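In order to put e-mail addresses on my sites, I use this JavaScript:
// Writes a mailto link into the page at the point where the script runs.
// The address is assembled from pieces so it never appears whole in the source.
function showEmailLink(user, domain, linkText) {
    // Fall back to showing the address itself when no link text is given.
    if (linkText == "") {
        linkText = user + "@" + domain;
    }
    return document.write("<a href=" + "mail" + "to:" + user + "@" + domain
        + ">" + linkText + "<\/a>");
}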
so that in my HTML I can write this:
please send me an
<script type="text/javascript">
<!--
showEmailLink("edward","tanguay.info","e-mail");
//-->
</script>
This protects my site from spammers who collect e-mail addresses by screen scraping the source code, since my e-mail is nowhere in the text.
However, I can't imagine that a motivated spammer could not write a screen scraper somehow which could mechanically determine the e-mail address based on this JavaScript and HTML code.
How safe is this method of JavaScript e-mail obfuscation really?
An obfuscator won't help you at all if someone wants to figure out the code. The code still exists on the client machine and they can grab a copy of it and study it at their leisure. There is simply no way to hide code written in JavaScript since the source code has to be handed to the browser for execution.
Obfuscation is a built-in security method, sometimes referred to as application self-protection. Instead of using an external security method, it works within what's being protected. It is well-suited for protecting applications that run in an untrusted environment and that contain sensitive information.
Because the source code of this agent is exposed, attackers can tamper with its logic to bypass it and make it much harder for providers to block their accounts.
While JavaScript obfuscation is often the entry point for those looking for some degree of source code protection, the bottom line is that obfuscation is usually a means to an end. While developing your application's threat model, it's important to understand the risks posed by unprotected JavaScript code.
It's not really a question of "safety" - anything which a regular user can see isn't "safe" because any really determined malicious entity can just act like a regular user and actually render/evaluate the page.
It's more a question of deterrence - how much do automated harvesters care? I don't have exact numbers, but my guess would be that most harvesters don't bother to fully render or evaluate pages, since there are plenty of "softer" targets for them and it takes a lot longer to fully evaluate a page's scripts which isn't well suited for rapid mass spidering.
If you really want to deter harvesters, probably the best deterrence currently available is something that involves a CAPTCHA to retrieve the address like Mailhide. However, even this can be foiled if the harvester is determined enough (by methods such as knowingly or even unknowingly crowdsourcing CAPTCHA-breaking, et cetera).
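Added example (not part of the original question or answers): a self-audit a site owner can run under Node to compare what a plain pattern scan finds in the raw page source with what it finds once the script's output is in the page. The names EMAIL_RE, renderEmailLink, findAddresses and auditExposure and the sample strings are assumptions constructed for this sketch; renderEmailLink returns the same markup the question's showEmailLink() passes to document.write().

```javascript
// Hypothetical pattern for address-like strings; simplified, not RFC 5322.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Same string the question's showEmailLink() writes, returned instead of
// written so it can be inspected outside a browser.
function renderEmailLink(user, domain, linkText) {
  if (linkText === "") {
    linkText = user + "@" + domain;
  }
  return "<a href=" + "mail" + "to:" + user + "@" + domain + ">" + linkText + "</a>";
}

// Unique address-like strings found in a piece of text.
function findAddresses(text) {
  return [...new Set(text.match(EMAIL_RE) || [])];
}

// Report which addresses are visible in the raw source, which are visible
// after the script has run, and which ones the obfuscation hides from a
// source-only scan.
function auditExposure(rawSource, renderedMarkup) {
  const raw = findAddresses(rawSource);
  const rendered = findAddresses(renderedMarkup);
  return {
    rawSource: raw,
    rendered: rendered,
    hiddenFromSourceScanOnly: rendered.filter((a) => !raw.includes(a)),
  };
}

// Constructed sample: the page fragment from the question, as served.
const SAMPLE_SOURCE = [
  "please send me an",
  '<script type="text/javascript">',
  'showEmailLink("edward","tanguay.info","e-mail");',
  "</script>",
].join("\n");

// Constructed sample: the same fragment after the script has run.
const SAMPLE_RENDERED =
  "please send me an " + renderEmailLink("edward", "tanguay.info", "e-mail");

console.log(auditExposure(SAMPLE_SOURCE, SAMPLE_RENDERED));
```

An address listed under hiddenFromSourceScanOnly is kept from scanners that read only the served source, but it is present for anything that evaluates the page, which is the distinction the answers above draw between deterrence and safety.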