Since the release of a major update to Yakaz.com on February 2, 2012, we support user avatars on Gravatar.
Avatar selection
The support for Gravatar is completely transparent to the user:
- If he sets an avatar from the "Profile settings" page, we obviously display this one.
- If he doesn't set an avatar, we query Gravatar, using its e-mail, to get an avatar.
- If Gravatar returns nothing, we default to a random "house" avatar.
Security considerations
One known issue with Gravatar is the MD5 of the user e-mail made public. Some technics permits one to find the original e-mail without brute forcing anything. Therefore, on a website like Stackoverflow.com where the URL to the avatar points directly to Gravatar, an attacker could collect thousands of MD5 hashes, recover the corresponding e-mail and possibily associate it with a user real name.
An article on developer.it describes more deeply the problem.
For Yakaz.com, we use an approach close to the one described in the "Line of defense" paragraph at the end of the article mentionned above. We use a unique URL to get the avatar, no matter the source of the image. The backend will try our local avatar storage, then Gravatar and finally the default avatar. Therefore, the request to Gravatar is not visible to the user.
As explained by the article, this is not bullet-proof but to collect e-mails, the attacker would have to compare images, taking resize and conversion into account. This would be a much slower process.
Avatar freshness
We do not query Gravatar everytime an avatar is requested. We have an HTTP cache in front of the backend responsible for the avatars. Avatars from Gravatar are cached for 24 hours. Therefore, if a user changes its avatar on Gravatar, it won't be visible on Yakaz.com immediately.
Comments