1(b,c). Character references are the lesser
of the two evils, because while percent-encodings actually change the
URL for some degrees of equivalency, upsetting the user-interface,
character references don't.
But character references were 'intended to be used when you could not
otherwise enter a character conveniently in the text' (/The SGML
Handbook/ p. 356). I would be surprised if it inconvenienced you to
enter most US-ASCII characters directly.
> > Mind that old axiom 'security by obscurity gives a false sense of
> > security'?
>
> <g> I have a car protection system I made myself that is a sort
> of inverse of this! It consists of a "key" and "switch" that is
> not hidden from view, it is just not obvious to anyone's mind. It
> gives me a great sense of security and has worked on a number of
> occasions, both on my car and my daughter's and a neighbour's...
I could find other analogies such as hiding the backdoor key to your
house under a stone, or hiding the key to your car under a wheel arch,
but I'm not sure what you're getting at here. The sense of security
can be real but false.
> I think I will use an encoding just on this occasion...
If you feel the practical benefits of e-mail address obfuscation
outweigh the practical downsides - e.g., the impression of
unprofessionalism, the mangling of the user-interface by
percent-encoding - and the theoretical downsides, who am I to stand in
your way.
I suppose any persuasiveness I enjoyed must yield to Friday the 13th.
--
Jock
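
An added example, not part of the original post, illustrating the distinction drawn in options 1(b) and 1(c): an HTML parser resolves character references before anything sees the URL, while a percent-encoding survives into the URL string and only matches after decoding. The address user@example.org and the sample markup are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample markup: the same mailto link written three ways.
# user@example.org is a placeholder address, not taken from the thread.
SAMPLE = (
    '<a href="mailto:user@example.org">plain</a>\n'
    '<a href="mailto:user&#64;example&#46;org">character references</a>\n'
    '<a href="mailto:user%40example%2Eorg">percent-encoded</a>\n'
)


class HrefCollector(HTMLParser):
    """Collect href values exactly as an HTML parser hands them over."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def compare_forms(markup):
    """Compare every link's parsed href with the first (plain) link's href."""
    collector = HrefCollector()
    collector.feed(markup)
    collector.close()
    reference = collector.hrefs[0]
    return [
        {
            "href": href,
            # True when the parser already produced the identical URL string.
            "same_string": href == reference,
            # True when the URLs agree once percent-encodings are decoded.
            "same_after_unquote": unquote(href) == unquote(reference),
        }
        for href in collector.hrefs
    ]


if __name__ == "__main__":
    for row in compare_forms(SAMPLE):
        print(row)
```

The character-reference form comes out of the parser string-identical to the plain form, so it changes nothing a program sees; the percent-encoded form is a different URL string until one decoding call is applied.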