Re: E-mail Address in WEB Browser

• To: smb@research.att.com
• Subject: Re: E-mail Address in WEB Browser
• From: "Robert S. Muhlestein" <robertm@teleport.com>
• Date: Fri, 15 Dec 1995 09:15:59 -0800 (PST)
• cc: www-security@ns2.rutgers.edu, webteam@teleport.com
• In-Reply-To: <199512150117.UAA14371@ns2.rutgers.edu>

On Thu, 14 Dec 1995 smb@research.att.com wrote:

> The From: line has also been attacked as an invasion of privacy.  Let's
> put it like this -- www.playboy.com and www.penthousemag.com are among
> the most popular sites on the Web.  Lots of people don't like the
> existence of a log that could be subpeonaed by, say, Senator Exon.
> Not your cup of tea?  What about Web sites belonging to extremist
> political organizations.

I guess that's my point.  I know people now who are using a no input, form 
to grab the email address from Netscape browsers by enticing lay web 
surfers into clicking on a submit: 

<form action="mailto:me.com" method="POST">
<input type="hidden" name="Subject" value="Just to get email address 
without letting them know."> 
<input type="submit" value="Click Here for a Surprise">
</form>

> Actually, mailto is standard; see RFC 1738.  But that's irrelevant, in
> the sense that SMTP mail never has been, and never can be, secure --
> ``authenticated'' is really the proper word -- the way you want.  You
> don't need Netscape; all you really need is telnet to some random port 25.
> And there are more subtle ways to abuse the email system as well.

Thanks, I must have missed that part of RFC 1738. 

As for spoofing SMTP, well, how else would we send forged love letters to
co-workers.  This is actually an argument against the use of From: 
information as legal evidence of "visitation" to a site.  If the
government ever convicts a person based on this info alone, it will be a
sad day. This is why I suggest browsers implement some way of turning on
and off the "Send Email Address with Request" in the prefs.  Without
killing the functionality of sending a From: header, this would check the
"tricky" form method of grabbing email.  How? By insisting that the user
confirm the mailto by bringing up the mailto dialogue box (as most
browsers, besides Netscape, do by default and are thus not fully
action="mailto" compatible with Netscapes method). This way the user makes
a conscious choice of sending his/her email field (forged or otherwise) or
not. 

Currently, Netscape users are being tricked into sending their email field
without them even knowing. If I were a Netscape exec, this would concern
me.  If users doesn't know they are being tricked into sending the
contents of the Netscape mail prefs setup, they will be more likely to
leave a valid email address in the mail prefs and...well,that seems like a
greater invasion of privacy to me, and maybe to a jury.  This
security/privacy concern grows more serious with every new AOL and other
BBS web novice who surfs these "tricky" sites. Set one up yourself and 
see just how nievely happy people are to give you their email address for a 
nice picture of, say, Randal Schwartz in silver pants singing Karaoke 
(love you Randal :) ). 

Robert Muhlestein
Teleport Creative Services
CGI-BIN Programmer
cgi@teleport.com

• Re: E-mail Address in WEB Browser
• From: smb@research.att.com

• Previous: Re: E-mail Address in WEB Browser
• Next: Re: E-mail Address in WEB Browser
• Index(es):
  • Index
  • Thread