Could you please add support to use Gravatar for profile photos on the support forum?

SirGatez
SirGatez
Community Member

The title says it all. If you could add support to the forum to allow the use of Gravatar profile images that would be awesome. https://en.gravatar.com/ Using Gravatars is easy, it's just a reference to the email (hashed) provided by the user. As shown on this site: https://en.gravatar.com/site/check/

My Gravatar information is the following for my email:
Email Address: example@email.com <- Just an example for any bots
Email Hash: de4679e2acaea25fa177b4e4ab63b19a <- My real hash
https://s.gravatar.com/avatar/de4679e2acaea25fa177b4e4ab63b19a?s=80 <- s=80 denotes pixel size requested, not including this defaults to 80

The hash is a simple md5 hash which you can generate numerous ways, below is a command line example. Note using printf does not automatically include a trailing new line like echo would. Ignore the trailing - or remove it with cut/awk etc.

printf "example@email.com" | md5sum
8455938a1db5c475a87d76edacb6284e -

More information can be found here as well as a simple code example. https://en.gravatar.com/site/implement/hash/

Thank you!


1Password Version: N/A
Extension Version: N/A
OS Version: N/A
Sync Type: N/A
Referrer: forum-search:Could you please add support to use Gravatar for profile photos on the support forum?

Comments

  • Hi @SirGatez

    I recall having this in the past and turning it off due to a privacy concern. I'm going to check with our security team and see if 1) anyone has a better memory than I do as to what the specific concern was, and 2) if that concern is still applicable.

    Thanks!

    Ben

  • Ben
    Ben
    edited August 2020

    I'm still awaiting an answer from security as to point #2, but my colleague Tommy found an old thread that expands upon point #1:

    Using Gravatars may expose your email address

    Ben

  • SirGatez
    SirGatez
    Community Member
    edited August 2020

    I suspect that if you provide it as an option for the user to select then exposing the email via the calculated hash may not be a concern. A simple warning either near the option or before enabling should suffice.

    Providing the choice allows the user to weigh their risk to the potential risk of email discovery via a brute force attack to match the hash.

    If the user never opts in, no Gravatar url requests are ever made so the hash is never exposed.

  • @SirGatez Unfortunately we don't have that level of control over the forum. The Gravatar plugin is either enabled or disabled. When enabled users can only opt-out by uploading a custom avatar. We don't have the flexibility of making it opt-in.

    Ben

  • SirGatez
    SirGatez
    Community Member

    Ah, thank you for clarifying. I understand the issue of trying to enable this in the forum more clearly now.

  • You're very welcome.

    Ben

This discussion has been closed.