Educause Security Discussion mailing list archives
Re: Email marketing keys and contact information privacy
From: "Crim, David" <dvcrim () TAYLOR EDU>
Date: Tue, 31 Mar 2009 17:02:33 -0400
Or perhaps use a unique key like google (picasaweb) does to protect its stuff:

http://picasaweb.google.com/obfuscated/moreobfuscation?authkey=Gv1sRgCMi 6pqmvhbOvDw&feat=directlink

I would think an alphanumeric with 20 characters would be enough "randomness" to protect against somebody trying "aaaaa..." to "zzzz..." since there are several billion billion combinations there.

David Crim
Security Analyst
Information Technology
236 West Reade Avenue
Upland, Indiana 46989-0001
Office: 765-998-5167
Cell: 765-251-3370
Fax: 765-998-4640

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Testart
Sent: Tuesday, March 31, 2009 2:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Email marketing keys and contact information privacy

Gary Flynn wrote:
> Let's say there is a mass marketing company who sends e-mail on behalf of its customers based on contact information given to it by those customers. The URLs in the individual e-mail messages are unique for each recipient so when the recipient clicks the link, the marketer knows what e-mail address is responding and can record the individual who responded and adjust the display accordingly if desired. Standard operating procedure so far, right?
>
> Now let's say that mass marketing company has the name, address, and phone number associated with each e-mail address and displays that information based on the link in the e-mail. So if I get one of these unsolicited messages and click the link, my name, address, and phone number are displayed.
>
> Under such a system, one could theoretically download the customer database contents by making successive requests:
>
> https://website.com/person?ID-number000,000,001
> https://website.com/person?ID-number000,000,002
> https://website.com/person?ID-number000,000,003
> . . .
> https://website.com/person?ID-number999,999,997
> https://website.com/person?ID-number999,999,998
> https://website.com/person?ID-number999,999,999
>
> Under what circumstances would this be acceptable?
>
> If the ID-number was a certain minimum size that was X orders of magnitude greater than the population?

and the ID numbers are assigned randomly rather than in sequence. Are you not looking for a GUID?

http://en.wikipedia.org/wiki/Globally_Unique_Identifier

> If the URL in the e-mail only worked a limited number of times to prevent the harvesting and limit re-use?

How about where the number of times = 1? URLs should have an expiry time as well.

jt

--
Jason A. Testart, BMath             | Voice: +1-519-888-4567 x38393
Manager, IT Security                | Fax: +1-519-884-4398
Information Systems and Technology  | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario N2L 3G1 CANADA
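
The controls suggested in this thread (randomly assigned identifiers, a link that works once, an expiry time) combined in one sketch. This is an added example, not code from any of the posters; the `LinkStore` class, the 128-bit token size and the seven-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 16          # 128 random bits, GUID-sized (assumed choice)
TTL_SECONDS = 7 * 86400   # assumed expiry window for a mailed link
MAX_USES = 1              # the "number of times = 1" suggestion


class LinkStore:
    """In-memory stand-in for the marketer's token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._rows = {}   # sha256(token) -> [recipient, expires_at, uses_left]
        self._now = now   # injectable clock so expiry can be exercised

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield live links.
        return hashlib.sha256(token.encode("ascii", "replace")).hexdigest()

    def issue(self, recipient):
        """Return a fresh random token to embed in one recipient's URL."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires_at = self._now() + TTL_SECONDS
        self._rows[self._digest(token)] = [recipient, expires_at, MAX_USES]
        return token

    def redeem(self, token):
        """Return the recipient, or None if unknown, expired or already used."""
        row = self._rows.get(self._digest(token))
        if row is None:
            return None
        recipient, expires_at, uses_left = row
        if self._now() >= expires_at or uses_left <= 0:
            return None
        row[2] = uses_left - 1
        return recipient


def enumeration_hits(store, attempts):
    """Count how many sequential nine-digit IDs resolve to a stored record."""
    return sum(store.redeem(f"{n:09d}") is not None for n in range(attempts))
```

A real deployment would also rate-limit failed lookups per client, since the store above only makes guessing impractical and does not record attempts.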