Improve email security #249
Comments
|
Hi there, I've pushed a commit to fix the issue 1. For issue 2, the reason not user user name in the link is because hard to match, but e-mail address is more likely to match, and its unique. To encode the e-mail, I'm thinking about use base64 or some other encryption algorithms. |
|
base64 is reversible (it can be decoded easily on the backed back into an email address), md5, although a weak hashing algorithm, is already used for gravatars and is not (at least not easily) reversible. If base64 was used, no extra column would need to be added to the database (to the users table) from what I can see, the email address can be decoded on the backend if it is in base64, from which the user can then be found. The only problem is that base64 isn't really encrypted off course, but at least it will hide the email address from most bots that way. If md5 was used, you would either need to query all the users in the database and compare the md5 of the email address for each user, with the hash from the url (which can be expensive if there are lots of users and probably won't scale well)... unless you added an extra column with the hash of the email for each user, so that can be used as a lookup. I think base64 is probably the easiest solution to implement. |
|
I would recommend to remove the e-mail address from the user profile and replace it with a link to a website, which the user may optionally provide. Also simply try to lookup the username from the database and if there is no such user, just simply write the name there. At least thats the behaviour other code hosting platforms seem to use. In case this gets a performance issue, you could still cache it in memcache or something. |
|
@sts Gogs is not a public code hosting, it does not has large user base to match the user name, so the e-mail address I believe is the best identity to match. |
|
But currently you try to link to a user profile, which doesn't exist, because the function is simply trying to use the e-mail address. Links without valid targets are confusing users. |
|
Given invalid user name will point to 404 as well. |
|
Yes, my point was to show the user's name but not link it. If you try to lookup the e-mail address, and it doesn't exist in the database, you cannot show a user profile and you don't need to put a link there. Besides that it resolves the issue with exposing e-mail addresses as well. I was just trying to get the feature a bit more clear from a users point of view as well. :-) |
|
I would prefer check e-mail and disable link if not exist, user name isn't more reliable than e-mail address in my opinion. |
|
OK u think u could help me out cuz I have the same problem |
|
OK, now I check e-mail in database, if exists, then given link of user profile page; if not, disable the link style. So now, there is no e-mail address available in this page any more. |
|
Feel free to test it: https://try.gogs.io/Unknown/gogs/commits/dev |
|
Notification email contains email addresses of all recipients in the To: field. This can be annoying when number of watchers increase. Some SMTP servers even reject emails where number of recipients exceed a limit. These emails should be sent separately one-by-one or in configurable chunks. See Postfix configuration:
http://www.postfix.org/postconf.5.html#smtpd_recipient_limit |
|
Is googlecode's issue tracker approach relevant? |
@kolesar-andras you want to have a config option that limits the maximum recipients in a single email? |
|
Yes, exactly. I would prefer to set it to 1, sending each notification individually. Others may leave it empty, keeping all recipients in a single email. Default may be 1000 or below to be compatible with at least Postfix out-of-the-box. |
|
@linquize you can't obfuscate email addresses in an email. If you send email to sya...@google.com it will not reach the intended recipient. |
@kolesar-andras Please rise another issue for this specific purpose. |
I have found two issues regarding exposure of email addresses to email harvesting bots.
First, on a users profile page it will display the users email address as a link, even when you are not logged in. I think it would be best to hide the email address, until you are logged in at least, this would be the simplest way to improve security of this email address link. I don't think any JavaScript obfuscation is necessary if you simply hide the link until you log in.
The second issue, is on the commits page, there is a link for each commit line to the authors profile page, it uses the url /user/email2user...., followed by an email address but it only really encodes the @ character (it's basically url encoded).
I had a think about the second issue, as it is still exposing the users email address how it is right now and bots can probably still parse this info quite easily. Gravatar uses an md5 hash to get around this issue, we could potentially use that however it would make the URL ugly and the hashes will probably have to be stored in the db for faster lookups which is not ideal.
I then had a look at how Bitbucket does it, they simply uses the username in the link, maybe that is a better solution as it does not expose the users email address. I am not quite sure how to deal with commits in the repositories, where there is no user account in Gogs, that is the only problem there.
Let me know if you need help, I can implement this if you want, but need to know what direction to go with this.
The text was updated successfully, but these errors were encountered: