This is my Gravatar. There are many like it, but this one is mine:
Giving users an instant, recognizable avatar is a user experience win. It adds a bit of personalization and establishes familiarity. Unfortunately, the de facto standard service for this hurts your customers (spoiler: we have a fix for you).
The worse-than-it-seems privacy problem
Gravatar URLs include simple md5 hashes of user emails. When you embed a particular user’s Gravatar URL in a page, you’re effectively giving away their email address …
… which might not sound so bad. But it’s dangerous to leak info that ties users together across sites. You have very little control over who uses your site, and once you get big enough you will almost certainly have users who are vulnerable to privacy problems — they might have a stalker, or live in a country that’ll toss them in prison for saying the wrong things on the internet.
But they’re hashed!
md5 hashes are no good: there’s almost no difference between an md5 hash and a plain email address.
- Adobe, LinkedIn, and a bunch of other companies have conveniently released lists of email addresses to seed a dictionary attack.
- Email addresses are similar to weak passwords. They’re almost always short and predictable, and use a small range of possible characters. A combinator attack with existing dictionaries will crack the md5s of most emails.
- A determined attacker can spin up enough GPUs to brute force hashes they can’t crack the “easy” ways. And, since emails are a predictable format, brute force optimizations are especially effective.
But my app doesn’t have sensitive data!
Email addresses are personally identifiable information. This is why developers default to hiding them, and it’s why the EU requires that sites protect them. They identify people across sites, and users expect them to remain private.
Educated, vigilant users can use unique emails everywhere. If they forget, or are lazy and use firstname.lastname@example.org to differentiate from email@example.com, they’re at risk.
It’s impossible to protect users from their own failings, but it’s reasonable to expect developers to avoid amplifying the effect of user behaviors.
Do you trust Gravatar?
Assuming no one’s trying to use email hashes to track people down, you still need to consider who you’re trusting with data. Do you trust Gravatar? Because each request you direct to Gravatar gives them information about your visitors. They can see:
- User IP address
- HTTP headers
- The referring URL, unless you’ve gone to some effort to stop them
Individually, these vary from “the Accept-Language header doesn’t really leak much” to “you’d be amazed what you can learn from an IP address”. Combine them and you get all kinds of nefarious possibilities.
Gravatar might or might not be selling this data. Advertising companies are certainly buying, though. Many, many startups have launched planning to offer a free service and monetized it by selling user data. Every big ad network on the internet is buying data from people you don’t expect.
A Privacy Friendly Gravatar Proxy
We built Gravitas because we love the convenience of an instant Gravatar for users, and also like keeping visitor data contained. When you want to get a user avatar, you can just post to the proxy service and generate a unique link.
All we’re really doing is encrypting the Gravatar params with a pre-shared key, then decrypting them and proxying the request on to Gravatar’s service … minus most user-specific info.
There are two gaps. First, Gravatar still gets an md5 of an email address. They don’t have an IP address or additional headers to tie it to, so it’s not very useful, but they still see it.
Second, we don’t do anything to obfuscate images. If you stick my Gravatar in a reverse image search tool, you can find me on GitHub. We could add filters to images to confuse image search engines, but making that effective while keeping avatars recognizable is super tough. What’s important is that we’re “protecting” visitors who don’t use the Gravatar service. No avatar setup? No way to compare it across sites.
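To make the encrypt/decrypt/proxy flow concrete, here is an added example (not Gravitas’s own code). It seals the Gravatar params into an opaque token under a pre-shared key, then shows what the proxy forwards upstream: only the md5 hash and size, with the visitor’s IP, Referer, cookies and other headers dropped. The key, the /gravatar/ path and the HMAC-based stream cipher are assumptions for this example; a real deployment would use a standard AEAD such as AES-GCM.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qsl, urlencode
GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
# Constructed key for this example; a deployment loads its pre-shared key from a secret store.
PSK = hashlib.sha256(b"gravitas-example-psk").digest()

def _keystream(key, nonce, n):
    # PRF-derived keystream (HMAC-SHA256 in counter mode). This stands in for a real
    # AEAD such as AES-GCM so the example runs with the standard library alone.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(params, key=PSK):
    """Encrypt-then-MAC the Gravatar params into an opaque, URL-safe token."""
    pt = urlencode(params).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")

def unseal(token, key=PSK):
    """Verify the tag, then decrypt. A tampered or foreign token is refused."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed authentication")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return dict(parse_qsl(pt.decode()))

def email_hash(email):
    # Gravatar's own convention: md5 of the trimmed, lower-cased address.
    return hashlib.md5(email.strip().lower().encode()).hexdigest()

def avatar_link(email, size=80, key=PSK):
    """Link to embed in your page: the email hash never appears in the clear."""
    return "/gravatar/" + seal({"h": email_hash(email), "s": str(size)}, key)

def upstream_request(token, visitor_headers, key=PSK):
    """What the proxy sends to Gravatar: URL plus a minimal header set; IP, cookies, Referer etc. are not forwarded."""
    p = unseal(token, key)
    url = GRAVATAR_BASE + p["h"] + "?" + urlencode({"s": p["s"]})
    headers = {"Accept": visitor_headers.get("Accept", "image/*")}
    return url, headers
```

The md5 still reaches Gravatar, as the first gap above notes; what the token buys you is that the hash is not sitting in your page source and the visitor’s identifying headers stay with your proxy.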
Hey! Use Fly!
Fly lets you run your own Gravatar service, either on a dedicated hostname, or mounted alongside other apps (we serve ours from fly.io/gravatar/). We help you protect your visitors’ privacy and will never sell your data.
Fly started when we wondered “what would a programmable edge look like?” Developer workflows work great for infrastructure like CDNs and optimization services. You should really see for yourself, though.