Date: Mon, 18 Feb 2008 23:42:59 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: wiki - e-mail address obfuscation

I wrote:
> ... it only
> obfuscates e-mail addresses it recognizes - not anything with an @-sign.
> So we need to be very careful about this - e-mail addresses must be
> entered as <user@...mple.org> - with the angle brackets.
...
> As to page source, I've disabled the view source / export raw feature.

I just found another issue: it is possible to "show differences to
current version" without being logged in - and, of course, original
(non-obfuscated) e-mail addresses are seen in these source diffs.

Unless we come up with a way to address that (e.g., somehow disable this
feature for anonymous visitors), I'm afraid that we'll have to obfuscate
addresses manually prior to entering them into the wiki...

Alexander
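
The manual pre-obfuscation the message falls back on can be scripted. The following Python is an added example, not part of the original post or of the wiki software. The masking style (first three characters of the domain replaced by `...`) is an assumption modelled on how addresses appear on this page, and all names and the sample text are constructed.

```python
import re

# Assumption: a pragmatic address pattern for wiki text, not a full RFC 5322 parser.
ADDR = re.compile(
    r"(?P<open><)?(?P<local>[A-Za-z0-9._%+-]+)@"
    r"(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?P<close>>)?"
)


def mask(local, domain, drop=3):
    """Replace the first `drop` characters of the domain with '...'."""
    return f"{local}@...{domain[drop:]}"


def pre_obfuscate(text):
    """Mask every address before the text is entered into the wiki.

    Returns (masked_text, bare). `bare` lists (already masked) addresses that
    were not wrapped in <...>, i.e. the ones the wiki's own obfuscation would
    not have recognized. Because the stored source then holds only masked
    forms, source diffs have nothing unmasked to show.
    """
    bare = []

    def repl(m):
        masked = mask(m["local"], m["domain"])
        if m["open"] and m["close"]:
            return f"<{masked}>"
        bare.append(masked)
        return (m["open"] or "") + masked + (m["close"] or "")

    return ADDR.sub(repl, text), bare


# Constructed sample input: one bracketed address, one bare address.
SAMPLE = "Contact: Alice <alice@example.org>\nBackup: bob@example.net, thanks.\n"

if __name__ == "__main__":
    out, bare = pre_obfuscate(SAMPLE)
    print(out, end="")
    for addr in bare:
        print("not in angle brackets:", addr)
```

Running the function on its own output changes nothing, since a masked domain no longer matches the pattern.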
