Good reason not to obfuscate URLs (was: Fishing from PyPI ?)

Ben Finney ben+python at benfinney.id.au
Tue Aug 7 02:01:26 EDT 2018


Vincent Vande Vyvre <vincent.vande.vyvre at telenet.be> writes:

>    To verify, visit your Account Settings
>    <https://pypi.us18.list-manage.com/track/click?u=[… personally-identifying information …]>
>    page.
>
> -------------------------------------
>
> The Account Settings
> <https://pypi.us18.list-manage.com/track/click?u=[… personally-identifying information …]>
> is :
> https://pypi.us18.list-manage.com/track/click?u=[… personally-identifying information …]
>
> Phishing ? yes, no ?

It's impossible to tell, from those links alone. The links are
obfuscated deliberately.

What we can say for certain is that following those links allows
parties unknown to track the fact you've followed that link, before you
ever get to PyPI.

You are right to be concerned.

This is one good reason why I argue that link obfuscation like this is
bad practice: we can't tell what domain they will redirect to, so
there's no way to know before visiting the link whether it will go to a
‘python.org’ URL.

Instead, links that you send people and want them to follow should be
direct links. That way we can see where it is the person wants us to
visit.

As a bonus, we avoid more layers of surveillance that these
man-in-the-middle providers like ‘list-manage.com’ try to gather about
our online behaviour.

-- 
 \              “Programs must be written for people to read, and only |
  `\        incidentally for machines to execute.” —Abelson & Sussman, |
_o__)              _Structure and Interpretation of Computer Programs_ |
Ben Finney
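Added illustration, not part of the message above nor any PyPI or list-manage code: a small Python check that classifies the links found in a notification e-mail as direct links to an expected domain, third-party click-tracking redirectors, or other third-party links. The expected-domain list, the redirector path heuristics, the naive two-label registrable-domain rule (real code would consult the public suffix list) and the sample message with its `EXAMPLE_TOKEN` values are all assumptions constructed for the example. The script never fetches anything, so, exactly as the post says, it can flag an obfuscated link but cannot tell you where the redirect will end up.

```python
"""Classify links in an e-mail body as direct or obfuscated (tracking-redirect).

The script is offline: it parses URLs but never follows them, so a
"tracking-redirect" verdict means "destination unknown without visiting".
"""
import re
from urllib.parse import urlparse

# Assumption: domains a genuine PyPI notification should link to directly.
EXPECTED_DOMAINS = {"pypi.org", "python.org"}

# Assumption: path segments typical of click-tracking redirectors.
REDIRECT_PATH_WORDS = {"track", "click", "redirect", "r", "l"}

# Matches http(s) URLs up to whitespace, angle brackets or quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the hostname.

    'pypi.us18.list-manage.com' -> 'list-manage.com', which is the part that
    matters; a leading 'pypi' label proves nothing about who runs the host.
    (Assumption: good enough for .com/.org; use the public suffix list for
    multi-label suffixes such as .co.uk.)
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, expected_domains=EXPECTED_DOMAINS):
    """Return 'direct', 'tracking-redirect', 'third-party' or 'invalid'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return "invalid"
    # Compare the registrable domain, not a prefix of the hostname.
    if registrable_domain(host) in expected_domains:
        return "direct"
    path_tokens = set(parsed.path.lower().strip("/").split("/"))
    if path_tokens & REDIRECT_PATH_WORDS:
        return "tracking-redirect"
    return "third-party"


def extract_links(text):
    """Pull every http(s) URL out of a message body, trimming trailing punctuation."""
    return [m.group(0).rstrip(".,);") for m in URL_RE.finditer(text)]


def scan_message(text):
    """Return a list of (url, verdict) pairs for every link in the message."""
    return [(url, classify_link(url)) for url in extract_links(text)]


# Constructed sample message (token values are placeholders, not real ones).
SAMPLE_MESSAGE = """\
To verify, visit your Account Settings
<https://pypi.us18.list-manage.com/track/click?u=EXAMPLE_TOKEN&id=EXAMPLE_ID>
page, or go directly to https://pypi.org/manage/account/ .
Docs: https://docs.python.org/3/library/urllib.parse.html
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:18} {url}")
```

Run as a script it prints one verdict per link; the first link is flagged as a tracking redirect because its registrable domain is list-manage.com and its path is `/track/click`, while the pypi.org and docs.python.org links are reported as direct.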