July 6

One of the Geeknews articles recently topped 80+ comments and I figured it would be interesting to turn on Gravatars to see what popped up beside the names. However, most of the posts didn’t have Gravatars associated with their e-mail, so I’d either have to turn it back off or end up adding yet another plug-in to autogenerate an avatar for those folks. I was leaning toward Shamus’ Wavatars.

Lucky me: it looks like, as of a few months ago, Gravatar has added Wavatar support along with two other avatar generators, so no plug-in is required now. How convenient! Thank you Shamus and Gravatar!

BTW, since my theme didn’t have Gravatar support built-in originally, I’ve added the following to my comments.php:

<?php if (!empty($comment->comment_author_email)) {
    // Gravatar identifies an address by the MD5 of its trimmed, lower-cased form
    $md5     = md5(strtolower(trim($comment->comment_author_email)));
    $size    = 32; // size in pixels (square)
    $default = urlencode('wavatar'); // generator used when no Gravatar exists for the address
    echo "<img src='http://www.gravatar.com/avatar.php?gravatar_id=$md5&size=$size&default=$default' alt='' />";
}
?>

Before I learned that Wavatar support had been added to the backend at Gravatar.com, $default was “http://geeknews.net/images/no_gravatar.jpg”. As you can see, it wasn’t very attractive, so being able to mix it up with something interesting is a nice touch.

For Wavatar support, just append ?d=wavatar to the Gravatar URL in your image source (here’s Gravatar’s implementation page).

Or, instead of “wavatar” you could pass in “monsterid” or “identicon”.

If you’re not familiar with any of these, here are some examples. Each commenter’s unique avatar is generated either randomly or based on their IP:

Gravatars

12 Comments

TheSHAD0W 06/07/08 @ 7:12 pm

I hope you realize this exposes the identity of people who post messages here to anyone with a list of valid emails, such as spambots.

Hey Shadow, thanks for pointing that out. The e-mail address in the gravatar url is hashed using md5 encryption. Is your comment referring to the fact that using rainbow tables can crack md5? That’s usually not a concern wrt harvesting of e-mail addresses since there’s lots of other ‘cheaper’ and easier methods of harvesting addresses.

Or is there another flaw here in using gravatar/wavatars (or in my implementation) that I’m not seeing, where addresses are being exposed? Please don’t hesitate to point out security flaws you find.

Thank you!

TheSHAD0W 08/07/08 @ 5:57 am

I’m not saying the email address can be “decoded”. I’m saying that an operator with a list of email addresses, such as a spammer, can hash his list of emails and then use a spider to match those hashes with the ones in the gravatar URLs, and thus obtain information about those persons. Simply the knowledge that the emails are valid is valuable to a spammer. Alternatively, someone looking for information about a person with a known email address (an employer, perhaps) can do a web search for the hash of that address, and discover posts which people thought they were placing relatively anonymously.

TheSHAD0W 08/07/08 @ 5:58 am

And speaking of which, does this thing choose avatars randomly if none were selected? ‘Cuz I never tried to register any gravatar, much less that triangle-head. ^^

The avatar you see associated with your posts is randomly generated on a per user basis if none is detected on the gravatar backend. That was the point of the post, to indicate that seeing something different for each user is more interesting than winding up with the default avatar graphic.

Some of them are pretty goofy, that one generated for TheSHADOW looks kinda cool to me, might be worthy of saving and making it your permanent avatar? :-)

You can read about the algorithm used to create these cool and goofy ‘wavatars’ here: http://www.shamusyoung.com/twentysidedtale/?p=1462

TheSHAD0W 12/07/08 @ 8:52 pm

I just Googled your Wavatar hash and found a post you made on another site:

http://chattydm.net/2008/02/09/chattys-newly-renovated-abode/

Just warning you again, this system may allow persons to gather information about people who post here, unless they use invalid email addresses.

Ah yes, I remember that post, it was discoverable because I intentionally published my hash on Chatty’s site in his comment box to help in troubleshooting his gravatar implementation. :-)

I honestly appreciate the concern; I’ll continue to look into this.

What I’ve found so far, however, is that as long as e-mail addresses are not being exposed there’s little concern regarding information gathering possibilities.

I think your primary concern is someone may detect that a user solicits certain web sites, that these avatars are a form of an inadvertent tracking system across the web. Is this correct?

Thanks again.

TheSHAD0W 14/07/08 @ 3:43 pm

That is correct. A person may provide his email on a website expecting that it will not be displayed and that he will have anonymity with regards to the general public for his post.

Not bad, I’m glad,

Thanks, I’ll check it out.

Wavatars are turned off, gravatars are being left on. The reason is that people leaving a comment aren’t agreeing to have their address hashed, which could make that person ‘trackable’ elsewhere on the net.
Folks that sign up for Gravatars are knowingly giving up some aspect of their privacy by wanting the icon and the service to follow them from site to site.

Thanks Shadow.
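As an added illustration (not code from this post or from Gravatar), the Python below rebuilds the identifier that the comments.php snippet above publishes and checks the two properties TheSHAD0W describes: the same MD5 appears on every site that shows the commenter’s avatar, and anyone who already holds the address can recompute it. The site-scoped HMAC variant is an assumed mitigation for avatars generated locally by the site, not something the post or Gravatar offers; the address and per-site secrets are constructed.

```python
import hashlib
import hmac
import urllib.parse

# Constructed sample commenter address (deliberately untrimmed and mixed-case).
SAMPLE_EMAIL = "  Commenter@Example.org "
# Constructed per-site secrets for the assumed mitigation below.
SITE_SECRETS = {"site_a": b"constructed-secret-A", "site_b": b"constructed-secret-B"}


def gravatar_hash(email: str) -> str:
    """Gravatar's public identifier: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 32, default: str = "wavatar") -> str:
    """The URL the post's comments.php emits (legacy avatar.php endpoint, same parameters)."""
    query = urllib.parse.urlencode(
        {"gravatar_id": gravatar_hash(email), "size": size, "default": default}
    )
    return f"http://www.gravatar.com/avatar.php?{query}"


def site_scoped_id(email: str, site_secret: bytes) -> str:
    """Assumed mitigation (not from the post): key the identifier with a per-site secret,
    so a locally generated avatar gets a seed that is unique to this site."""
    return hmac.new(site_secret, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def same_id_on_every_site(email: str, make_id) -> bool:
    """True when every site publishes the identical identifier for this address,
    i.e. when the avatar doubles as a cross-site tracking token."""
    return len({make_id(email, secret) for secret in SITE_SECRETS.values()}) == 1


def recognisable_from_address(published_id: str, known_email: str) -> bool:
    """What a third party who already knows an address can check with no secret at all."""
    return hmac.compare_digest(published_id, gravatar_hash(known_email))


if __name__ == "__main__":
    print(gravatar_url(SAMPLE_EMAIL))
    print("md5 identical across sites:", same_id_on_every_site(SAMPLE_EMAIL, lambda e, _s: gravatar_hash(e)))
    print("scoped id identical across sites:", same_id_on_every_site(SAMPLE_EMAIL, site_scoped_id))
    print("md5 matches a known address:", recognisable_from_address(gravatar_hash(SAMPLE_EMAIL), "commenter@example.org"))
```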
