Today I got mail by a user who complains about Wget sending the
correct email address as anonymous password. His arguments are:
I've seen that wget sends the email of the user when doing
ANONYMOUS ftp gets. I see a lot of problems:
- Sending the user email if the user doesn't know that it's sent
doesn't protect the user state of ANONYMOUS
- Sending the user email helps SPAM instead of stopping it. Many
ftp sites use this information to send you unsolicited email.
- Sending the user email doesn't help ftp sites to know where the
cracker came crackers are not stupid to send their email
address.
- Sending the user email can be used to discriminate the user
based on the country, company or person itself.
Although I don't find all of these relevant to the issue, he has a
point. Sending the "real" email address (or at least username@FQDN)
seemed like a nice helpful gesture in 1995, but now I'm not so sure.
Today's Internet seems a much more, uhm, unfriendly place than it was
when I started using it. What looked like a useful gesture several
years ago can now be construed as a breach of privacy, and misused by
malicious server owners. Furthermore, some users are trying quite
hard to protect their email addresses. It's not right for Wget to
thwart their efforts without them being aware.
Following the example set by lftp, I'll change Wget to send "-wget@"
as anonymous FTP password, with the option of changing it. That way
we will have a decent default, and enable the users who know what
they're doing to change it to their email address, if they're
oldfashioned, or to something even more anonymizing, like "mozilla@".
(In case you're wondering, it begins with a `-' because it makes some
FTP servers suppress the welcoming message. Therefore the change will
also speed up login.)
Opinions?
