posted by Adam S on Fri 9th Oct 2009 14:25
Conversations

A few users have shared some conspiracy theories about the privacy violations of using Gravatar. I'd like to explore them quickly.

One user suggested that we should change our privacy policy because we now share email addresses. I'd like to point out that that assertion is completely false and, frankly, absurd. The usual way to recover the input behind an MD5 hash, typically a password, is to compare the hash against a precomputed table of hashes of likely inputs, a "lookup table" (or rainbow table). This is why using a dictionary word as your password is so bad: one comparison against the table of known hashes reveals the password almost immediately.

But that's just it: we're hashing an EMAIL address, not storing it. There are hundreds of millions of addresses in this world, if not billions, and no one keeps a hashed table of every email address ever invented. It wouldn't make sense: it rarely pays off, and there are so many ways to get email addresses off the net with far less effort. So of course, this fear is nonsense.
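As an added illustration (not part of the original post and not Gravatar's code), here is what the lookup-table attack on a Gravatar-style hash looks like in Python. The hash is the documented Gravatar recipe (trim, lowercase, hex MD5). The candidate generator follows the {word}{word}{1-2 digit number}@gmail.com shape that one commenter below describes, so it goes slightly beyond this paragraph; the word list, domain and addresses are constructed for the example.

```python
import hashlib
import itertools


def gravatar_hash(email: str) -> str:
    """Gravatar-style identifier: trim, lowercase, then hex MD5 of the address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def candidate_addresses(words, domain="gmail.com", max_digits=2):
    """Enumerate {word}{word}[{number}]@domain with a 0- to max_digits-digit number:
    the dictionary an attacker would hash if they assume that address shape."""
    for w1, w2 in itertools.product(words, repeat=2):
        yield f"{w1}{w2}@{domain}"
        for n in range(10 ** max_digits):
            yield f"{w1}{w2}{n}@{domain}"


def table_size(n_words, max_digits=2):
    """Entries candidate_addresses() produces: one per word pair for each number option."""
    return n_words ** 2 * (1 + 10 ** max_digits)


def build_lookup_table(candidates):
    """Precompute digest -> address once; every later reversal is a dict lookup."""
    return {gravatar_hash(c): c for c in candidates}


def reverse_hash(table, digest):
    """The attack: a hash scraped from an avatar URL comes back as an address if it is in the table."""
    return table.get(digest.lower())


WORDS = ["alex", "forster", "john", "smith"]  # constructed word list for the example

if __name__ == "__main__":
    table = build_lookup_table(candidate_addresses(WORDS))
    assert len(table) == table_size(len(WORDS))
    scraped = gravatar_hash("AlexForster42@gmail.com")  # what a page would expose
    print(table_size(len(WORDS)), "entries")
    print(scraped, "->", reverse_hash(table, scraped))  # address recovered
    print(reverse_hash(table, gravatar_hash("alex.forster@gmail.com")))  # None: outside the pattern
```

The table here has 1,616 entries and is built in milliseconds; the cost is set by the size of the candidate set the attacker chooses, not by how many addresses exist in the world. An address that follows a guessable pattern is recovered exactly as a dictionary-word password would be; one that does not match the pattern (alex.forster@gmail.com above) is not in the table and is not found.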

One user suggested a script could crawl the net and find your email address everywhere and build a profile. Perhaps. I work in reality, and I think this is too much effort for too little payoff. You still won't have an email or a real name.

In fact, there are several ID services out there, but in the end, it's just not that hard to piece together someone's identity from what they share and post online. So any entity using Gravatar as its starting point is wasting its time: there are so many more effective ways to harvest personal data (start with Google, Twitter and public Facebook pages). It's like being scared that the window panes can be cracked with a hammer when your house has no doors.

There are several legitimate reasons to be concerned about identity today, but gravatar use shouldn't be one of them.
Comments:
Comment by Laurence
by Laurence on Fri 9th Oct 2009 15:13 UTC (member since 2007-03-26)

Maybe it's the 2 pints of real British ale I had for lunch, but I feel as if I've joined this conversation halfway through.

Assuming Gravatar is the service OSNews uses for its user avatars (I apologise if that's a false assumption), has there been (rightly or wrongly) talk / concern about user security due to OSNews' integration with Gravatar?


In other news: the Bitter was very enjoyable. ;)

Reply Score: 2

RE:
by Adam S on Fri 9th Oct 2009 18:23 in reply to "Comment by Laurence" (member since 2005-04-01)

There a few posts to that end located here:

http://www.osnews.com/comments/22307

There is some paranoia about the md5 being "sharing" your email, and some concern that writing a "simple" script to wander the web parsing website source code for your md5 encrypted email address would allow someone to arbitrarily join your usernames across sites and construct a profile of you across the internet. Perhaps, but it still sounds like some tin foil hat sh*t to me.

Reply Score: 1

My only issue
by Soulbender on Fri 9th Oct 2009 15:38 UTC (member since 2005-08-18)

is that it's another damn site I might have to sign up to one day.

Reply Score: 2

RE:
by Adam S on Fri 9th Oct 2009 18:18 in reply to "My only issue" (member since 2005-04-01)

Crap. I suppose that is a legitimate gripe.

Reply Score: 1

RE:
by Kroc on Sun 11th Oct 2009 17:40 in reply to "My only issue" (member since 2005-11-10)

I don’t know if OpenID supports avatars (haven’t had the time to look into it yet), but if it does, we could use that so that your login and avatar are at least with the same provider.

Generally, the highly technical nature of our audience means that people here are also commenting on a number of other websites and blogs and would be more likely than say the public, to have a Gravatar, or to want one.

As always, we will continue to tweak and improve the service in the interest of the readers.

Reply Score: 1

You're right.
by Alex Forster on Sun 11th Oct 2009 23:30 UTC (member since 2005-08-12)

Since email addresses tend to be so long and so unique, there is no way a rainbow table could exist to allow a reverse lookup of even 10% of all emails. Theoretically, one could pick a popular domain (@gmail.com) and perform a complicated dictionary attack ({word}{word}{1-2 digit number}@gmail.com) but there are so so so many easier ways to harvest emails that it would be a complete waste of time if that was your sole objection.

Out of curiosity: is the md5 salted in any way?

Reply Score: 2

RE:
by Adam S on Mon 12th Oct 2009 12:17 in reply to "You're right." (member since 2005-04-01)

The md5 cannot be salted, otherwise, everyone would need access to the salt to create the md5 to have a portable avatar.

However, you can absolutely use kroc+osnews@whatever-your-domain-is.com to get a unique hash for each site. In fact, gravatar encourages it.

Reply Score: 1
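The cross-site join described earlier in the thread (a script parsing page source for the hash and joining usernames across sites) and the plus-address mitigation from the reply above, as an added Python example that is not part of the original page or of Gravatar's code. The site names, usernames, addresses and the HTML snippet are constructed for the illustration; the avatar URL format is the public gravatar.com/avatar/<hash> one.

```python
import hashlib
import re
from collections import defaultdict

# A crawler only needs the 32-hex digest out of the avatar <img> URL.
GRAVATAR_URL_RE = re.compile(r"gravatar\.com/avatar/([0-9a-fA-F]{32})")


def gravatar_hash(email: str) -> str:
    """Gravatar-style identifier: trimmed, lowercased address, hex MD5."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def plus_address(email: str, tag: str) -> str:
    """'kroc@example.org' + 'osnews' -> 'kroc+osnews@example.org' (the 'plus trick')."""
    local, domain = email.rsplit("@", 1)
    return f"{local}+{tag}@{domain}"


def extract_hashes(html: str) -> list:
    """What a crawler keeps from a page: every Gravatar hash found in avatar URLs."""
    return [m.lower() for m in GRAVATAR_URL_RE.findall(html)]


# Constructed addresses: 'dana' uses one plain address everywhere,
# 'kroc' uses a different plus-tagged address on each site.
PLAIN = "dana@example.net"
TAGGED = "kroc@example.org"


def scrape_sample() -> list:
    """Constructed (site, username, hash) records as a crawl of three sites would yield them."""
    return [
        ("osnews", "dana_o", gravatar_hash(PLAIN)),
        ("someblog", "dana1979", gravatar_hash(PLAIN)),
        ("forum", "dee", gravatar_hash(PLAIN)),
        ("osnews", "Kroc", gravatar_hash(plus_address(TAGGED, "osnews"))),
        ("someblog", "kroc", gravatar_hash(plus_address(TAGGED, "someblog"))),
    ]


def join_profiles(records) -> dict:
    """Group accounts by hash; a hash seen on more than one site links those usernames."""
    by_hash = defaultdict(list)
    for site, user, digest in records:
        by_hash[digest].append((site, user))
    return {d: sorted(accts) for d, accts in by_hash.items() if len(accts) > 1}


# Constructed markup, not taken from any real site.
SAMPLE_HTML = """<div class="comment">
<img src="http://www.gravatar.com/avatar/0bc83cb571cd1c50ba6f3e8a78ef1346?s=40" alt="dana_o">
<img src="http://www.gravatar.com/avatar/00000000000000000000000000000000?s=40" alt="default">
</div>"""

if __name__ == "__main__":
    print(extract_hashes(SAMPLE_HTML))
    for digest, accounts in join_profiles(scrape_sample()).items():
        print(digest, "->", accounts)  # only dana's three accounts are joined
```

Running it shows the point of the reply above: no salt is involved on either side, so any site that displays the hash lets the same address be joined across sites, while a per-site plus-tagged address yields a different hash on every site and never ends up in a group. The join needs no knowledge of the address itself, which is why linking accounts is cheaper than recovering the email.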

RE:
by Alex Forster on Tue 13th Oct 2009 00:47 in reply to "RE: " (member since 2005-08-12)

Right, but since md5 is so old there are already massive multi gigabyte freely available rainbow tables. A salt would mean that those tables couldn't be used. Still though, emails are really, really long and complex for any kind of rainbow table to exist. People in general are way too paranoid about these issues. You're wrong if you think anyone cares enough about you to bruteforce your email address using your gravatar hash.

Reply Score: 2

Funny
by Adam S on Wed 14th Oct 2009 21:12 UTC (member since 2005-04-01)

It's worth noting that the users who have changed their email addresses on our site to something false in order to "protect" themselves from the evil that is Gravatar are in violation of the account terms, and are subject to having their accounts suspended. Not only that, but they have also lost the ability to use email notifications and the ability to retrieve passwords.

If you're so damned concerned, why not just use the plus trick to create a unique email, and therefore, a unique hash?

Fools.

Reply Score: 1

RE:
by fretinator on Thu 15th Oct 2009 19:54 in reply to "Funny" (member since 2005-07-06)

Mat 5:22

Reply Score: 2