The following issue has been updated:
170 - Make gravatar optional for privacy reasons
Project: InDefero
Status: New
Reported by: Loïc d'Anterroches
URL: http://projects.ceondo.com/p/indefero/issues/170/
Labels:
Priority:Medium
Type:Enhancement
Comments (last first):
# By Baptiste Durand-Bret, Dec 18, 2009:
Just a tiny related note: md5 hashes used by gravatar were recently hacked. See
http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea
# By Loïc d'Anterroches, Oct 8, 2009:
Labels: Type:Enhancement, -Type:Defect
# By Loïc d'Anterroches, Mar 27, 2009:
<oxygene> reminds me that I wanted to remove gravatar support (or maybe make it optional on a per-host and per-user basis) but not now..
<CiaranG> Yeah, I thought about that too
Then I decided I just needed to get a less irritating avatar
<oxygene> it's still a privacy violation
unless you use a different email address on any gravatar-enabled site you use
<CiaranG> See what you mean. Never thought about it like that before
<oxygene> you don't have to register for them to create a profile, and once you registered, all you can do is "delete your images" (according to the FAQ). so they won't let go of your email address once they have it
<CiaranG> So they can gather a lot of info about you then, even if you've never been near their web site
<oxygene> yes.. hmm. a firefox plugin to detect gravatar use on pages that emits a warning might be due. crap, my TODO is long enough as is :)
<CiaranG> I don't care personally. But actually, you might say that a site that is going to give your email address to a third party (i.e. gravatar) has a duty to warn you first
Do you actually give the address, or a hash of it?
<oxygene> md5(email)
good enough for profiling
<CiaranG> Oh yeah, I see
<oxygene> and once you register (to add a less silly picture), they can map it to a valid address, too ;)
--
Issue: http://projects.ceondo.com/p/indefero/issues/170/