rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Obfuscate author emails on site profile pages #1617

Closed rlue closed 7 years ago

rlue commented 7 years ago

I'm curious to know what policy the RubyGems.org team follows on this issue (if any).

In brief, some sites (like GitHub) will obfuscate users' email addresses in the raw HTML before publishing it online, in order to protect their users from email harvesting bots. For instance, this is the raw HTML corresponding to the email address shown on my profile page:

<a href="mailto:&#x68;&#x65;&#x6c;&#x6c;&#x6f;&#x40;&#x72;&#x79;&#x61;&#x6e;&#x6c;&#x75;&#x65;&#x2e;&#x63;&#x6f;&#x6d;">&#x68;&#x65;&#x6c;&#x6c;&#x6f;&#x40;&#x72;&#x79;&#x61;&#x6e;&#x6c;&#x75;&#x65;&#x2e;&#x63;&#x6f;&#x6d;</a>

In theory, this approach offers hardly any security at all – it would be trivial for a bot to convert HTML entity codes before scraping the content for potential emails – but it seems to be good enough for GitHub. RubyGems.org, on the other hand, publishes email addresses in the open, without obfuscation.

I myself am undecided on whether this issue is worthy of attention in practice (I certainly haven't received any spam since publishing my first gem), though in principle, I believe it to be the responsibility of web developers to protect their users' personal data.

Does the RubyGems.org team have an opinion on this one? Would they even entertain a PR that implemented this sort of email obfuscation?

jvanbaarsen commented 7 years ago

@rlue Is this really useful if we also have the webhook system and API? That means if you really want to scrape those emails, there is an even easier way than doing that via the website.

I would say not to implement this, since it will add another place where bugs might arise, and needs to be maintained.

That being said, I'm no maintainer, so my vote is not worth that much ;)

rlue commented 7 years ago

One way or another, I think the risk is small. But the likelihood of someone writing a bot just to scrape the rubygems.org webhook system and API is still far less than someone writing a bot to scrape HTML generally, and then happening to land on rubygems.org.

Though to be honest, I'm less worried about my own information as a user and more curious to know if the team has a unified position on this issue. Part of me believes – and just wants to hear someone more experienced than I am say – that spambots are an outdated risk to protect against, and the email obfuscation put in place by the likes of GitHub or Cloudflare is really just there to appease people who might put up a fuss otherwise.

ghost commented 7 years ago

I am not among the rubygems team so just my 2 cc.

The "obfuscated" part can be very easily converted by a one-liner script right?

So I am not entirely sure what the point of it is.

Perhaps it may be better to convert it into an image. :D
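To make concrete both the obfuscation scheme quoted in the opening post and the point raised in the post above (that the encoding is undone by a one-liner), here is an added Ruby example. It is not code from the rubygems.org project or from anyone in the thread: it generates the same hex-entity markup a profile page would emit and then shows that a standard HTML entity decoder recovers the address, which is why the technique only raises the bar against scrapers that never parse entities. The address used is a constructed sample, not one from the page.

```ruby
require 'cgi'

# Encode every character of an e-mail address as a hexadecimal HTML
# entity, the scheme visible in the GitHub markup quoted in the issue.
def obfuscate_email(address)
  address.each_char.map { |c| format('&#x%x;', c.ord) }.join
end

# Build the complete mailto link a profile page would emit. Browsers
# decode the entities in both the href and the link text before use.
def mailto_link(address)
  encoded = obfuscate_email(address)
  %(<a href="mailto:#{encoded}">#{encoded}</a>)
end

# Reverse the obfuscation. Any HTML parser performs this step as part of
# rendering, so the address is recoverable directly from the raw source;
# the entity encoding is a presentation detail, not a confidentiality
# control.
def deobfuscate(html)
  CGI.unescapeHTML(html)
end

# Constructed sample address for the demonstration (not from the page).
SAMPLE = 'user@example.com'

if __FILE__ == $PROGRAM_NAME
  link = mailto_link(SAMPLE)
  puts link              # entity-encoded markup as served
  puts deobfuscate(link) # plain markup as a browser (or parser) sees it
end
```

The mitigation a site actually controls is what dwradcliffe points to later in the thread: letting the user not publish the address at all, since any value present in the HTML (or in the API) must be treated as public.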

dwradcliffe commented 7 years ago

Personally I don't think it's worth the effort. If someone is really concerned they can hide their email completely.

Thanks for the opinions @rlue @jvanbaarsen @shevegen - definitely appreciated!!

rlue commented 7 years ago

Thanks @dwradcliffe!