JRS: In article <Hz********************@newsfep1-win.server.ntli.net>,
seen in news:comp.lang.javascript, Doesn't Matter
<pi*************@aol.com> posted at Wed, 5 Nov 2003 19:11:53 :-
I am not looking for a spambot killer or an obfuscator, what I need
is something that will achieve the following. Coulr someone pls point
me at a suitable script.
I run a site which, in part, allows a runaway child or their parents to
communicate with each other by messages, I would like them to be
able to do this by e-mail however, neither side, and particularily the
child side should have their e-mail address divulged.
What I need is basically a simple form with a text box and a 'Send Message'
button that, in the background in fact sends an e-mail without anyone being
able to see where the e-mail is actually going to, neither in the status bar
or by viewing the source.
Is this possible in JS or am I better to have all the e-mails directed to us
and
we re-send them on. Surely something like this though can be automated.
Similiar, I guess, to how it is done on the 'dating' websites.
Any pointers gratefully received.
You need this to be absolutely trustworthy, for any client computer
system; you cannot, for example, assume Microsoft browser and mail, and
you cannot assume the absence of extensive logging of interconnection
data, and you cannot assume that the present situation will remain
unchanged.
There is no way in which you can be sure of achieving this if mail, or
any other communication, is sent directly from one to the other.
The only way is to use at least one trusted intermediate agent; this
agent needs to be trustworthy both morally and technically.
It may be wise to use more than one intermediate, so that one system
knows that
ki*@hostel.uk is Juvenile XYZ2345, and another knows that
JXYZ2345 intercommunicates with P1765ABC, and another knows that Parent
1765ABC is
da*@jail.bc. If a single machine is compromised, then the
security is not fully broken. Possibly there should be an intermediate
link which does not use the Internet at all.
For the case where kid is indeed @hostel and not at an arbitrary
location, then you *may* know more about the physical security of kid's
machine; OTOH, kid's machine is a more obvious target of attack for
those you would specifically wish to defend against. Similarly for the
other end.
If you need to ask, then obviously you do not have the knowledge / skill
/ understanding needed to implement the latter, and you should entrust
the technicalities to appropriate professional Internet programmers,
with an independent skilled check on their work. This is no job for the
bungling amateur.
Remember, the intruder may easily be smarter than you are.
You must allow for the possibility that the identity of the system that
kid/dad communicates with will be discovered, by which I mean the name
of the entity they send to or receive from. This name will obviously
have to be discoverable by possible customers; but it can of itself be a
moderately neutral name, and perhaps slightly deceptive. Then the kid,
or the dad, need not be too concerned about, for example, routine
communications logging.
Remember also that the kid, or even the dad, may be smarter than you
are.
Neither client should possess a unique identifier for the partner; he
should use in effect a suffix, perhaps represented by a codeword such as
Son or Dtr2. Otherwise, there would be a risk that dad1@jail might see
that dad2@jail was claiming paternity of the same lad as he was.
Now consult an expert.
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 MIME. ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
Proper <= 4-line sig. separator as above, a line exactly "-- " (SonOfRFC1036)
Do not Mail News to me. Before a reply, quote with ">" or "> " (SonOfRFC1036)
